Atlassian has escalated a vulnerability in its Confluence software to the highest critical rating following reports that unpatched Confluence servers are being hit with ransomware.
The Australian company first published an advisory for the authorisation vulnerability last Tuesday but recently updated it to get the word out that bad actors are using the security flaw to attack internet-facing Confluence servers en masse.
“As part of Atlassian's ongoing monitoring and investigation of this CVE, we observed several active exploits and reports of threat actors using ransomware,” the company said.
“We have escalated CVE-2023-22518 from CVSS 9.1 to 10, the highest critical rating, due to the change in the scope of the attack.”
All versions of Confluence Data Centre and Server “require immediate attention”, Atlassian said.
But cloud sites – those hosted by Atlassian and accessed through an Atlassian.net domain – are unaffected.
The company recommends patching all affected installations to the versions listed in its advisory. If you can’t immediately patch, it recommends backing up your instance, and taking it offline or restricting network access.
Initially, it warned of the possibility that affected servers could face “significant data loss”.
Two days after it had gone public, Atlassian said there had not been reports of active exploitation. But as time went on, the reports started rolling in.
🚨Confluence exploit (CVE-2023-22518) Leads to C3RB3R Ransomware🚨
— The DFIR Report (@TheDFIRReport) November 6, 2023
➡️Exploit source: 193.187.172.73
➡️Download & Exec: http://193[.]187[.]172[.]73/tmp[.]1u
➡️Lateral Movement: Attempts to spread over SMB/445
➡️Extension: LOCK3D
h/t @GreyNoiseIO pic.twitter.com/VdO5EUjPOj
Security firm Rapid7 said this week that it had seen exploitation “in multiple customer environments, including for ransomware deployment”. The Rapid7 team describes how a single post request led to the installation of Cerber ransomware on Confluence servers.
Atlassian’s vulnerability shows how bad actors can mass exploit vulnerabilities in just a matter of days and highlights the need for businesses to patch their systems.
Last month, Home Affairs Minister Clare O’Neil criticised Australian businesses for continuing to leave their vulnerable software unpatched, sometimes years after fixes were made public.
“The vast majority of cyber attacks are completely preventable, if you take pretty straightforward steps,” O’Neil said. “Regular patching is one of them.”