Monday, February 10, 2025
HomeCyber Security NewsHackers Exploit Atlassian Confluence Zero-day Flaw to Create Admin Account

Hackers Exploit Atlassian Confluence Zero-day Flaw to Create Admin Account

Published on

SIEM as a Service

Follow Us on Google News

The widely adopted Atlassian Confluence has been discovered with a zero-day vulnerability, which could allow threat actors to create an admin account on the Confluence servers and perform malicious activities.

This particular issue has been reported by a lot of Atlassian customers and is known to be actively being exploited in the wild by attackers. The vulnerability is currently identified as CVE-2023-22515 and has a severity of 10.0 (Critical), as per Atlassian.

CVE-2023-22515 – Privilege Escalation Vulnerability

The details of this vulnerability haven’t been disclosed by Atlassian yet. However, as per reports, this vulnerability affects publicly accessible confluence data centers and servers in which threat actors were able to create unauthorized administrator accounts and access confluence instances.

Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

“Instances on the public internet are particularly at risk, as this vulnerability is exploitable anonymously.” reads the security advisory by Atlassian. 

Affected Products and Fixed Versions

ProductAffected VersionsFixed in Versions
Confluence Data Center and Confluence Server8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.1.0, 8.1.1, 8.1.3, 8.1.4, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 8.4.1, 8.4.2, 8.5.0, 8.5.18.3.3 or later8.4.3 or later8.5.2 (Long Term Support release) or later

Source: Atlassian

Mitigation and Threat Detection

As part of mitigating this issue, Atlassian has recommended its users block access to the /setup/* endpoints on Confluence instances which can be done by the following steps,

  1. modify /<confluence-install-dir>/confluence/WEB-INF/web.xml  and add the following block of code (just before the </web-app> tag at the end of the file):
<security-constraint>
      <web-resource-collection>
        <url-pattern>/setup/*</url-pattern>
<http-method-omission>*</http-method-omission>
</web-resource-collection>
      <auth-constraint />
</security-constraint>
  1. Restart Confluence

As part of threat detection, Atlassian has recommended its users check all affected Confluence instances for the following indicators of compromise:

  • unexpected members of the confluence-administrators group
  • unexpected newly created user accounts
  • requests to /setup/*.action in network access logs
  • presence of /setup/setupadministrator.action in an exception message in Atlassian-confluence-security.log in the Confluence home directory

For additional information, the Atlassian security advisory can be followed, which can be found here.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Tor Browser 14.0.6 Released, What’s New!

The Tor Project has officially unveiled Tor Browser 14.0.6, now accessible for download from the...

Hackers Exploit AnyDesk Vulnerability to Gain Admin Access – PoC Released

A newly discovered vulnerability in AnyDesk, the popular remote desktop software, has sparked serious...

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Tor Browser 14.0.6 Released, What’s New!

The Tor Project has officially unveiled Tor Browser 14.0.6, now accessible for download from the...

Hackers Exploit AnyDesk Vulnerability to Gain Admin Access – PoC Released

A newly discovered vulnerability in AnyDesk, the popular remote desktop software, has sparked serious...

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...