U.S. Cyber Command Warns of Active Mass Exploitation Attempts Targeting Confluence Flaws

The cybersecurity authorities of the U.S. Cyber command have recently been notified regarding the increase in the number of scans and attempts to exploit a newly identified vulnerability in corporate servers along with the Atlassian Confluence wiki engine installed.

CVE-2021-26084 in Confluence Server and Confluence Data Center software is the vulnerability that has been confirmed by security experts. This vulnerability generally enables the threat actors to perform arbitrary code, but the main problem is related to the inaccurate processing of input data.

Not only this but the security researchers also asserted that it can be exploited to bypass authentication and to administer malicious OGNL commands, that will fully compromise a vulnerable system.

What is the issue?

The cybersecurity analysts have detected a vulnerability in Atlassian’s Confluence software on August 25th, and soon after detection, they published the vulnerability details.


According to the report, a cybersecurity researcher called SnowyOwl (Benny Jacob) discovered that an unauthenticated user could easily run arbitrary code just by targetting HTML fields that are interpreted and executed by the Object-Graph Navigation Language (OGNL). 

The important point is that the analysts have investigated the vulnerability and they found that the internet had above 14,637 exposed and vulnerable Confluence servers. 

After detecting the vulnerable servers, they compared it with the September 1st, and there they recognized 14,701 services that self-identified as a Confluence server. 

And not only this but apart from the servers, there are, 13,596 ports and 12,876 individual IPv4 hosts that are continuously running an exploitable version of the software.

Flaw profile

  • CVE ID: CVE-2021-26084
  • Version: CVSS version 3.x
  • CVSS Score: 9.8
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The flaw: CVE-2021-26084

However, in the CVE-2021-26084, all the vulnerable endpoints can easily be obtained by a non-administrator user or an unauthenticated user only if ‘Allow people to sign up to create their account’ is being permitted. 

Not only this but one can easily check whether this option is being allowed or not, by simply going to COG > User Management > User Signup Options. 

What do You Need to Do? 

Apart from this, Atlassian suggests the users upgrade to the latest Long Term Support release, and not only this but users can also download the latest version from the download center.

  • In case if you are managing an affected version then upgrade it to version 7.13.0 (LTS) or higher.
  • In case if you are operating 6.13.x versions and cannot upgrade to 7.13.0 (LTS) then at least upgrade to version 6.13.23.
  • If you are running 7.4.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 7.4.11.
  • If you are running 7.11.x versions and cannot upgrade to 7.13.0 (LTS) then at least upgrade to version 7.11.6.
  • In case if you are running 7.12.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 7.12.5.

Affected Versions

Here’s the list of all the affected versions:-

  • All 4.x.x versions
  • All 5.x.x versions
  • All 6.0.x versions
  • All 6.1.x versions
  • All 6.2.x versions
  • All 6.3.x versions
  • All 6.4.x versions
  • All 6.5.x versions
  • All 6.6.x versions 
  • All 6.7.x versions
  • All 6.8.x versions
  • All 6.9.x versions
  • All 6.10.x versions
  • All 6.11.x versions
  • All 6.12.x versions 
  • All 6.13.x versions before 6.13.23
  • All 6.14.x versions 
  • All 6.15.x versions 
  • All 7.0.x versions
  • All 7.1.x versions
  • All 7.2.x versions
  • All 7.3.x versions
  • All 7.4.x versions before 7.4.11
  • All 7.5.x versions
  • All 7.6.x versions 
  • All 7.7.x versions
  • All 7.8.x versions
  • All 7.9.x versions
  • All 7.10.x versions
  • All 7.11.x versions before 7.11.6
  • All 7.12.x versions before 7.12.5

Here’s the list of all the versions that are fixed mentioned below:-

  • 6.13.23
  • 7.4.11
  • 7.11.6
  • 7.12.5
  • 7.13.0


In case if the users can not upgrade to Confluence as soon as possible, then as a substitute workaround, users can mitigate the problem by operating the script that we have mentioned below for the Operating System which is being hosted by Confluence.

Confluence Server or Data Center Node running on Linux-based Operating System…

Confluence Server or Data Center Node running on Microsoft Windows…

The report of Atlassian pronounced that Confluence’s customer base comprises nearly 60,000 companies and organizations, which also includes:- 

  • Audi
  • Hubspot
  • NASA
  • LinkedIn
  • Twilio
  • Docker 

However, as the popularity of Confluence software is increasing at a rapid speed, and that’s why security experts are expecting a rise in the number of attacks using this problem in the coming days.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

BALAJI is a Former Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.


Please enter your comment!
Please enter your name here