The U.S. Cybersecurity and Infrastructure Agency, the Federal Bureau of Investigation and the Multi-State Information Sharing and Analysis Center today released a Cybersecurity Advisory over a recently disclosed vulnerability in Atlassian Corp.’s Confluence Data Center and Server that opens the door to malicious cyber threat actors.

Tracked as CVE-2023-22515, the vulnerability has a Common Vulnerabilities and Exposure score of 10, the highest possible rating. The vulnerability is a critical Broken Access Control vulnerability affecting versions of Atlassian Confluence Data Center and Server ranging from 8.0.0 through to 8.5.1.

Using the vulnerability, unauthenticated remote threat actors can create unauthorized Confluence administrator accounts and access Confluence instances. With the access, threat actors can change the Confluence server’s configuration to indicate the setup is not complete and use the /setup/setupadministrator.action endpoint to create a new administrator user. The vulnerability is said to be triggered via a request on the unauthenticated /server-info.action endpoint.

A patch for the vulnerability was released on Oct. 4, but as is not usual in these cases, not all Atlassian users have applied the patch and the vulnerability is continuing to be exploited, which is why CISA, the FBI and MS-ISAC have issued the advisory. Users of Confluence Data Center and Server are urged to immediately apply the patch to their affected devices.

The need to patch was emphasized by Zane Bond, head of product at passwords and secrets management company Keeper Security Inc., who told SiliconANGLE that it is being actively exploited and should be patched immediately.

“The ease of exploitation makes it critical for Atlassian customers to upgrade their Confluence instance as soon as possible to one of the fixed versions or take the service offline until it can be updated, especially now that this vulnerability is public knowledge.,” Bond explained. “Additionally, employees need to be hyper-vigilant when it comes to indicators of compromise, including new or suspicious admin user accounts.”

One group exploiting the vulnerability is believed to be Storm-0062, also known as Dark Shadow and Oro0lxy. According to a report from Bleeping Computer on Oct. 11, Storm-0062 is allegedly a state hacking group linked to China’s Ministry of State Security and is known for targeting software, engineering, medical research, government, defense and tech firms in the U.S., the U.K., Australia and various European countries to collect intelligence.

Photo: Atlassian