Proof-of-concept (PoC) code for an actively exploited critical flaw in Atlassian Confluence software has been released over the weekend.
Disclosed last week, the vulnerability is tracked as CVE-2022-26134. The bug is described as an input validation error that allows a remote, unauthenticated attacker to send a specially crafted request to the Confluence Server and execute arbitrary code on the system. The issue affects all supported versions of Confluence Server and Data Center.
On Friday, Atlassian released a fix to address the vulnerability. The fixed versions are: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1.
“All versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability,” the company said.
Customers unable to upgrade Confluence immediately can use a temporary workaround provided by Atlassian.
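Because the fix was shipped per release branch (7.13.7 is patched even though it is numerically lower than 7.18.1), a naive "is the version below 7.18.1?" check misclassifies hosts. The following version-triage script is an added example, not code from the article or from Atlassian; the fixed-version list is the one quoted above, the sample inventory is constructed, and the treatment of branches newer than 7.18 as patched is an assumption of this example.

```python
"""Triage Confluence Server / Data Center versions against the
CVE-2022-26134 fixed versions, comparing within each release branch.

Added example, not from the article or Atlassian. The fixed-version list
comes from the advisory as quoted in the article; host data is constructed.
"""
import re
from typing import Dict, Optional, Tuple

# Fixed versions named in Atlassian's advisory, one per supported branch.
FIXED_VERSIONS = ["7.4.17", "7.13.7", "7.14.3", "7.15.2",
                  "7.16.4", "7.17.4", "7.18.1"]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.13.5' (optionally with a suffix such as '-beta1') into (7, 13, 5)."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def fixed_version_for_branch(version: Tuple[int, ...]) -> Optional[Tuple[int, ...]]:
    """Return the fixed version for the same major.minor branch, or None
    if the advisory lists no fix for that branch."""
    for fixed in FIXED_VERSIONS:
        f = parse_version(fixed)
        if f[:2] == version[:2]:
            return f
    return None


def is_vulnerable(text: str) -> bool:
    """True if the version is below the fix for its own branch.

    A branch with no listed fix (for example 7.12.x) is reported vulnerable,
    because the advisory says every version prior to the fixed versions is
    affected and no fix exists on that branch to upgrade to.
    Assumption of this example: branches newer than the newest fixed branch
    (7.19 and later, 8.x) are treated as patched.
    """
    v = parse_version(text)
    fixed = fixed_version_for_branch(v)
    if fixed is None:
        latest_branch = max(parse_version(f) for f in FIXED_VERSIONS)[:2]
        return v[:2] < latest_branch
    return v < fixed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'vulnerable' / 'patched' for an inventory of host -> version."""
    return {host: ("vulnerable" if is_vulnerable(ver) else "patched")
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "wiki-a.example.test": "7.13.0",
        "wiki-b.example.test": "7.13.7",
        "wiki-c.example.test": "7.18.0",
        "wiki-d.example.test": "7.12.3",
        "wiki-e.example.test": "7.4.17",
    }
    for host, status in triage(sample).items():
        print(f"{host:24} {sample[host]:8} {status}")
```

Feeding the script the versions Censys reported as most common (7.13.0, 7.13.2, 7.13.5) flags all three as vulnerable, which matches the researchers' reading of the advisory; the same comparison applied across branches is what a fleet-wide inventory check needs.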
Censys reported finding around 9,325 services across 8,347 distinct hosts running some version of Atlassian Confluence.
“Of those services, most Confluence versions we identified were v7.13.0 (1,137 hosts), v7.13.2 (690 hosts), and v7.13.5 (429 hosts); and if the advisory is accurate, all of these versions are susceptible to this new attack,” the researchers said.
The majority of the vulnerable hosts are located in the US, China and Germany.
Soon after the CVE-2022-26134 vulnerability was publicly disclosed, proof-of-concept exploits for this bug were published demonstrating how to create new admin accounts, force DNS requests, gather information, and generate reverse shells.
The cybersecurity company GreyNoise reported that it observed widespread exploitation of CVE-2022-26134 over the weekend. As of June 5, 400 unique IP addresses had been seen exploiting the vulnerability.