Thousands of exploit attacks on Atlassian Confluence a week after the issue was disclosed

published: Jan. 22, 2024

Take action: If you had any argument to delay patching a self-hosted Confluence instance, that argument is gone. Wake up your engineering team, isolate the instance from the internet and start patching NOW, because hackers are actively looking for Confluence.



Security experts have observed massive exploitation attempts of the critical Atlassian Confluence remote code execution flaw, CVE-2023-22527, affecting outdated Confluence Data Center and Server versions before December 5, 202

The Shadowserver Foundation reported over 39,000 exploitation attempts, primarily from Russian IP addresses, targeting the vulnerability. Attackers are using methods like the 'whoami' command to identify system access levels. Shadowserver detected around 11,100 public internet-accessible Confluence instances, though not all are vulnerable.

This vulnerability is significant due to its potential for unauthenticated remote code execution, raising serious concerns for organizations, especially those using Confluence for sensitive content. The flaw poses risks of direct server access, information theft, and further attacks. Organizations with outdated Confluence instances are advised to treat them as compromised, look for exploitation signs, and update to secure versions.
