Atlassian Confluence hit by a critical zero-day flaw

June 4, 2022

A new zero-day flaw in Atlassian Confluence is being actively exploited by threat actors to drop malicious web shells on exposed servers. The flaw, tracked as CVE-2022-26134, had no patch available at the time of writing.

Atlassian has published an advisory describing the zero-day as a critical, unauthenticated remote code execution (RCE) vulnerability in Confluence Server and Data Center. Exploitation was confirmed against Confluence Server 7.18.0 and Data Center 7.4.0, and Atlassian believes all supported versions of both products are affected.


Since a fix for the zero-day has yet to be released, Atlassian has advised customers to protect their Confluence Server and Data Center instances through one of two interim measures.


The first measure is to restrict Confluence Server and Data Center instances so they are no longer reachable from the internet; the second is to disable the instances altogether. Researchers stressed that, until a patch ships, these two workarounds are the only mitigations available.

Customers on Atlassian Cloud, on the other hand, are not affected by the flaw. Atlassian has assured customers that it is working on the issue and will update its advisory, including with a patch, as soon as one becomes available.

CISA has already added the zero-day to its Known Exploited Vulnerabilities catalogue and required federal agencies to block all internet traffic to their Confluence servers by 3 June.

Security researchers (Volexity) disclosed that the vulnerability was discovered during an incident response engagement. Their investigation showed that the exploit could be reproduced against the latest version of Confluence Server, at which point it was reported to Atlassian. The review also traced the intrusion back to its origin: a threat actor exploiting the flaw to achieve remote code execution on the server.

Once in, the attacker deployed BEHINDER, an in-memory JSP web shell that lets them run commands remotely on the compromised server. They then dropped the China Chopper web shell and a simple file-upload tool as backup access paths.
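The following is an added detection example, not code from Atlassian, Volexity, or this article. It assumes two things the article does not state: that the exploit delivers an OGNL expression in the request URI, so attempts leave `${...}` (often URL-encoded as `%24%7B`) in the access log, and that the dropped web shells are JSP files written under the Confluence install directory. The log lines and shell file are constructed for illustration, and the marker lists are heuristics rather than a complete signature set.

```python
"""Heuristic triage for CVE-2022-26134 activity (added example; not vendor or article code).

Assumptions (not on the page): exploitation shows up as an OGNL expression in the
request path, and dropped web shells are JSP files in the web root. All sample
data below is constructed, not captured from a real incident.
"""
import os
import re
import tempfile
import time
from urllib.parse import unquote

# Apache/Tomcat combined-format access log; the path token never contains spaces.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# OGNL payload markers (heuristic, not exhaustive). Checked on the URL-decoded path
# so that both raw '${' and '%24%7B' submissions are caught.
OGNL_MARKERS = ("${", "@java.lang.Runtime", "getRuntime()", "ProcessBuilder", "#_memberAccess")

# JSP web-shell markers (heuristic). BEHINDER-style shells decrypt a request body and
# defineClass() it; China Chopper-style shells exec a parameter via a class loader.
JSP_MARKERS = ("defineClass", "Runtime.getRuntime().exec", "ProcessBuilder", "javax.crypto.Cipher")

# Constructed sample log: two exploit attempts from one source, two benign requests.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jun/2022:11:04:11 +0000] "GET /${@java.lang.Runtime@getRuntime().exec("id")}/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
203.0.113.5 - - [02/Jun/2022:11:04:13 +0000] "GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29%7D/ HTTP/1.1" 302 0 "-" "python-requests/2.27"
198.51.100.7 - - [02/Jun/2022:11:05:02 +0000] "GET /login.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Jun/2022:11:06:40 +0000] "GET /display/ENG/Release+Notes HTTP/1.1" 200 22034 "-" "Mozilla/5.0"
"""

# Constructed JSP bodies: a class-loader/crypto shell skeleton and a benign page.
SAMPLE_SHELL = ('<%@page import="java.util.*,javax.crypto.*"%>'
                '<%!class U extends ClassLoader{U(ClassLoader c){super(c);}'
                'public Class g(byte[] b){return super.defineClass(b,0,b.length);}}%>'
                '<% Cipher c = javax.crypto.Cipher.getInstance("AES"); %>')
SAMPLE_BENIGN = '<%@ page contentType="text/html" %><html>ok</html>'


def scan_access_log(text):
    """Return (source ip, raw path, matched markers) for requests that look like OGNL injection."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote(m.group("path"))
        markers = [k for k in OGNL_MARKERS if k in decoded]
        if markers:
            hits.append((m.group("ip"), m.group("path"), markers))
    return hits


def scan_webroot(root, max_age_days=30):
    """Return recently modified .jsp/.jspx files under root carrying at least two shell markers.

    Confluence ships legitimate JSPs, so the age filter and the two-marker threshold
    keep noise down; treat results as leads for manual review, not verdicts.
    """
    cutoff = time.time() - max_age_days * 86400
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            full = os.path.join(dirpath, name)
            if os.path.getmtime(full) < cutoff:
                continue
            with open(full, "r", errors="replace") as fh:
                body = fh.read()
            found = [k for k in JSP_MARKERS if k in body]
            if len(found) >= 2:
                findings.append((full, found))
    return findings


def demo_webroot():
    """Build a throwaway web root with the constructed shell and benign page, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "behinder.jsp"), "w") as fh:
            fh.write(SAMPLE_SHELL)
        with open(os.path.join(root, "index.jsp"), "w") as fh:
            fh.write(SAMPLE_BENIGN)
        return [(os.path.basename(p), m) for p, m in scan_webroot(root)]


if __name__ == "__main__":
    for ip, path, markers in scan_access_log(SAMPLE_LOG):
        print(f"OGNL attempt from {ip}: {path[:60]}... markers={markers}")
    for name, markers in demo_webroot():
        print(f"suspicious JSP: {name} markers={markers}")
```

On a real host, feed `scan_access_log` the Tomcat or reverse-proxy access log and point `scan_webroot` at the Confluence install directory; any hit from the log scan is worth correlating against web-root changes around the same timestamp, since an in-memory shell such as BEHINDER may leave no file on disk at all.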

The analysts who investigated the intrusion believe China-based threat operators have been using the flaw. Until a fix for the Confluence zero-day is available, administrators are strongly advised to take their servers off the internet.
