Feds Urge Patching For Critical Vulnerability In Confluence Servers

CISA and FBI said they ‘strongly encourage’ the immediate deployment of the vulnerability in the Atlassian-owned platform.


CISA and the FBI urged deployment “immediately” of patches for a critical-severity privilege escalation vulnerability in Atlassian Confluence.

The federal agencies issued the advisory on Monday, saying they “strongly encourage” network admins to implement the patches for Confluence servers.

[Related: Cisco Discloses ‘Critical’ Zero-Day Vulnerability In IOS XE]

Sponsored post

Confluence is a “remote-friendly team workspace” used by more than 75,000 customers, Atlassian said on its website. The platform competes with Microsoft SharePoint, Google Docs and other collaboration apps.

The vulnerability, tracked at CVE-2023-22515, was initially disclosed by Atlassian on Oct. 4 and has seen active exploitation, according to the company.

The flaw has received the maximum severity rating, 10.0 out of 10.0, from Atlassian.

The vulnerability “affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts,” the FBI and CISA said in their advisory Monday.

Threat actors “exploited CVE-2023-22515 as a zero-day to obtain access to victim systems and continue active exploitation post-patch,” the agencies said. “Atlassian has rated this vulnerability as critical; CISA, FBI, and MS-ISAC expect widespread, continued exploitation due to ease of exploitation.”

The agencies also encouraged hunting for suspicious activity on their networks in connection with the Confluence vulnerability.

Zane Bond, head of product at cybersecurity firm Keeper Security, agreed that the vulnerability warrants immediate patching.

This is due to the ease of exploitation with the vulnerability, Bond said in an email to CRN. Alternatively, organizations may want to consider taking the service offline until it can be updated, he said.