Atlassian Confluence Data Center & Server, privilege escalation to admin
Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.
Overview
CVE-2023-22515 is a critical broken access control vulnerability affecting Atlassian Confluence Data Center and Server. The flaw allows an unauthenticated remote attacker to create unauthorized administrator accounts on publicly accessible Confluence instances. This vulnerability was mass-exploited in the wild starting in September 2023, prior to public disclosure. Microsoft Threat Intelligence attributed the initial exploitation to Storm-0062 (also known as DarkShadow), a China-linked threat actor. Following public disclosure, the vulnerability was rapidly weaponized by multiple ransomware affiliates.
Technical Details
The vulnerability is in the Confluence setup flow, which is supposed to be reachable only during initial installation. Once setup is complete, Confluence records that state and refuses to serve the setup wizard. The flaw is that an unauthenticated attacker can send a crafted request that flips the instance's setup-complete state back to incomplete, which reopens the /setup/ endpoints on a running, fully configured instance. The attacker can then walk through the setup wizard over plain HTTP and create a new Confluence administrator account, bypassing all access controls. Affected versions are Confluence Data Center and Server 8.0.0 through 8.5.1; versions before 8.0.0 and Atlassian Cloud sites are not affected.
The attack requires only network access to the vulnerable Confluence instance; no prior authentication, user interaction, or special privileges are needed, and the whole chain is a handful of HTTP requests. Any attacker who can reach the Confluence web interface can exploit it.
Impact
Successful exploitation grants the attacker full administrative access to the Confluence instance. Given that Confluence typically stores sensitive organizational data including documentation, runbooks, customer information, IT credentials, and internal policies, the impact is severe. An attacker with admin privileges can:
- Read and exfiltrate all wiki content
- Add malicious macros for further exploitation and persistence
- Pivot to other systems using credentials documented in the wiki or configured in Confluence's user-directory (LDAP/AD) integration
- Modify or delete critical documentation
- Establish backdoor accounts for persistent access
Atlassian rated this vulnerability as critical, and real-world exploitation resulted in significant breaches across multiple organizations.
Mitigation
- Patch immediately to a fixed version: 8.3.3, 8.4.3, 8.5.2, or later
- If patching is delayed, block external access to the /setup/* endpoints at the reverse proxy or firewall; treat this as a stopgap, not a fix, and patch as soon as possible
- Audit the Confluence administrator user list (the confluence-administrators group) for any unauthorized additions; patching does not remove accounts an attacker has already created
- Migrate off Confluence Server (end-of-life 15 February 2024) to Data Center, which continues to receive security fixes
- Restrict network access to Confluence instances where possible
Detection
Organizations should review Confluence admin user lists for any accounts created without authorization, particularly those created around September-October 2023, and check the confluence-administrators group for unexpected members. Monitor the Confluence access logs for requests to /setup/*.action endpoints, especially from external IP addresses, since these paths should never be requested on a configured instance. Review authentication logs for newly created administrator accounts and investigate any suspicious admin-level activity. Do this even on instances that have already been patched: the fix closes the setup flow but does not undo anything an attacker did before it was applied.
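The access-log check described above, as an added example that is not Atlassian tooling or part of the original advisory. It assumes the Confluence access log uses Tomcat's combined format (client IP first, quoted request line, then HTTP status), which is the default layout but should be confirmed against your own logs; the sample lines, IP ranges and the /setup/setupadministrator.action and /setup/finishsetup.action paths are constructed for the example.

```python
"""Hunt for CVE-2023-22515-style setup-flow activity in Confluence access logs.

Added example, not Atlassian code. Assumes Tomcat combined log format.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log lines for this example (not from a real incident).
# The first and fifth lines are normal internal traffic; the external client
# 203.0.113.7 walks the setup wizard, and 198.51.100.9 probes /setup/ later
# and is refused.
SAMPLE_ACCESS_LOG = """\
10.20.0.15 - admin [13/Sep/2023:09:01:02 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Sep/2023:03:12:41 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 5410 "-" "python-requests/2.31"
203.0.113.7 - - [14/Sep/2023:03:12:43 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [14/Sep/2023:03:12:44 +0000] "POST /setup/finishsetup.action HTTP/1.1" 200 311 "-" "python-requests/2.31"
10.20.0.15 - admin [14/Sep/2023:09:30:00 +0000] "GET /admin/users/browse-users.action HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Sep/2023:11:05:19 +0000] "GET /setup/ HTTP/1.1" 403 0 "-" "curl/8.1"
"""

# Tomcat combined format: ip ident user [time] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed internal ranges; replace with your own address plan.
DEFAULT_INTERNAL_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass
class SetupHit:
    ip: str
    timestamp: str
    method: str
    path: str
    status: int
    external: bool  # True when the client IP is outside the internal ranges


def find_setup_requests(log_text, internal_nets=DEFAULT_INTERNAL_NETS):
    """Return every request to a /setup/ path, tagged with whether it came
    from outside the internal networks. On a configured instance any such
    request is suspicious; an external one more so."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if not path.startswith("/setup/"):
            continue
        addr = ipaddress.ip_address(m.group("ip"))
        hits.append(SetupHit(
            ip=m.group("ip"),
            timestamp=m.group("ts"),
            method=m.group("method"),
            path=path,
            status=int(m.group("status")),
            external=not any(addr in n for n in nets),
        ))
    return hits


def likely_admin_creation(hits):
    """A POST to the setup wizard's administrator step that was not rejected
    (status below 400) is the strongest sign the setup flow actually ran and
    an account may have been created; a 403/404 means the request was refused."""
    return [
        h for h in hits
        if h.method == "POST"
        and h.path.endswith("setupadministrator.action")
        and h.status < 400
    ]


if __name__ == "__main__":
    hits = find_setup_requests(SAMPLE_ACCESS_LOG)
    for h in hits:
        print(f"{h.timestamp} {h.ip} {'EXTERNAL' if h.external else 'internal'} "
              f"{h.method} {h.path} -> {h.status}")
    for h in likely_admin_creation(hits):
        print(f"POSSIBLE ADMIN CREATION from {h.ip} at {h.timestamp}; "
              f"audit confluence-administrators and users created after this time")
```

Any hit at all deserves a look, because a healthy configured instance should never serve /setup/ paths; the `likely_admin_creation` filter just orders the triage by pulling out the POST that would have submitted the new administrator. Feed it the whole access-log history back to early September 2023, not just the current file, and follow up each finding with a review of the admin group and recently created accounts.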