Over 200K likely vulnerable Confluence Data Center instances exposed

Hundreds of thousands of likely vulnerable Atlassian Confluence Data Center and Confluence Server instances are exposed, mostly in the US, to attackers running code on them remotely.

A recently discovered vulnerability in two Atlassian products is allowing attackers to carry out remote code execution (RCE) attacks against impacted systems.

Tracked as CVE-2024-21683, the RCE-capable bug affects the Confluence Data Center and Confluence Server.

According to the Cybernews research team, since businesses utilize these services to help teams work together and share information, attackers could leverage the flaw to penetrate impacted systems and obtain data.

With a CVSS Score of 8.3, the flaw allows an authenticated attacker to execute arbitrary code, which has a high impact on confidentiality, high impact on integrity, high impact on availability, and requires no user interaction.

Exposed countries

How many Atlassian instances are exposed?

While Atlassian issued a fix for both impacted services, the team discovered that hundreds of thousands of vulnerable instances are exposed to the internet, enticing threat actors to take action.

Cybernews researchers discovered a whopping 224,962 Data Center and Server instances were exposed. Attackers can employ the same tools to discover impacted servers and leverage the recently discovered vulnerability for nefarious purposes.

For example, researchers claim attackers could utilize the bug for their first entry into a network or environment. With the initial foothold established, attackers can gain full control of the system, including the ability to install malware, access sensitive data, and manipulate system configurations.

“Compromised system can be used as a pivot point for further attacks within the network,” the team said.

The exposed instances also endanger regular users. Researchers believe that malicious actors could steal login credentials, which would allow them to penetrate Atlassian accounts and other accounts where the same credentials are reused.

According to the team, RCE bugs are a frequently employed attack vector for advanced ransomware gangs to gain initial entry points into target systems.

For example, last year, Cl0p, a prominent ransomware cartel, exploited a now-patched zero-day bug in Progress Software’s MOVEit Transfer software which allowed attackers to access and download the data stored there. Thousands of organizations and tens of millions of people were impacted, causing tens of millions of dollars in damage.

According to Ransomlooker, Cybernews’ ransomware monitoring tool, the average ransom demand stands at $5.3 million, making it crucial to fix any RCE-capable bugs as fast as possible.

Which countries are most affected?

A deep dive into the information about the exposed Data Center and Server services revealed that only five countries host half of the still vulnerable instances.

According to the team, the US harbors the largest number of likely vulnerable instances, 53,195. An additional 22,007 vulnerable instances are traced to Japan.

Meanwhile, South Africa, France, and Germany each host over 11,000 exposed unpatched Confluence services.

The team advises organizations exposed to the novel RCE bug to immediately upgrade Atlassian Confluence Server or Data Center to the latest version recommended by Atlassian.

Atlassian is an Australian-American software giant that provides products for developers and managers. The company employs over 10,000 staff and reported revenue exceeding $3.5 billion in 2023.

Project management platform Jira and enterprise software Confluence are the company’s flagship products.

The recent bug is hardly the first time Atlassian’s products have had to deal with critical vulnerabilities. In 2022, adversaries and nation-state actors took advantage of an RCE bug that impacted Atlassian’s Confluence.

More from Cybernews:

Gala Games recovers $22M of stolen crypto

Apple fixes bug that caused old photos to reappear

Humane AI founders are reportedly selling the company

German police warn of cyberattacks via Office 365

Zoom introduces quantum-safe encryption

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are markedmarked