CVE-2023-22515 — Atlassian Confluence Data Center and Server Broken Access Control Vulnerability

CVE-2023-22515

Atlassian Confluence: Unauthenticated Admin Account Creation via the Setup Endpoint; Exploited as a Zero-Day by Storm-0062 (China-Nexus); 8-Day CISA Deadline

What is Atlassian Confluence?

Atlassian Confluence is a widely used enterprise wiki and collaboration platform where organizations store internal documentation, project plans, product specifications, security policies, and other sensitive business information. Confluence Data Center and Server are the self-hosted editions, deployed by enterprises, government agencies, and technology companies. Because Confluence is an internal knowledge base, an unauthorized administrator account gives an attacker persistent access to read, modify, or delete all of that documentation, and a starting point for reaching other Atlassian tools (Jira, Bitbucket) and connected systems through the credentials, API tokens, and integration details that routinely end up in wiki pages.

Overview

CVE-2023-22515 is a critical broken access control vulnerability in Atlassian Confluence Data Center and Server that allows an unauthenticated remote attacker to create unauthorized Confluence administrator accounts by exploiting a flaw in Confluence's setup/initialization endpoint. Atlassian disclosed it as a zero-day already being actively exploited on October 4, 2023, with patches available on the same day. CISA added it to KEV the following day with an 8-day remediation deadline. Microsoft confirmed active exploitation by Storm-0062 — a China-nexus threat actor — before the patch was available.

Affected Versions

Product                              Vulnerable versions   Fixed version
Confluence Data Center and Server    8.0.0 – 8.3.2         8.3.3
Confluence Data Center and Server    8.4.0 – 8.4.2         8.4.3
Confluence Data Center and Server    8.5.0 – 8.5.1         8.5.2
Confluence Data Center and Server    before 8.0.0          not affected
Confluence Cloud                     not affected          N/A

Technical Details

CWE-284 (Improper Access Control). The flaw is in Confluence's first-run setup flow, specifically the /setup/setupadministrator.action endpoint and the related setup actions. Once an instance has been fully installed and configured, these actions are supposed to be blocked: the access check consults the application's "setup complete" state and refuses setup requests while that state is set. The check itself was present; the problem was that an unauthenticated request could reset the setup-complete state on a running, fully configured instance, which re-enabled the setup flow. With the flow re-enabled, the attacker POSTs the ordinary setup form parameters to the setup endpoint, Confluence creates a new administrator account with attacker-chosen credentials, and the attacker logs in with it and takes full control of the instance. No existing credentials, user interaction, or special network position is required beyond being able to reach the instance, which is why the CVSS vector is AV:N/AC:L/PR:N/UI:N.

Once authenticated as a Confluence administrator, the attacker has unrestricted access to all spaces, pages, and attachments; can install or enable Confluence plugins (a common path to RCE via plugin-based webshells); and can harvest credentials, API tokens, and sensitive data stored in Confluence pages.
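To make the access-control failure concrete, the following Python is a small model of the pattern, added here as an illustration; it is not Confluence source code, and the class, attribute and path names (App, AppConfig, config.setup_complete, /any-page.action) are hypothetical. It contrasts a request-parameter binder that can reach live application state (the vulnerable pattern, in which an unauthenticated request resets the setup-complete flag) with one that binds only declared form fields, and shows that the setup guard, identical in both variants, only holds when the state it reads cannot be rewritten by the request it is guarding.

```python
from dataclasses import dataclass, field


@dataclass
class AppConfig:
    # Persisted first-run state; True once the instance has been set up.
    setup_complete: bool = True


@dataclass
class App:
    config: AppConfig = field(default_factory=AppConfig)
    admins: set = field(default_factory=lambda: {"admin"})


@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)


# The flat form fields the setup-administrator page legitimately accepts (assumed names).
SETUP_FORM_FIELDS = {"username", "fullName", "email", "password"}


def bind_reflective(target, params):
    """Vulnerable pattern: every request parameter is treated as a dotted path into
    live application objects and assigned, so a request carrying
    config.setup_complete=false rewrites the setup state before any check runs."""
    for name, raw in params.items():
        obj = target
        *path, leaf = name.split(".")
        try:
            for attr in path:
                obj = getattr(obj, attr)
        except AttributeError:
            continue
        if not hasattr(obj, leaf):
            continue
        current = getattr(obj, leaf)
        value = raw.lower() == "true" if isinstance(current, bool) else raw
        setattr(obj, leaf, value)


def bind_allowlisted(params):
    """Hardened pattern: only the declared form fields are bound, as plain strings,
    into a separate form dict; application state is not reachable from a request."""
    return {k: v for k, v in params.items() if k in SETUP_FORM_FIELDS}


def handle(app, req, hardened):
    """Dispatch one unauthenticated request. Returns (status, message)."""
    if hardened:
        form = bind_allowlisted(req.params)
    else:
        bind_reflective(app, req.params)
        form = req.params
    if req.path.startswith("/setup/"):
        # The guard is the same in both modes; what differs is whether the
        # request could have flipped the flag the guard reads.
        if app.config.setup_complete:
            return 403, "setup already complete"
        if req.method == "POST" and req.path == "/setup/setupadministrator.action":
            if not SETUP_FORM_FIELDS.issubset(form):
                return 400, "missing setup fields"
            app.admins.add(form["username"])
            return 200, "admin created: " + form["username"]
    return 200, "ok"


def run_attack(hardened):
    """Two-request sequence against a fully set-up instance.
    Returns (status of the admin-creation POST, resulting admin set)."""
    app = App()
    # Step 1: any action URL, carrying a parameter aimed at the setup flag.
    handle(app, Request("GET", "/any-page.action",
                        {"config.setup_complete": "false"}), hardened)
    # Step 2: the setup form, which the vulnerable build now accepts again.
    status, _ = handle(app, Request("POST", "/setup/setupadministrator.action",
                                    {"username": "attacker", "fullName": "x",
                                     "email": "x@example.invalid", "password": "pw"}),
                       hardened)
    return status, app.admins


def run_first_setup(hardened):
    """Legitimate first-run setup must still work after hardening."""
    app = App(config=AppConfig(setup_complete=False), admins=set())
    status, _ = handle(app, Request("POST", "/setup/setupadministrator.action",
                                    {"username": "owner", "fullName": "o",
                                     "email": "o@example.invalid", "password": "pw"}),
                       hardened)
    return status, app.admins


if __name__ == "__main__":
    print("vulnerable:", run_attack(hardened=False))   # admin "attacker" is created
    print("hardened:  ", run_attack(hardened=True))    # 403, admins unchanged
    print("first run: ", run_first_setup(hardened=True))
```

The point of the comparison is that the fix is not a stronger guard on /setup/ but a narrower binding layer: the guard was already correct for the state it saw, and the defect was that the request could choose that state.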

Discovery

Atlassian learned of the vulnerability from a small number of customers who reported that their instances had been exploited, before any patch existed. Microsoft Threat Intelligence (MSTIC) attributed the exploitation to Storm-0062, also known as DarkShadow or Oro0lxy, a China-nexus threat actor focused on corporate espionage and intellectual property theft. Microsoft reported seeing Storm-0062 exploit CVE-2023-22515 in the wild since mid-September 2023, roughly three weeks before Atlassian's October 4 disclosure.

Exploitation Context

Confluence is a primary target for espionage-motivated threat actors because it contains concentrated organizational knowledge: source code documentation, architecture diagrams, security procedures, personnel information, and proprietary research. Storm-0062's rapid weaponization of this zero-day reflects their systematic targeting of Atlassian products as a primary attack surface for corporate and government espionage.

Following the initial zero-day use by Storm-0062, the vulnerability was quickly picked up by financially motivated actors, and CISA's catalog flags it as used in ransomware campaigns (ransomwareUse: true). Internet-facing Confluence instances are easy to enumerate with Shodan or Censys, which makes them natural targets for mass exploitation; an administrator account obtained this way is typically turned into code execution on the host (for example through a malicious plugin) and used to move into the rest of the environment before any encryption takes place.

Remediation

  1. Upgrade to a fixed version immediately (8.3.3, 8.4.3 or 8.5.2, or later). If you cannot upgrade right away, apply Atlassian's interim mitigation: block access to the /setup/* endpoints at the reverse proxy or firewall, and restrict who can reach the instance at all.
  2. Treat any instance that ran a vulnerable version while reachable as potentially compromised, even when nothing suspicious is visible: exploitation began before public disclosure, and upgrading does not remove accounts, plugins or other changes an attacker already made.
  3. Check for unauthorized administrator accounts: in Confluence administration, under User Management, review the members of the confluence-administrators group and look for recently created users that nobody on your team recognises.
  4. Review access logs, including those of any reverse proxy, for requests to /setup/*.action or /bootstrap/* paths. On a fully set-up instance these should not occur at all; requests from external addresses are the first to investigate. Atlassian's advisory also names the string /setup/setupadministrator.action appearing in an exception message in atlassian-confluence-security.log (in the Confluence home directory) as an indicator of compromise.
  5. Compare installed and enabled plugins against what your team actually deployed; a plugin you did not install is a likely persistence and code-execution mechanism.
  6. Keep Confluence off the public internet; expose it only through a VPN or an equivalent access control in front of it.
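The log and account checks in steps 3 and 4 can be scripted. The following Python is an added example, not Atlassian tooling: it parses constructed access-log lines in the combined format a reverse proxy in front of Confluence would write, flags every request under /setup/, marks sources outside an assumed set of internal networks, and lists members of confluence-administrators created on or after a chosen cutoff from a constructed user export. The user-record field names (username, groups, created), the internal network ranges, and every log line below are assumptions made for the example; only /setup/setupadministrator.action is a path the advisory itself names.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample lines (combined log format, as a reverse proxy in front of
# Confluence would write them); not real traffic.
ACCESS_LOG = [
    '203.0.113.7 - - [03/Oct/2023:11:02:14 +0000] "GET /index.action?foo=bar HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [03/Oct/2023:11:02:15 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    '10.20.0.5 - - [03/Oct/2023:11:05:01 +0000] "GET /display/ENG/Runbooks HTTP/1.1" 200 8842 "-" "Mozilla/5.0"',
    '10.20.0.9 - - [03/Oct/2023:11:06:40 +0000] "GET /setup/setuplicense.action HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [03/Oct/2023:11:09:22 +0000] "GET /rest/api/content?limit=1 HTTP/1.1" 401 0 "-" "curl/8.1"',
    'not a log line',
]

# Constructed user export; the field names are assumptions about such an export.
SAMPLE_USERS = [
    {"username": "jsmith", "groups": ["confluence-users"],
     "created": "2021-05-10T09:00:00+00:00"},
    {"username": "itadmin", "groups": ["confluence-users", "confluence-administrators"],
     "created": "2021-05-10T09:00:00+00:00"},
    {"username": "svc-backup2", "groups": ["confluence-administrators"],
     "created": "2023-10-03T11:02:15+00:00"},
]

# Assumed internal ranges; replace with the organisation's own allocations.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def is_external(ip_text):
    """True unless the address falls inside one of the assumed internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparsable source: treat as untrusted
    return not any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["external"] = is_external(rec["ip"])
    return rec


def find_setup_requests(lines):
    """Every request under /setup/ on an instance whose setup finished long ago is
    suspicious regardless of method or response code; a redirect on the
    admin-creation POST is what a successful submission looks like."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith("/setup/"):
            hits.append(rec)
    return hits


def recent_admins(users, since_iso):
    """Members of confluence-administrators created on or after the cutoff."""
    since = datetime.fromisoformat(since_iso)
    return sorted(
        u["username"] for u in users
        if "confluence-administrators" in u["groups"]
        and datetime.fromisoformat(u["created"]) >= since
    )


def triage(lines, users, since_iso):
    """Summarise both checks in one dict."""
    hits = find_setup_requests(lines)
    return {
        "setup_requests": [(h["ip"], h["method"], h["path"], h["status"], h["external"])
                           for h in hits],
        "external_setup_sources": sorted({h["ip"] for h in hits if h["external"]}),
        "new_admins": recent_admins(users, since_iso),
    }


if __name__ == "__main__":
    # Cutoff chosen to cover the pre-disclosure exploitation window.
    for key, value in triage(ACCESS_LOG, SAMPLE_USERS, "2023-09-01T00:00:00+00:00").items():
        print(key, value)
```

On the constructed sample, the external source 203.0.113.7 issues the admin-creation POST and the account svc-backup2 was added to confluence-administrators one second later; the internal GET to a setup page is also reported, because on a configured instance no such request should exist, but it ranks lower. Run the same functions over the real proxy logs and a real user export, with the cutoff set to the date of the last known-good audit.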

Key Details

CVE ID: CVE-2023-22515
Vendor / Product: Atlassian, Confluence Data Center and Server
NVD Published: 2023-10-04
NVD Last Modified: 2026-03-25
CVSS 3.1 Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-284 (Improper Access Control)
CISA KEV Added: 2023-10-05
CISA KEV Deadline: 2023-10-13
Known Ransomware Use: Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2023-10-13. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. Check all affected Confluence instances for evidence of compromise per vendor instructions and report any positive findings to CISA.

Timeline

Date        Event
2023-10-04  Atlassian discloses CVE-2023-22515 as an actively exploited zero-day and releases fixed versions
2023-10-05  CISA adds CVE-2023-22515 to the Known Exploited Vulnerabilities catalog
2023-10-11  Microsoft attributes the pre-disclosure exploitation to Storm-0062 (China-nexus threat actor)
2023-10-13  CISA BOD 22-01 remediation deadline (8-day window)

References

Resource                                          Type
Atlassian Security Advisory for CVE-2023-22515    Vendor advisory
NVD entry for CVE-2023-22515                      Vulnerability database
CISA KEV catalog entry for CVE-2023-22515         US government