What is Atlassian Confluence?
Atlassian Confluence is a widely used enterprise collaboration platform storing organizational documentation, project plans, and sensitive business information in self-hosted Data Center and Server deployments. Confluence serves as a central knowledge repository for organizations in technology, finance, healthcare, and government sectors. The self-hosted versions include backup/restore functionality designed for disaster recovery — and it is this restore functionality that CVE-2023-22518 exposes to unauthenticated attackers.
Overview
CVE-2023-22518 is a critical improper authorization vulnerability in Atlassian Confluence Data Center and Server that allows an unauthenticated remote attacker to invoke the instance's restore functionality, effectively wiping the Confluence database and resetting the instance to an initial state. Unlike CVE-2023-22515 (which enables unauthorized admin account creation), this vulnerability does not allow data exfiltration — but enables complete data destruction and instance takeover via the restored-from-scratch administrative setup. Cerber ransomware operators exploited this vulnerability days after disclosure to wipe Confluence instances and encrypt the backup files, demanding ransom for decryption.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Confluence Data Center and Server | 1.0.0 – 7.19.15 | 7.19.16 |
| Confluence Data Center and Server | 8.0.0 – 8.3.3 | 8.3.4 |
| Confluence Data Center and Server | 8.4.0 – 8.4.3 | 8.4.4 |
| Confluence Data Center and Server | 8.5.0 – 8.5.2 | 8.5.3 |
| Confluence Cloud | Not affected | N/A |
Technical Details
CWE-863 (Incorrect Authorization). The Confluence backup/restore mechanism includes endpoints (/json/setup-restore.action and related paths) that are improperly protected. These endpoints are intended to be accessible only during initial Confluence setup, but a flaw in the authorization check leaves them accessible to unauthenticated users on live instances. An attacker can POST a request to these endpoints to trigger a restore operation — either restoring from a previously uploaded file or initiating a database reset that destroys the existing Confluence content.
The restore operation wipes all Confluence spaces, pages, and user data. After the reset, the instance is in a "new install" state that requires re-running setup — which, combined with CVE-2023-22515 (admin account creation via setup endpoint), could allow the attacker to take full control of the reset instance. In ransomware attacks, operators exploited this to destroy Confluence content and then encrypt any backup files found on the server, maximizing leverage for extortion.
The CVSS note in the original advisory clarifies that there is no confidentiality impact in isolation (C:H in the vector reflects the combined impact with available chaining) — the standalone vulnerability impacts integrity and availability (data destruction) rather than data theft.
Discovery
Identified by Atlassian's security team, which proactively notified customers of the vulnerability and recommended immediate patching before active exploitation was confirmed, citing intelligence suggesting imminent weaponization. This proactive warning was vindicated within days when Cerber ransomware operators began exploiting the vulnerability.
Exploitation Context
Cerber ransomware — a ransomware-as-a-service operation — began exploiting CVE-2023-22518 to target internet-exposed Confluence instances almost immediately after disclosure. The attack is operationally straightforward: discover exposed Confluence instances via Shodan/Censys, trigger the restore wipe, and encrypt any backup files stored on the server. Organizations without off-server backups faced complete loss of Confluence content. The combination of CVE-2023-22518 (data destruction) and CVE-2023-22515 (admin account creation) in the same Atlassian disclosure period created a compounding risk for unpatched Confluence deployments.
Remediation
- Apply Atlassian patches immediately — update to the fixed versions listed above.
- If immediate patching is not possible, block all external access to Confluence to eliminate the unauthenticated attack surface.
- Verify that Confluence restore endpoints (/json/setup-restore.action, /setup/*) are inaccessible externally by testing from an external network after patching.
- Ensure Confluence backups are stored off-server (separate storage location not accessible from the Confluence host) — ransomware operators target backup files on the same host.
- Audit recent access logs for POST requests to setup or restore endpoints from unexpected IPs — these indicate exploitation attempts.
- Consider isolating Confluence from public internet access entirely and requiring VPN for all access — Confluence contains sensitive organizational documentation that should not be directly internet-accessible.
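One way to carry out the log audit step above, as an added example that is not part of the original page: it scans Tomcat-style Confluence access log lines for POST requests to the restore/setup paths named in this advisory and reports those from outside an assumed trusted range. The log lines, the trusted networks and the /setup/ sub-path are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Tomcat/combined access log line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints named in the remediation guidance for CVE-2023-22518.
RESTORE_PATHS = ("/json/setup-restore.action", "/setup/")

# Assumed internal ranges from which setup traffic could be legitimate (hypothetical).
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_trusted(ip):
    """True if the client address falls inside one of the assumed trusted networks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def find_restore_attempts(lines):
    """Return (ip, timestamp, path, status) for POSTs to restore/setup paths from untrusted IPs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("path").split("?", 1)[0]  # drop query string before matching
        if not any(path.startswith(p) for p in RESTORE_PATHS):
            continue
        if is_trusted(m.group("ip")):
            continue
        hits.append((m.group("ip"), m.group("ts"), path, int(m.group("status"))))
    return hits


# Constructed sample lines (documentation-range IPs, not from any real incident).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Nov/2023:10:15:42 +0000] "POST /json/setup-restore.action HTTP/1.1" 200 512',
    '10.0.0.5 - - [02/Nov/2023:10:16:01 +0000] "POST /json/setup-restore.action HTTP/1.1" 403 0',
    '198.51.100.9 - - [02/Nov/2023:10:16:30 +0000] "GET /pages/viewpage.action?pageId=1 HTTP/1.1" 200 9000',
    '198.51.100.9 - - [02/Nov/2023:10:17:02 +0000] "POST /setup/example-step.action HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in find_restore_attempts(SAMPLE_LOG):
        print("possible CVE-2023-22518 exploitation attempt:", hit)
```

A 200 or 302 on these paths after the fix is applied is worth a closer look; a 403 from a patched instance is the expected outcome.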
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-22518 |
| Vendor / Product | Atlassian — Confluence Data Center and Server |
| NVD Published | 2023-10-31 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-863 |
| CISA KEV Added | 2023-11-07 |
| CISA KEV Deadline | 2023-11-28 |
| Known Ransomware Use | Yes |
Timeline
| Date | Event |
|---|---|
| 2023-10-31 | Atlassian publishes CVE-2023-22518 and patches; warns of imminent exploitation based on intelligence |
| 2023-11-02 | Active exploitation confirmed — Cerber ransomware observed exploiting vulnerability to wipe and encrypt Confluence instances |
| 2023-11-07 | CISA adds to Known Exploited Vulnerabilities catalog |
| 2023-11-28 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Atlassian Security Advisory — CVE-2023-22518 | Vendor Advisory |
| NVD — CVE-2023-22518 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |