CVE-2023-22527 — Atlassian Confluence Data Center and Server Template Injection Vulnerability


Atlassian Confluence — Unauthenticated OGNL Template Injection Achieves Pre-Auth RCE; Affects All Confluence 8.x Before 8.5.4; Mass Exploitation Within 24 Hours; Ransomware

What is Atlassian Confluence?

Atlassian Confluence is a widely deployed enterprise wiki and collaboration platform used by organizations worldwide to store documentation, project plans, architecture designs, security procedures, and sensitive business information. Confluence Data Center and Server are the self-hosted editions, which many organizations expose to the internet to enable remote access. Confluence's OGNL (Object-Graph Navigation Language) template engine is a powerful expression language that allows dynamic page content — and it has been the source of multiple critical RCE vulnerabilities whenever attacker-controlled input reaches the OGNL evaluator.

Overview

CVE-2023-22527 is the most severe Confluence vulnerability of the 2023-2024 period: an unauthenticated OGNL template injection vulnerability affecting all Confluence 8.x versions before 8.5.4. A single POST request to a Confluence endpoint with a crafted OGNL expression achieves arbitrary code execution as the Confluence service user — with no authentication required. Mass exploitation began within 24 hours of disclosure. CISA added it to KEV within 8 days, and ransomware groups incorporated it into their initial access toolkit.

Affected Versions

Product                                  Vulnerable        Fixed
Confluence Data Center and Server        8.0.x – 8.5.3     8.5.4 / 8.6.0
Confluence Cloud                         Not affected      N/A
Confluence < 8.0.0 (7.x and older)       Not affected      N/A

Technical Details

CWE-74 (Injection). The vulnerability is a server-side template injection in Confluence's OGNL expression evaluator. Confluence allows certain endpoints (including template-related functionality) to process OGNL expressions embedded in request parameters. A flaw in the input validation allows an unauthenticated attacker to inject OGNL expressions that are evaluated by the Confluence server with the full capabilities of the OGNL runtime — including Java reflection, class loading, and OS command execution.

The attack is a single unauthenticated HTTP POST request to the vulnerable endpoint containing an OGNL payload. Successful exploitation executes arbitrary Java and OS commands as the user running the Confluence process (typically a dedicated service account). Common post-exploitation steps observed in campaigns include:

  • Deploying web shells for persistent access
  • Installing Cobalt Strike beacons or similar C2 frameworks
  • Credential harvesting from the Confluence database (user password hashes)
  • Lateral movement using Confluence service account credentials

Discovery

The vulnerability was discovered and responsibly reported to Atlassian. Within 24 hours of Atlassian's January 16 advisory, GreyNoise and Rapid7 recorded hundreds of unique IP addresses attempting exploitation — confirming immediate mass scanning and exploitation campaigns by criminal and nation-state actors.

Exploitation Context

CVE-2023-22527 was rapidly incorporated by multiple threat actor categories:

  • Ransomware groups: Used as initial access for ransomware deployment, particularly targeting unpatched internet-facing Confluence instances
  • Cryptomining campaigns: Automated exploitation to deploy cryptocurrency miners
  • Nation-state actors: Targeted exploitation for espionage access to Confluence knowledge bases

The extremely short exploitation window — mass exploitation within 24 hours of disclosure — reflects Confluence's desirability as a target (source code, architecture documentation, credentials in wiki pages) and the trivial exploitation complexity (single unauthenticated POST request). Organizations running Confluence 8.x that hadn't patched by January 17, 2024 should treat their instances as potentially compromised.

Remediation

  1. Upgrade to Confluence 8.5.4 or later (for long-term supported 8.5.x) or 8.6.0+ immediately.
  2. If immediate upgrade is not possible: restrict internet access to Confluence completely — the unauthenticated attack vector means any internet-accessible Confluence 8.x is at risk.
  3. Organizations running vulnerable versions between January 16 and patch application should perform a forensic review: check for web shells, unexpected processes, new admin accounts, and evidence of lateral movement.
  4. Review Confluence access logs for POST requests to template-related endpoints from external IPs around the disclosure date.
  5. Audit Confluence for sensitive data that may have been exfiltrated: source code links, credentials stored in wiki pages, architecture diagrams — and rotate any credentials that were accessible via Confluence.
  6. Consider migrating to Confluence Cloud where patching is handled by Atlassian, eliminating the self-hosted patch lag that enabled this mass exploitation window.

Key Details

Property              Value
CVE ID                CVE-2023-22527
Vendor / Product      Atlassian — Confluence Data Center and Server
NVD Published         2024-01-16
NVD Last Modified     2025-10-24
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-74
CISA KEV Added        2024-01-24
CISA KEV Deadline     2024-02-14
Known Ransomware Use  ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2024-02-14. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2024-01-16   Atlassian publishes CVE-2023-22527 and patches
2024-01-17   Mass exploitation begins — GreyNoise records hundreds of unique IPs attempting exploitation within 24 hours
2024-01-24   CISA adds CVE-2023-22527 to the Known Exploited Vulnerabilities catalog
2024-02-14   CISA BOD 22-01 remediation deadline

References

Resource                                       Type
Atlassian Security Advisory — CVE-2023-22527   Vendor Advisory
NVD — CVE-2023-22527                           Vulnerability Database
CISA KEV Catalog Entry                         US Government