Atlassian customers are being urged to immediately update their on-premises Confluence Server and Data Center products to fix a critical vulnerability that lets an unauthenticated user inject code to steal data, deploy malware and escalate privileges.

Confluence is enterprise software used by teams to manage and collaborate on projects. It can be licensed either in the cloud or on-premises. The vulnerability, named CVE-2021-26084, does not affect Confluence Cloud customers.

Sydney, Australia-headquartered Atlassian made its security advisory public on 25 August. Since then, cybersecurity experts have seen the Confluence vulnerability being exploited in the wild, including the deployment of cryptocurrency mining malware. Threat intelligence firm Bad Packets said it has “detected mass scanning and exploit activity” against Confluence from hosts in Brazil, China, Hong Kong, Nepal, Romania, Russia and the US.

On Friday, US Cyber Command said “mass exploitation” of the Atlassian Confluence vulnerability is “ongoing and expected to accelerate”.

The cybersecurity agency added: “Please patch immediately if you haven’t already – this cannot wait until after the weekend.”

The US Cybersecurity and Infrastructure Security Agency (CISA) echoed the message in an advisory, urging IT teams to “immediately apply the necessary updates”.

The vulnerability affects Confluence Server and Data Center versions before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.

Atlassian has recommended that customers running an affected version upgrade to version 7.13.0 (LTS) or higher.

Those unable to upgrade immediately can run a temporary mitigation script for Windows or Linux operating systems.
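As an added example (not Atlassian's tooling or a script from the article), the version ranges quoted above can be turned into an inventory check: given a list of hosts and the Confluence version each reports, it flags which ones fall inside an affected range and which are at or past the fixed release. The range boundaries are copied from the text; the host names and helper names are constructed for illustration.

```python
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory summary: (lower inclusive, upper exclusive).
# A lower bound of None means "every version below the upper bound".
AFFECTED_RANGES: List[Tuple[Optional[Version], Version]] = [
    (None, (6, 13, 23)),          # all versions before 6.13.23
    ((6, 14, 0), (7, 4, 11)),     # 6.14.0 up to but not including 7.4.11
    ((7, 5, 0), (7, 11, 6)),      # 7.5.0 up to but not including 7.11.6
    ((7, 12, 0), (7, 12, 5)),     # 7.12.0 up to but not including 7.12.5
]

RECOMMENDED_UPGRADE: Version = (7, 13, 0)  # LTS release Atlassian recommends


def parse_version(text: str) -> Version:
    """Turn a string such as '7.4.11' into (7, 4, 11); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def is_affected(version_text: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version_text)
    for lower, upper in AFFECTED_RANGES:
        if (lower is None or v >= lower) and v < upper:
            return True
    return False


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify (host, version) pairs as 'affected', 'not affected' or 'unknown'.

    Malformed version strings are reported as 'unknown' rather than silently
    treated as safe, so they still get looked at by a human.
    """
    results = []
    for host, version_text in inventory:
        try:
            status = "affected" if is_affected(version_text) else "not affected"
        except ValueError:
            status = "unknown"
        results.append((host, version_text, status))
    return results


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("wiki-a", "6.13.22"), ("wiki-b", "7.4.11"), ("wiki-c", "7.13.0"), ("wiki-d", "n/a")]
    for row in triage(sample):
        print("%-8s %-8s %s" % row)
```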

Jarno Niemela, principal researcher at F-Secure, told Verdict that successful exploitation of the vulnerability would allow the attacker to “in theory” do everything that the compromised server can.

That includes “stealing all content from said server, laterally moving from the server with traditional network hacking, phishing passwords from users, or laterally moving by fooling users to execute content. Or anything else the attacker has the skills and tools for.”

Initially, Atlassian said the vulnerability was only exploitable by authenticated users. It has since said that this is incorrect and that a valid account is not needed to exploit the security flaw.

“There is no way to put this lightly: this is bad,” wrote Mark Ellzey, senior security researcher at Censys, in a blog post.

According to Censys, the number of vulnerable Confluence instances has been on the decline – but there are still a large number open to attack.

“Over the last few days, Censys observed the number of vulnerable Confluence instances drop from 11,689 to 8,597 – a 3,092 difference since 2 September, and a total of 5,965 since the vulnerability was made public on 25 August,” the company said.

Atlassian said it was an Object-Graph Navigation Language (OGNL) injection vulnerability that “would allow an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance”.

Censys added that it is the “same class of vulnerability” used in the Equifax breach in 2017, which resulted in hackers stealing over 146 million customer records from the credit score company.

The Atlassian Confluence vulnerability was discovered by security researcher Benny Jacob, also known as ‘SnowyOwl’, via the company’s bug bounty programme.

Joseph Carson, chief security scientist at ThycoticCentrify, told Verdict that “today is probably a good time to stop and check your patch status”.

He added: “Privilege compromise is an extremely severe security issue; it should be a top priority to patch vulnerable systems, take privileged access seriously and apply the principle of least privilege with a strong privileged access management solution.”