PatchDay Alert
Analysis · By The Commentary Desk

A new critical Confluence RCE stopped being news. That's the problem.

CVE-2022-26134, CVE-2023-22515, CVE-2023-22518, CVE-2023-22527: Atlassian Confluence Server and Data Center has been mass-exploited so many times that the headline repeats. If you run it on the internet, you're operating one of the most reliably targeted boxes there is.

There’s a grimly familiar rhythm to Atlassian Confluence security: a critical, usually unauthenticated, remote-code-execution bug drops; a proof-of-concept appears within days; mass scanning and exploitation follow within hours of that; ransomware and nation-state actors pile in. It has happened enough times that “new critical Confluence RCE” barely registers as news anymore, and that desensitization is itself the risk. The Known Exploited Vulnerabilities catalog holds a run of these: CVE-2022-26134, CVE-2023-22515, CVE-2023-22518, and CVE-2023-22527, plus older bugs like the pre-auth file read CVE-2021-26085. If you run Confluence Server or Data Center exposed to the internet, you’re operating one of the most reliably targeted applications in the catalog.

The run

  • CVE-2022-26134 (OGNL injection, unauth RCE, CVSS 9.8). Volexity found it as a zero-day in June 2022. Confluence’s use of the Object-Graph Navigation Language let an attacker inject an expression that executed code. Mass exploitation was near-immediate, by everyone from cryptominers to Cl0p.
  • CVE-2023-22515 (broken access control). In October 2023, attackers, including the China-linked Storm-0062, abused it to create unauthorized administrator accounts, a path to full control, with the Effluence backdoor observed for persistence.
  • CVE-2023-22518 (improper authorization). Disclosed November 2023, it allowed unauthenticated attackers to reset/destroy Confluence data and, in chained use, achieve more; the Cerber ransomware operation jumped on it.
  • CVE-2023-22527 (template/OGNL injection, CVSS 10, unauth RCE). In January 2024, Shadowserver reported tens of thousands of exploitation attempts from hundreds of IPs within days of disclosure.

Read together, the throughline is clear: Confluence’s expression-language and access-control handling has been a recurring source of unauthenticated, high-severity bugs, and the time from disclosure to mass exploitation is consistently measured in hours to days.

Why it keeps happening, and what to take from it

Two factors compound. First, Confluence is a high-value target: it’s a knowledge base that organizations fill with internal documentation, credentials, architecture diagrams, and runbooks, often the exact information an attacker wants, and it frequently sits internet-facing for remote staff. Second, the on-premise Server and Data Center products carry a complex, OGNL-heavy codebase where expression-injection bugs keep surfacing. The combination, valuable data plus a bug-prone exposed app, is why it draws sustained attention.

The takeaway isn’t to track each CVE as a surprise; it’s to treat Confluence as a known repeat target and posture accordingly:

  • If it’s internet-facing, that’s the first thing to fix. The single highest-value control is to not expose Confluence Server/Data Center directly to the internet. Put it behind VPN or SSO-enforced access. Most of the mass-exploitation events hit publicly reachable instances.
  • Patch on an emergency cadence, not a maintenance window. Given the disclosure-to-exploitation speed, Confluence updates should be treated like perimeter-device patches: apply immediately, and watch Atlassian’s advisories actively.
  • Consider the migration question. Atlassian ended sales of new Server licenses and is steering customers to Cloud or Data Center. For organizations that can move to Cloud, that shifts this patching burden to the vendor; for those staying on Data Center, the emergency-patch discipline is non-negotiable.
  • Assume compromise on any instance that was exposed and behind on patches. Across these CVEs the post-exploitation included web shells, rogue admin accounts, the Effluence backdoor, and ransomware. Hunt for unexpected admin accounts, unfamiliar plugins/web shells, and the Confluence process spawning shells, and rotate credentials the instance held.
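A starting point for the last hunt item, the Confluence process spawning shells, as an added example that is not the article's own tooling: it parses a `ps -eo pid,ppid,user,comm,args --no-headers` snapshot (the embedded one is constructed), identifies the Confluence JVM by an assumed heuristic on its command line, and reports every shell or interpreter that has that JVM as an ancestor.

```python
# Flag shells descended from the Confluence JVM. Input: `ps -eo pid,ppid,user,comm,args --no-headers`.
# Added example; SAMPLE below is a constructed snapshot, not data from a real host.

SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "python3", "perl"}

def parse_ps(snapshot: str) -> dict[int, dict]:
    """Map pid -> {ppid, user, comm, args}; args is empty for kernel threads."""
    procs: dict[int, dict] = {}
    for line in snapshot.strip().splitlines():
        f = line.split(None, 4)
        if len(f) < 4:
            continue
        procs[int(f[0])] = {"ppid": int(f[1]), "user": f[2], "comm": f[3],
                            "args": f[4] if len(f) == 5 else ""}
    return procs

def is_confluence_jvm(p: dict) -> bool:
    # Heuristic (assumption): the Confluence JVM carries "confluence" in its command
    # line, e.g. -Dconfluence.home=... or an /opt/atlassian/confluence install path.
    return p["comm"] == "java" and "confluence" in p["args"].lower()

def shells_under_confluence(procs: dict[int, dict]) -> list[tuple[int, list[str]]]:
    """(pid, ancestry chain) for every shell whose ancestors include the Confluence JVM."""
    hits = []
    for pid, p in procs.items():
        if p["comm"] not in SHELLS:
            continue
        chain, cur_pid, seen = [f"{pid}:{p['comm']}"], pid, {pid}
        while procs[cur_pid]["ppid"] in procs and procs[cur_pid]["ppid"] not in seen:
            cur_pid = procs[cur_pid]["ppid"]      # walk one level up; seen guards cycles
            seen.add(cur_pid)
            cur = procs[cur_pid]
            chain.append(f"{cur_pid}:{cur['comm']}")
            if is_confluence_jvm(cur):
                hits.append((pid, chain))
                break
    return sorted(hits)

SAMPLE = """\
    1     0 root       systemd /sbin/init
  812     1 confluence java    /opt/atlassian/confluence/jre/bin/java -Dconfluence.home=/var/atlassian/application-data/confluence org.apache.catalina.startup.Bootstrap start
  901   812 confluence sh      /bin/sh -c id
  902   901 confluence id      id
  950     1 root       sshd    /usr/sbin/sshd -D
  960   950 ops        bash    -bash
"""

if __name__ == "__main__":
    for pid, chain in shells_under_confluence(parse_ps(SAMPLE)):
        print(f"suspicious shell pid {pid}: {' <- '.join(chain)}")
```

Expect some legitimate children on a real host (backup or plugin scripts), so compare against a baseline taken from a known-good instance rather than treating every hit as a compromise.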

The reframe is to stop being surprised. When a product has been mass-exploited four times in two years through the same general weakness, the rational response isn’t to react to each new CVE from scratch; it’s to assume the next one is coming and make sure your Confluence isn’t sitting on the internet waiting for it. Get it behind access controls, patch it like it’s under attack (because it periodically is), and decide deliberately whether you should still be running the on-prem product at all. We track the Confluence entries as one ongoing story, because that’s exactly how the attackers treat it.
