A new Atlassian Confluence zero-day vulnerability, known as CVE-2022-26134, is actively exploited by hackers to install web shells.
A security update released by Atlassian described the vulnerability as a critical, unauthorized RCE bug that was detected in both the Confluence Server and the Data Center.
The bug has been confirmed in Confluence Server 7.18.0. Confluence Server and Data Center 7.4.0 and higher are also vulnerable.
Atlassian is working on a patch to fix the vulnerability, but the company has advised customers to make their servers inaccessible. To do this, the company recommended users use one of two methods, which include restricting Confluences Server and Data Center instances from the internet or disabling Confluence Server and Data Center instances.
The vulnerability was discovered by researchers from the cybersecurity firm Volexity. The breach analyzed by Volexity saw threat actors install BEHINDER, a JSP web shell that allows them to remotely execute commands on the compromised server.
Since no patches are available, Volexity advise Confluence admins to disconnect their servers from the internet until Atlassian release releases a fix to address the vulnerability.
The sources for the flaw include an article in BleepingComputer.