Zero-day Atlassian Confluence Vulnerability Being Actively Exploited by Multiple Threat Actors

A critical Atlassian Confluence zero-day vulnerability is being actively exploited by multiple threat actors. At present, there is no patch available to fix the flaw. The vulnerability is tracked as CVE-2022-26134 and is a remote code execution vulnerability that affects all versions of Confluence Server and Data Center. The vulnerability does not affect Atlassian Cloud.

Atlassian said it is aware that the vulnerability is being exploited on Confluence Server 7.18.0, most likely by threat actors based in China. Atlassian is currently working on a patch to fix the vulnerability and expects to release it on Friday, June 3, 2022.

Since there is currently no patch available, the only ways of mitigating the flaw are to either disconnect Confluence Server and Data Center from the Internet or to disable Confluence Server and Data Cent instances, which could cause disruption for remote workers.

The vulnerability was discovered over the Memorial Day weekend by the cybersecurity firm Volexity whilst conducting incident response. Volexity disclosed the vulnerability to Atlassian on May 31, 2022, after reproducing the exploit against the current Confluence Server version. In the attack identified by Volexity, the vulnerability was exploited to install the BEHINDER JSP web shell, which allowed the attackers to remotely execute commands on the compromised server.

BEHINDER was used to install the China Chopper web shell and a file upload tool. The attackers executed a variety of commands on the compromised server to perform reconnaissance and access Confluence databases. They also performed actions to delete traces of the malicious activity, including removing access logs and other evidence of the compromise.

“BEHINDER provides very powerful capabilities to attackers, including memory-only web shells and built-in support for interaction with Meterpreter and Cobalt Strike,” explained Volexity. Volexity has published indicators of compromise (IoC) and other information that can be used by security teams to identify and block exploitation of the vulnerability.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of