Urgent Vulnerability Notice: Atlassian Confluence Critical Hardcoded Password Vulnerability Under Active Exploitation

By Michelle Drolet

Founder & CEO


What You Need to Know:

A hardcoded-credentials vulnerability in the Questions for Confluence app is under active exploitation. When the app is enabled it creates a Confluence user account with a fixed password, and that password is now public. A remote attacker who knows it can log in as that account and read every non-restricted page in the Confluence instance.

Rapid7 has observed CVE-2022-26138 under active exploitation. It affects the on-premises Confluence products on which the app can be installed:

  • Confluence Server
  • Confluence Data Center

Atlassian patched the vulnerability last week, at which point no exploitation had been seen. Once the hardcoded password was posted on social media, attackers moved quickly. The vulnerability exists only when the Questions for Confluence app has been enabled on one of the affected versions below, but because the password is now public we urge you to patch immediately. Affected versions:

  • Questions for Confluence 2.7.x: 2.7.34, 2.7.35
  • Questions for Confluence 3.0.x: 3.0.2

As Atlassian's advisory and Rapid7's analysis describe it, enabling an affected version of the app creates a Confluence user account with the hardcoded password and adds it to the confluence-users group, which by default may view and edit all non-restricted pages. An attacker exploiting CVE-2022-26138 therefore does not need to create anything: they log in as that account and can browse the organization's Confluence content.

Note that although the vulnerability stems from the disabledsystemuser account, which exists to help administrators migrate data from the app to Confluence Cloud, CVE-2022-26138 does not affect Confluence Cloud itself. If your organization runs on-premises Confluence, following Atlassian's patching guidance is the best option.


Towerwall Recommendations:

  • Simply uninstalling the app does not remediate the flaw: the disabledsystemuser account is not removed when the app is uninstalled, so it remains usable. Towerwall recommends that organizations immediately follow Atlassian's patching and mitigation guidance in the security advisory for CVE-2022-26138: update Questions for Confluence to a fixed version (2.7.38 or 3.0.5) or, if you cannot update yet, disable or delete the disabledsystemuser account.
  • Atlassian's advisory also has an "Evidence of Exploitation" section describing how to determine whether anyone has used the account. At a minimum, check the account's last authentication time: if it is empty, the account exists but nobody has ever logged in with it.

Indicators of Compromise (IoCs):

According to Atlassian, the account in question has the following attributes. Any authentication as this user, or any activity attributed to it, should be treated as evidence of exploitation:

  • Username: disabledsystemuser
  • Email address: dontdeletethisuser@email[.]com
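As an added example, not part of Towerwall's or Atlassian's guidance, the following Python script shows one way to hunt for the IoC above in Confluence access logs. It assumes the lines follow Confluence's default Tomcat AccessLogValve pattern (timestamp, authenticated username taken from the X-AUSERNAME response header or "-" for anonymous, thread name, client IP, request line, status, duration, bytes, referer, user agent); verify that against your own conf/server.xml before relying on the regex. The sample log lines are constructed for the example, not real traffic.

```python
import re
from collections import defaultdict

# Indicator from Atlassian's advisory: the account the app creates.
IOC_USERNAME = "disabledsystemuser"

# Assumed log format (verify against your conf/server.xml): Confluence's default
# AccessLogValve pattern "%t %{X-AUSERNAME}o %I %h %r %s %Dms %b %{Referer}i %{User-Agent}i".
# If Confluence sits behind a reverse proxy, %h is the proxy's address unless the
# proxy's X-Forwarded-For value is being logged instead; adjust the "ip" field accordingly.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+"                              # %t  timestamp
    r"(?P<user>\S+)\s+"                                    # authenticated user or "-"
    r"(?P<thread>\S+)\s+"                                  # %I  thread name
    r"(?P<ip>\S+)\s+"                                      # %h  client address
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>\S+)\s+"  # %r  request line
    r"(?P<status>\d{3})\s+"                                # %s  status
    r"(?P<ms>\d+)ms\s+"                                    # %D  duration
    r"(?P<bytes>\S+)"                                      # %b  bytes or "-"
)

# Constructed sample lines (not real logs): one anonymous request, a login and a
# REST content dump as the IoC account from one IP, a normal user, and a second
# IP touching the dashboard as the IoC account.
SAMPLE_LOG = """\
[21/Jul/2022:10:01:05 +0000] - http-nio-8090-exec-3 203.0.113.7 GET /login.action HTTP/1.1 200 12ms 5120 - Mozilla/5.0
[21/Jul/2022:10:01:09 +0000] disabledsystemuser http-nio-8090-exec-4 203.0.113.7 POST /dologin.action HTTP/1.1 302 87ms - - Mozilla/5.0
[21/Jul/2022:10:01:12 +0000] disabledsystemuser http-nio-8090-exec-4 203.0.113.7 GET /rest/api/content?limit=100 HTTP/1.1 200 230ms 40960 - python-requests/2.28.1
[21/Jul/2022:10:05:44 +0000] alice http-nio-8090-exec-6 192.0.2.15 GET /pages/viewpage.action?pageId=1234 HTTP/1.1 200 44ms 9001 - Mozilla/5.0
[21/Jul/2022:11:30:00 +0000] disabledsystemuser http-nio-8090-exec-2 198.51.100.23 GET /dashboard.action HTTP/1.1 200 61ms 7000 - curl/7.85.0
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the assumed format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_ioc_activity(log_text, ioc_user=IOC_USERNAME):
    """Return (hits, unparsed): every request authenticated as the IoC account,
    plus a count of lines that did not parse, so a format mismatch is not silently
    mistaken for 'no activity'."""
    hits, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["user"] == ioc_user:
            hits.append(rec)
    return hits, unparsed


def summarize_by_source(hits):
    """Group IoC hits by client IP: first timestamp seen, request count, and
    successful form logins (POST /dologin.action answered with a 302 redirect)."""
    summary = defaultdict(lambda: {"first_seen": None, "requests": 0, "logins": 0})
    for rec in hits:
        s = summary[rec["ip"]]
        if s["first_seen"] is None:
            s["first_seen"] = rec["ts"]
        s["requests"] += 1
        if rec["method"] == "POST" and rec["path"].startswith("/dologin.action") and rec["status"] == "302":
            s["logins"] += 1
    return dict(summary)


if __name__ == "__main__":
    hits, unparsed = find_ioc_activity(SAMPLE_LOG)
    print(f"{len(hits)} request(s) as {IOC_USERNAME}, {unparsed} unparseable line(s)")
    for ip, s in summarize_by_source(hits).items():
        print(f"  {ip}: first seen {s['first_seen']}, {s['requests']} request(s), {s['logins']} login(s)")
```

Run it against your real access logs by replacing SAMPLE_LOG with the file contents; a non-zero unparsed count means the log pattern differs from the assumed one and the regex needs adjusting before the absence of hits means anything. Any hit at all, including an anonymous-looking request immediately followed by a login as the account, is the "evidence of exploitation" Atlassian's guidance asks you to look for.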


If you have any questions about this vulnerability or your information security needs, please contact me directly at 774-204-0700.