A hardcoded credentials vulnerability was found in the Questions for Confluence app and is under active exploitation. The vulnerability allows remote, unauthenticated attackers who know the hardcoded password for specific accounts in the app to gain access to non-restricted pages in Confluence.
Rapid7 observed CVE-2022-26138 under active exploitation. It affects several on-premises Confluence products, including:
Atlassian patched the vulnerability last week, and it was not being exploited by attackers at that time. However, once the hardcoded password was released on social media, attackers quickly sprang into action. Although the vulnerability only exists when the Questions for Confluence app is enabled on the affected versions, we urge you to patch immediately. See the affected versions below:
According to Rapid7, if an attacker successfully exploits CVE-2022-26138, they will be able to create a user account with a hardcoded password and add the account to a user group, allowing access to all non-restricted pages in Confluence. Ultimately, the attacker will be able to browse an organization's Confluence content.
Please keep in mind that although the vulnerability stems from the disabledsystemuser account, which helps administrators migrate data from the app to Confluence Cloud, CVE-2022-26138 does not affect Confluence Cloud instances. If your organization uses on-premises Confluence, following Atlassian's guidance on patching is the best option.
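As an added example (not code from the advisory, Rapid7 or Atlassian), the following Python hunts a Confluence access log for requests authenticated as the disabledsystemuser account and tallies them per source IP, so the sources can be compared against Atlassian's published indicators. The log format and the sample lines are constructed; adjust LOG_RE to your own deployment's access log pattern.

```python
"""Hunt Confluence access logs for activity by the 'disabledsystemuser' account."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

SUSPECT_USER = "disabledsystemuser"  # account named in the advisory

# Assumed Tomcat-style format (not Atlassian's documented default):
# <client ip> <request id> <username> [<timestamp>] "<request>" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample lines; RFC 5737 documentation addresses, not real IOCs.
SAMPLE_LOG = [
    '203.0.113.5 1658484000x1 alice [22/Jul/2022:10:00:01 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200',
    '198.51.100.7 1658484002x2 disabledsystemuser [22/Jul/2022:10:00:02 +0000] "POST /dologin.action HTTP/1.1" 302',
    '198.51.100.7 1658484003x3 disabledsystemuser [22/Jul/2022:10:00:03 +0000] "GET /rest/api/content?limit=100 HTTP/1.1" 200',
    '203.0.113.5 1658484004x4 - [22/Jul/2022:10:00:04 +0000] "GET /login.action HTTP/1.1" 200',
    'malformed line that the parser must skip',
    '198.51.100.9 1658484005x5 disabledsystemuser [22/Jul/2022:10:00:05 +0000] "GET /rest/api/search?cql=type=page HTTP/1.1" 200',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access log line; return None for lines that do not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_suspect_activity(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return parsed entries whose authenticated user is the suspect account."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and entry["user"] == SUSPECT_USER:
            hits.append(entry)
    return hits


def summarize_by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count suspect requests per client IP for comparison with the published IOC list."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    found = find_suspect_activity(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {h["req"]}')
    print(summarize_by_source(found))
```

Any hit at all warrants follow-up, since the account is meant to be disabled; a 302 on /dologin.action for it indicates a successful authentication.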
INDICATORS OF COMPROMISE (IOCs):
According to Atlassian, the following have been identified as sources of malicious activity: