CISA has added a critical Confluence vulnerability tracked as CVE-2022-26138 to its list of bugs abused in the wild, a flaw that lets remote attackers log into vulnerable servers using hardcoded credentials.
As Australian software firm Atlassian revealed last week, unpatched versions of the Questions for Confluence app (installed on more than 8,000 servers) create an account with hardcoded credentials.
One day after patching the vulnerability, the company notified admins to fix their servers immediately, after the hardcoded password had been found and shared online.
“This issue is likely to be exploited in the wild now that the hardcoded password is publicly known,” Atlassian warned, saying that threat actors could use the hardcoded credentials to log into vulnerable Confluence Server and Data Center servers.
Today, CISA added CVE-2022-26138 to its catalog of Known Exploited Vulnerabilities (KEV) based on evidence of active exploitation.
Cybersecurity firm Rapid7 also published a report Wednesday warning the security flaw is now actively exploited in the wild but did not share any information on the attacks or indicators of compromise collected while investigating them.
“Unsurprisingly, it didn’t take long for Rapid7 to observe exploitation once the hardcoded credentials were released, given the high value of Confluence for attackers who often jump on Confluence vulnerabilities to execute ransomware attacks,” Rapid7’s Glenn Thorpe said.
Federal agencies given three weeks to secure servers
As the binding operational directive (BOD 22-01) issued in November says, all Federal Civilian Executive Branch (FCEB) agencies have to secure their systems against bugs added to CISA’s catalog of Known Exploited Vulnerabilities (KEV).
The cybersecurity agency has also given federal agencies three weeks (until August 19) to patch servers and block attacks targeting their networks.
Even though the BOD 22-01 directive only applies to US federal agencies, CISA also “strongly urges” organizations across the country to fix this flaw to thwart attacks against vulnerable Confluence servers.
“These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise,” the US cybersecurity agency added Friday.
Since this directive was issued, CISA has added hundreds of security bugs to its catalog of bugs exploited in attacks, ordering federal agencies to patch vulnerable systems as soon as possible to prevent breaches.
Securing Confluence servers is particularly important given that they’re attractive targets, as demonstrated by previous attacks with AvosLocker and Cerber2021 ransomware, Linux botnet malware, and crypto miners.