CVE-2022-26134: Zero-day remote code execution vulnerability affecting Confluence Server and Data Center

Eli Cyber Security
Jun 3, 2022

Information security specialists at Volexity have discovered a remote code execution (RCE) vulnerability that resides in the latest, fully patched versions of the Atlassian Confluence Server. The flaw is tracked as CVE-2022-26134 and has already been reported to the company.

The researchers described it as a zero-day flaw in Confluence Server and Data Center. Volexity does not plan to publish its proof of concept (PoC), as Atlassian has not issued an official patch yet. The flaw was discovered when researchers identified suspicious activity on their Atlassian Confluence servers; they were able to verify that the flaw exists because a threat actor had launched an RCE exploit against their infrastructure.

In continuing its investigation, Volexity identified bash shells launched from Confluence’s web application processes: “We believe that the attacker launched a single exploit attempt on each of the Confluence server systems, which in turn loaded a malicious class file into memory. This allowed the threat actor to effectively have a webshell that they could interact with through subsequent requests.”

A successful attack would give actors access to the affected server and let them execute commands without placing a backdoor on the compromised system's disk or re-running the exploit whenever they wish to access the target system.

At the moment there is no list of all affected versions of Confluence Server, although the researchers state that the flaw can be exploited even in implementations with the latest patches installed. Simply put, it is likely that all versions of Confluence Server in use can be exploited.

Successful attacks would allow hackers to deploy an in-memory copy of the BEHINDER implant, gaining memory-only webshells and built-in support for interaction with tools such as Meterpreter and Cobalt Strike. This is a functional attack method that does not require writing files to the target disk. It also does not allow persistence, so restarting the system will remove any traces of the attack.

When the BEHINDER implant is deployed, threat actors use the in-memory webshell to deploy two additional webshells to disk.

Active security risk

As mentioned above, the vulnerabilities have not been fixed by Atlassian, so administrators of affected deployments are advised to consider some alternative security measures. Volexity’s recommendations include:

  • Restrict access to Confluence Server and Data Center instances from the Internet
  • Disable Confluence Server and Data Center instances

Users who cannot apply any of these recommendations should implement a Web Application Firewall (WAF) rule to block URLs containing the characters ${, which should reduce the risk of attack.

In addition to these recommendations, Atlassian Confluence administrators can apply the following actions:

  • Block external access to Confluence Server and Data Center systems
  • Verify that Internet-facing web services have robust monitoring capabilities and log retention policies
  • Send relevant log files from Internet-connected web servers to a SIEM or Syslog server
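
The ${ check from the WAF recommendation above can also be run over retained access logs, which is where the monitoring and log-forwarding advice pays off. The following is an added example, not code from Volexity, Atlassian or the original article; it assumes combined-format access logs and normalises percent-encoding before matching, and the function names, IP addresses and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request field of a common/combined access log line: "METHOD URI PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
MAX_DECODE_ROUNDS = 3  # assumption: bound on nested percent-encoding to unwrap


def uri_has_expression_marker(uri: str) -> bool:
    """True if the URI contains '${' literally or after percent-decoding."""
    current = uri
    for _ in range(MAX_DECODE_ROUNDS + 1):
        if "${" in current:
            return True
        decoded = unquote(current)
        if decoded == current:  # nothing left to decode
            return False
        current = decoded
    return False


def flag_suspicious_requests(log_lines):
    """Return (source_ip, uri) for each request whose URI carries '${'."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match and uri_has_expression_marker(match.group("uri")):
            hits.append((line.split(" ", 1)[0], match.group("uri")))
    return hits


# Constructed sample lines: documentation IP ranges, placeholder expression.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Jun/2022:10:01:02 +0000] "GET /dashboard.action HTTP/1.1" 200 5120',
    '203.0.113.9 - - [03/Jun/2022:10:01:05 +0000] "GET /${placeholder}/ HTTP/1.1" 404 0',
    '203.0.113.9 - - [03/Jun/2022:10:01:09 +0000] "GET /%24%7Bplaceholder%7D/ HTTP/1.1" 404 0',
    '203.0.113.9 - - [03/Jun/2022:10:01:12 +0000] "GET /%2524%257Bplaceholder%257D/ HTTP/1.1" 404 0',
    '198.51.100.7 - - [03/Jun/2022:10:02:00 +0000] "GET /pages/viewpage.action?price=$5 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, uri in flag_suspicious_requests(SAMPLE_LOG):
        print(f"{ip} requested {uri}")
```

A hit is a lead for investigation rather than proof of compromise; the same normalise-then-match logic applies to the WAF rule itself.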

Originally published at on June 3, 2022.