CVE-2023-22515: The Confluence Flaw That Hands Attackers the Keys to Your Kingdom

Atlassian confirmed that the flaw was being exploited in the wild prior to the patch being available, making this a true zero-day. The company also noted the involvement of a "known nation-state actor," though the specific group has not been publicly identified. CISA subsequently confirmed that the vulnerability is known to be used in ransomware campaigns, dramatically expanding the threat landscape beyond targeted espionage to include financially motivated cybercriminals. Importantly, Atlassian Cloud instances (those accessed via atlassian.net domains) are not affected — this vulnerability only impacts self-hosted Confluence Data Center and Server deployments.

Understanding the Vulnerability

At its core, CVE-2023-22515 is a broken access control vulnerability. When Atlassian Confluence is first installed, it goes through a setup wizard that allows an administrator to configure the application, including creating the first administrator account. This process is handled by a series of endpoints under the /setup/ path, most critically /setup/setupadministrator.action.

In a properly secured application, these setup endpoints should be permanently disabled or locked down after the initial configuration is complete. However, in affected versions of Confluence Data Center and Server (8.0.0 through 8.5.1), these endpoints remain accessible to unauthenticated users — even on a fully configured, production instance that has been running for months or years.

The Attack Chain

The exploitation of this vulnerability is alarmingly straightforward, which is why researchers and analysts consistently describe its exploitability as trivial:

1. Reconnaissance: The attacker identifies a publicly accessible Confluence Data Center or Server instance running a vulnerable version (8.0.0 through 8.5.1). This can be done through simple internet scanning using tools like Shodan or Censys.
2. Exploitation: The attacker sends a crafted HTTP POST request to the unprotected setup endpoint at /setup/setupadministrator.action. This request contains the details for a new user account — a username, password, and email address of the attacker's choosing.
3. Privilege Escalation: The Confluence application processes this request as if it were a legitimate part of the initial setup process. It creates the new user account and adds it to the confluence-administrators group, granting it full administrative privileges.
4. Takeover: The attacker uses the newly created administrator credentials to log into the Confluence instance. At this point, they have complete and persistent control over the entire platform — every space, every page, every attachment, every user credential, and every configuration setting.

No authentication is required. No user interaction is needed. No special conditions beyond network accessibility must be met. The entire attack can be automated and executed in seconds.

Root Cause

The root cause is an improper access control mechanism on the /setup/* endpoints. These endpoints, intended exclusively for the initial product setup workflow, were not adequately restricted to prevent access after the setup had been completed. This is classified under CWE-20 (Improper Input Validation) by CISA, while other analysts have mapped it to CWE-284 (Improper Access Control) and CWE-288 (Authentication Bypass Using an Alternate Path or Channel). Regardless of the specific CWE classification, the fundamental problem is the same: a critical administrative function was left exposed to the unauthenticated internet.

Who Is Affected

Key points about scope:

• Versions prior to 8.0.0 are NOT affected. If you are running Confluence 7.x or earlier, you are not vulnerable to this specific flaw.
• Atlassian Cloud instances are NOT affected. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable.
• The vulnerability affects both Confluence Data Center and Confluence Server products across a wide range of versions spanning from 8.0.0 to 8.5.1.

Atlassian Confluence is one of the most popular enterprise wiki and collaboration platforms in the world, used by tens of thousands of organizations — from Fortune 500 companies to government agencies to small businesses — to store internal documentation, project plans, technical specifications, HR policies, and other sensitive corporate knowledge. Many of these instances are accessible from the public internet to support distributed and remote workforces, making them prime targets for this type of attack.

Real-World Risk

Active Exploitation Confirmed

This is not a theoretical vulnerability. Atlassian confirmed that the flaw was being actively exploited in the wild before the patch was released on October 4, 2023, making it a zero-day at the time of disclosure. The company specifically noted the involvement of a "known nation-state actor," though the specific threat group has not been publicly attributed.

On October 5, 2023 — just one day after public disclosure — CISA added CVE-2023-22515 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation and mandating that federal agencies remediate the vulnerability. CISA further confirmed that the vulnerability is known to be used in ransomware campaigns, meaning financially motivated threat actors have added this exploit to their arsenal alongside nation-state operators.

CVSS 10.0 — Maximum Severity

The vulnerability carries the maximum possible CVSS v3 base score of 10.0, with a vector string of CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. Breaking this down:

• Attack Vector: Network — exploitable remotely over the internet
• Attack Complexity: Low — no special conditions or race conditions required
• Privileges Required: None — completely unauthenticated
• User Interaction: None — no victim action needed
• Scope: Changed — the compromise extends beyond the vulnerable component
• Confidentiality, Integrity, Availability Impact: High — total compromise across all three pillars

What Attackers Can Do

Once an attacker has created an unauthorized administrator account, the consequences are severe and wide-ranging:

• Complete Data Exfiltration: Access to every page, space, attachment, and comment in the Confluence instance. This often includes intellectual property, strategic plans, technical documentation, API keys, credentials, and Personally Identifiable Information (PII).
• Malicious Plugin Installation: Administrators can install Confluence plugins, which execute with server-level privileges. Attackers can use this to deploy webshells, backdoors, cryptominers, or ransomware directly on the server.
• Credential Harvesting: Access to user account information, session data, and any credentials stored within Confluence pages (a disturbingly common practice in many organizations).
• Lateral Movement: A compromised Confluence server, which typically has network connectivity to internal databases, authentication systems, and other enterprise infrastructure, provides an ideal pivot point for moving deeper into the corporate network.
• Persistent Access: Even after the vulnerability is patched, any administrator accounts created by attackers remain active. Upgrading does not remove a compromise that has already occurred.
• Denial of Service: User reports from the Atlassian Jira tracker indicate that repeated exploitation attempts — even unsuccessful ones — can cause the Confluence instance to become unstable, redirecting users to a finishsetup.action page and effectively rendering the platform unusable until restarted.

What You Should Do

1. Upgrade Immediately (Highest Priority)

The only complete remediation for CVE-2023-22515 is upgrading to a patched version of Confluence Data Center or Server:

• 8.3.3 or later (for the 8.3.x branch)
• 8.4.3 or later (for the 8.4.x branch)
• 8.5.2 or later (Long Term Support release, recommended)

Patched versions were released on October 3-4, 2023, and are available from the Atlassian Confluence download archives (https://www.atlassian.com/software/confluence/download-archives).

2. Apply Workarounds If You Cannot Patch Immediately

If an immediate upgrade is not possible, apply one or more of the following workarounds:

Option A: Restrict External Network Access (Most Effective)

Block all external network access to your Confluence instance until the upgrade can be completed. This is the most effective interim mitigation, as it eliminates the attack surface entirely. The obvious trade-off is that legitimate external users will lose access.

Option B: Block Access to /setup/* Endpoints

If the instance must remain publicly accessible, block requests to the /setup/* URL path. This can be done at the network layer using a Web Application Firewall (WAF) or reverse proxy rule, or by modifying the Confluence application configuration directly.

To apply the web.xml workaround, edit the file at <confluence-install-dir>/confluence/WEB-INF/web.xml on each node in your deployment and add the following security constraint just before the closing </web-app> tag:

After saving the file, restart the Confluence service on each node.

Important caveats about this workaround:

• This workaround is partial. It prevents the creation of an administrator account but does not prevent attackers from making continuous exploitation attempts, which user reports on the Atlassian Jira tracker confirm can cause a Denial of Service (DoS) condition.
• It also blocks legitimate setup actions, such as initial setup or migration between deployment types.
• It is not a substitute for upgrading.

Option C: Additionally Block /server-info.action

Based on user reports from active exploitation incidents documented in the Atlassian Jira ticket (CONFSERVER-92475), it is also recommended to block access to /server-info.action at a reverse proxy or network firewall level as a supplementary hardening measure.

3. Hunt for Indicators of Compromise

This step is critical regardless of whether you have already patched. If your Confluence instance was publicly accessible at any point while running a vulnerable version, you must assume potential compromise and investigate. Remember: upgrading does not remove an attacker's existing access.

Check for these Indicators of Compromise (IoCs):

• Unexpected or newly created user accounts, especially those in the confluence-administrators group
• Unknown or unexpected members added to the confluence-administrators group
• Unknown or newly installed Confluence plugins or add-ons
• Unexpected changes to Confluence content or configuration settings
• Unauthorized emails being sent from the Confluence instance to internal personnel

Review these log sources:

• Network access logs (Apache, Nginx, reverse proxy, load balancer, or Tomcat access logs): Search for any requests to /setup/*.action from untrusted or unexpected IP addresses.
• Confluence security logs: Check the atlassian-confluence-security.log file in the Confluence home directory for exception messages related to the exploit. A telltale entry indicating an exploitation attempt looks like:

This specific log message indicates that an attacker attempted to create the confluence-administrators group (which already exists on a configured instance), confirming that the setup endpoint was accessed maliciously.

4. Activate Incident Response If Compromise Is Found

If any of the above indicators are present:

• Immediately shut down the Confluence instance and disconnect it from the network.
• Do not simply upgrade — the attacker's administrator account, any installed backdoors, and any other changes will persist through an upgrade.
• Engage your security incident response team to determine the full extent of the breach.
• Contact Atlassian Support for assistance with recovery procedures.
• Preserve all logs and forensic artifacts for investigation.
• Assume all data in Confluence has been accessed and begin your data breach notification process if applicable.

The Bigger Picture

CVE-2023-22515 is a stark reminder of several persistent challenges in enterprise security. First, it underscores the danger of exposing powerful enterprise collaboration platforms directly to the internet without robust access controls and network segmentation. Confluence instances, by their very nature, contain some of an organization's most sensitive intellectual property and internal communications — making them extraordinarily high-value targets.

Second, this vulnerability highlights the risk inherent in setup and administrative bootstrapping mechanisms in web applications. The pattern of initial setup endpoints remaining accessible after configuration is a recurring vulnerability class that has affected numerous products over the years. Developers and security teams should treat any endpoint capable of creating administrative accounts as one of the most security-critical surfaces in their application and ensure it is definitively disabled after first use.

Third, the confirmed involvement of both nation-state actors and ransomware operators demonstrates the convergence of the threat landscape. A vulnerability of this severity and simplicity will be exploited by every tier of adversary — from sophisticated intelligence services to opportunistic criminal gangs running automated scanning campaigns.

Finally, for organizations still running self-hosted Confluence instances, this event should prompt a serious conversation about the security trade-offs of self-managed infrastructure versus cloud-hosted alternatives. Atlassian Cloud instances were completely unaffected by this vulnerability, a point the vendor has been careful to emphasize.

Nearly two and a half years after the initial disclosure, any Confluence Data Center or Server instance that remains unpatched against CVE-2023-22515 should be considered not just vulnerable, but almost certainly already compromised. The window for proactive defense closed long ago. If you have not yet patched, the question is not whether you have been attacked — it is whether you have detected the intrusion.