Cyber Resilience

CVE-2023-22515

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoCRansomware-linked

Published: 04 October 2023

Published
04 October 2023
Modified
25 March 2026
KEV Added
05 October 2023
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9433 100.0th percentile
Risk Priority 96 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-22515 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Atlassian Confluence Data Center. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2023-22515 is a critical unauthenticated vulnerability affecting publicly accessible Atlassian Confluence Data Center and Server instances. It enables external attackers to create unauthorized administrator accounts and subsequently access the Confluence instance. Atlassian Cloud sites hosted under atlassian.net domains are not impacted. The flaw carries a CVSS 3.1 score of 9.8 and is associated with improper input validation weaknesses.

External attackers with no prior credentials can target internet-facing Confluence Server or Data Center deployments to provision admin accounts and achieve full control over the instance, including the ability to execute arbitrary code.

Public exploit code for unauthenticated remote code execution has been posted to Packet Storm, and Atlassian has published mitigation guidance and a dedicated knowledge-base article at confluence.atlassian.com along with a Jira tracking entry. The EPSS score has reached a peak of 0.9739 with a current value of 0.9433, indicating sustained and widespread exploitation interest following disclosure.

EU & UK References

Vulnerability details

Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and…

more

access Confluence instances. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

CWE(s)
KEV Date Added
05 October 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

atlassian
confluence data center
8.0.0 — 8.3.3 · 8.4.0 — 8.4.3 · 8.5.0 — 8.5.2
atlassian
confluence server
8.0.0 — 8.3.3 · 8.4.0 — 8.4.3 · 8.5.0 — 8.5.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces authentication and authorization checks before allowing any account creation or privilege escalation actions on the Confluence instance.

prevent

Restricts who can create or modify administrator accounts and requires explicit authorization for such privileged operations.

prevent

Validates all inputs related to account provisioning to block the unauthenticated admin-account creation path exploited by the flaw.

References