CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)
Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
Sigma rule
```yaml
title: CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)
id: a902d249-9b9c-4dc4-8fd0-fbe528ef965c
related:
    - id: 27d2cdde-9778-490e-91ec-9bd0be6e8cc6
      type: similar
status: test
description: |
    Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
references:
    - https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html
    - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
    - https://github.com/ForceFledgling/CVE-2023-22518
author: Andreas Braathen (mnemonic.io)
date: 2023-11-14
tags:
    - detection.emerging-threats
    - attack.initial-access
    - attack.t1190
    - cve.2023-22518
logsource:
    category: webserver
detection:
    selection_method:
        cs-method: 'POST'
    selection_uris:
        cs-uri-query|contains:
            # Exploitable endpoints
            - '/json/setup-restore-local.action'
            - '/json/setup-restore-progress.action'
            - '/json/setup-restore.action'
            - '/server-info.action'
            - '/setup/setupadministrator.action'
    selection_status:
        # Response code may be indicative of exploitation success, but is not always the case
        sc-status:
            - 200
            - 302
            - 405
    condition: all of selection_*
falsepositives:
    - Vulnerability scanners
level: medium
```
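The following is an added example, not part of the rule or of SigmaHQ, showing how the rule's three selections combine under `condition: all of selection_*` when applied to webserver access logs. It assumes Apache/NGINX combined log format, maps the request URI to the Sigma `cs-uri-query` field and the response code to `sc-status`, and uses constructed sample lines; only the method, URI substrings and status codes are taken from the rule.

```python
"""Stand-alone matcher for the CVE-2023-22518 webserver Sigma rule.

Added example: the rule values below are copied from the rule above; the
log format, field mapping and sample log lines are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Values copied from the rule.
METHODS = {"POST"}                                   # selection_method
URI_SUBSTRINGS = (                                    # selection_uris (|contains)
    "/json/setup-restore-local.action",
    "/json/setup-restore-progress.action",
    "/json/setup-restore.action",
    "/server-info.action",
    "/setup/setupadministrator.action",
)
STATUS_CODES = {200, 302, 405}                        # selection_status

# Assumed log format: Apache/NGINX "combined". Fields after the size are ignored.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class AccessLogEvent:
    client_ip: str
    timestamp: str
    method: str   # Sigma field cs-method
    uri: str      # Sigma field cs-uri-query (assumed mapping: full request URI)
    status: int   # Sigma field sc-status


def parse_combined(line: str) -> Optional[AccessLogEvent]:
    """Parse one combined-format line; return None for lines that do not fit."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    return AccessLogEvent(m["ip"], m["ts"], m["method"], m["uri"], int(m["status"]))


def matches_rule(event: AccessLogEvent) -> bool:
    """Evaluate the rule: every selection_* block must match (AND)."""
    sel_method = event.method in METHODS
    sel_uris = any(s in event.uri for s in URI_SUBSTRINGS)
    sel_status = event.status in STATUS_CODES
    return sel_method and sel_uris and sel_status


def scan(lines: List[str]) -> List[AccessLogEvent]:
    """Return the events that would fire the rule; unparseable lines are skipped."""
    return [ev for ev in map(parse_combined, lines) if ev is not None and matches_rule(ev)]


# Constructed sample lines (not real traffic): two should fire, the rest should not.
SAMPLE_LINES = [
    '203.0.113.10 - - [14/Nov/2023:10:15:31 +0000] "POST /json/setup-restore.action HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.10 - - [14/Nov/2023:10:15:32 +0000] "GET /json/setup-restore.action HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.11 - - [14/Nov/2023:10:16:02 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    '203.0.113.11 - - [14/Nov/2023:10:16:03 +0000] "POST /json/setup-restore-progress.action HTTP/1.1" 403 128 "-" "python-requests/2.31"',
    '198.51.100.7 - - [14/Nov/2023:10:20:00 +0000] "POST /login.action HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'malformed line that the parser must skip',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(f"{hit.timestamp} {hit.client_ip} {hit.method} {hit.uri} -> {hit.status}")
```

The second sample line (GET) and the fourth (403) show why the rule is an AND of three selections: the endpoint alone is not enough, and the status list deliberately keeps 405 because some exploitation attempts are answered that way. As the rule's `falsepositives` entry notes, authorized vulnerability scanners produce the same pattern, so hits are best triaged against the source IP and scanner allow-lists before escalation.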
Related rules
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
- CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)
- CVE-2023-46747 Exploitation Activity - Proxy
- CVE-2023-46747 Exploitation Activity - Webserver