CVE-2022-26134

Atlassian Confluence 'OGNL Injection' — Pre-Auth Remote Code Execution via URL Path Expression Language Injection
CVSS 3.1: 9.8 / 10 (CRITICAL). Listed in CISA's Known Exploited Vulnerabilities catalog.

Overview

Actively Exploited. This vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on June 2, 2022 with a remediation deadline of June 6, 2022 — only 4 days, one of the shortest remediation deadlines CISA has ever imposed. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2022-26134 is a pre-authentication remote code execution vulnerability in Atlassian Confluence Server and Data Center, exploited as a zero-day before the patch was released. The vulnerability is an OGNL injection (Object-Graph Navigation Language — an expression language used in Java web frameworks): attacker-controlled OGNL expressions embedded in the HTTP request URL path are evaluated server-side, enabling arbitrary Java code execution without authentication.

Discovered by Volexity as an active zero-day on May 28, 2022, the vulnerability affected every supported version of Confluence Server and Data Center, and exploitation was widespread within hours of Atlassian's advisory. The 4-day CISA remediation deadline and the instruction to immediately block all internet access to Confluence reflected the severity and exploitation pace.

What Is Atlassian Confluence?

Atlassian Confluence is a widely-used enterprise wiki and collaboration platform, deployed by thousands of organizations as an internal knowledge base, documentation system, and project workspace. Confluence Server and Data Center are the on-premises versions. Because Confluence holds sensitive internal documentation — architecture diagrams, credentials documentation, security procedures, project plans — it is a high-value target for both espionage actors seeking intelligence and ransomware operators seeking to map and disrupt environments.

Affected Versions

All Confluence Server and Data Center versions from 1.3.0 through 7.18.0 are affected.

Confluence Version           Status
7.18.1                       Fixed
7.17.4                       Fixed
7.4.17 (LTS)                 Fixed
7.13.7 (LTS)                 Fixed
7.15.2                       Fixed
7.16.4                       Fixed
All prior versions (1.3.0+)  Vulnerable
Confluence Cloud             Not affected

Technical Details

Root Cause: OGNL Injection in URL Path Processing

Confluence Server uses the WebWork 2 / XWork action framework, which evaluates OGNL expressions in certain contexts. The vulnerability is in how Confluence processes HTTP request paths: OGNL expressions embedded in the URL path reach an evaluation context where they execute with the permissions of the Confluence web application process (typically with access to the Java runtime and the underlying OS).

A minimal exploit request:

GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/ HTTP/1.1
Host: confluence.target.com

URL-decoded: /${@java.lang.Runtime@getRuntime().exec("id")}/

When Confluence processes this request path, the OGNL expression @java.lang.Runtime@getRuntime().exec("id") is evaluated — executing the OS command id. The result can be retrieved via a subsequent request or by staging output to an accessible location.

More complete exploitation uses OGNL to write a JSP webshell to the Confluence web root, then accesses it for persistent command execution.

Pre-Authentication: No Login Required

The vulnerable code path is reached before any authentication check — the OGNL evaluation occurs during request routing. An attacker targeting an internet-facing Confluence instance needs only to send an HTTP request; no account or session is required.

Attack Characteristics

Attribute                Detail
Attack Vector            Network — Confluence HTTP/HTTPS port (typically 8090 or 443)
Authentication Required  None — pre-authentication
Code Execution           As the Confluence process user (often confluence or root)
Persistence              Typically via JSP webshell written to the Confluence web root
Versions Affected        All Confluence Server/DC from 1.3.0 — essentially every deployment

Discovery

Volexity discovered active exploitation of an unknown Confluence zero-day on May 28, 2022 during incident response at a customer. The attacker was deploying an in-memory copy of the BEHINDER webshell framework via the OGNL injection, then using it for post-exploitation activity including credential harvesting and lateral movement. Volexity reported the zero-day to Atlassian on June 1, 2022; Atlassian released patches and the CVE on June 2, one day later. Rapid7 released a PoC the following day, triggering mass exploitation.

Exploitation Context

The 4-day CISA deadline and the immediate availability of public PoCs drove rapid exploitation:

  • Mass exploitation began within hours of the June 2 advisory; Shadowserver observed hundreds of exploitation attempts within the first day
  • Threat actors: Multiple Chinese state-sponsored groups (including APT41 / HAFNIUM-adjacent actors), ransomware operators, and cryptomining gangs
  • Webshells: BEHINDER (a Chinese-origin in-memory Java webshell), China Chopper, and custom ASPX/JSP webshells were the primary payloads
  • Ransomware use: Confirmed; AvosLocker and other ransomware groups used CVE-2022-26134 for initial access
  • Post-exploitation: Attackers typically harvested the Confluence database (containing user credentials, space content, and attachments), deployed webshells for persistence, then moved laterally into connected systems
  • Internet-facing instances: Shodan showed approximately 11,000 internet-exposed Confluence Server instances at time of disclosure

Remediation

CISA BOD 22-01 Deadline: June 6, 2022. Immediately block all internet traffic to and from affected products AND apply the update per vendor instructions OR remove the affected products by the due date.

Recommended Actions

  1. Apply the Atlassian patch — upgrade to a fixed version (7.18.1, 7.17.4, 7.13.7, 7.4.17, or later). Verify via Administration > About Confluence.

  2. Immediately block internet access to Confluence if patching is delayed. CVE-2022-26134 requires only HTTP access; blocking all inbound internet connections to Confluence eliminates the remote attack vector.

  3. Hunt for webshells — search the Confluence web root for unexpected JSP/JSPX files (files newer than the deployed web.xml are a good first filter):

    find /opt/atlassian/confluence \( -name "*.jsp" -o -name "*.jspx" \) -newer /opt/atlassian/confluence/confluence/WEB-INF/web.xml

  4. Review Confluence access logs for OGNL injection patterns — look for the URL-encoded sequences %24%7B and %40java, or their decoded forms ${ and @, in request paths from before the patch date.

  5. Rotate credentials stored in Confluence — if exploitation is suspected, treat all credentials documented in Confluence pages as compromised. This includes service account passwords, API keys, and infrastructure credentials that are commonly documented in wiki pages.

  6. Move Confluence behind a VPN or Zero Trust gateway — Confluence should not be directly internet-accessible. Internal wikis do not require public internet exposure.
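The log review in step 4, as an added example that is not part of the original advisory: a small Python scanner that URL-decodes each request path (repeatedly, so double-encoded paths are not missed) and flags the OGNL indicators the step lists. The log lines are constructed samples in the common access-log layout; the regular expression is an assumption and must be adapted to the pattern configured in your Tomcat AccessLogValve.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in common access-log layout (not real traffic);
# the first request is the page's own minimal exploit URL.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Jun/2022:13:01:07 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/ HTTP/1.1" 302 0
198.51.100.7 - - [02/Jun/2022:13:02:11 +0000] "GET /login.action HTTP/1.1" 200 5120
198.51.100.7 - - [02/Jun/2022:13:02:40 +0000] "GET /dosearchsite.action?queryString=alice%40example.com HTTP/1.1" 200 8810
203.0.113.10 - - [02/Jun/2022:13:05:19 +0000] "GET /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529%257D/ HTTP/1.1" 302 0
"""

# Assumed log layout; adapt to the pattern in your Tomcat AccessLogValve.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Indicators are checked on the fully decoded path only: a bare "@" in
# query values (e-mail addresses, for example) is routine traffic.
OGNL_INDICATORS = {
    "ognl_expression": lambda p: "${" in p,
    "static_call": lambda p: re.search(r"@[\w.]+@\w+", p) is not None,  # OGNL @class@method
    "process_exec": lambda p: ".exec(" in p or "ProcessBuilder" in p,
}

def full_decode(s, max_rounds=3):
    """URL-decode until stable so double-encoded paths (%2524 -> %24 -> $) are seen."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def scan_line(line):
    """Return a finding dict for one log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = full_decode(m.group("target").split("?", 1)[0])
    hits = [name for name, check in OGNL_INDICATORS.items() if check(path)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": path, "indicators": hits}

def scan_log(text):
    """Scan a whole access log; returns one finding per suspicious line."""
    return [h for h in (scan_line(l) for l in text.splitlines()) if h]
```

Run scan_log over the contents of each rotated access log covering the pre-patch window; every finding is a candidate for the webshell hunt in step 3 and the credential rotation in step 5.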

Key Details

Property              Value
CVE ID                CVE-2022-26134
Vendor / Product      Atlassian — Confluence Server/Data Center
NVD Published         2022-06-03
NVD Last Modified     2025-10-24
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-917 — Improper Neutralization of Special Elements used in an Expression Language Statement
CISA KEV Added        2022-06-02
CISA KEV Deadline     2022-06-06
Known Ransomware Use  Yes

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-06-06. Immediately block all internet traffic to and from affected products AND apply the update per vendor instructions OR remove the affected products by the due date. Note: Once the update is successfully deployed, agencies can reassess the internet blocking rules.

Timeline

Date        Event
2022-05-28  Volexity observes exploitation of an unknown Confluence zero-day in a customer environment
2022-06-01  Volexity reports the zero-day to Atlassian
2022-06-02  Atlassian releases emergency advisory and patches; CVE-2022-26134 published; CISA KEV added (same day as patch, with a 4-day remediation deadline for federal agencies)
2022-06-03  Multiple public PoC exploits released; mass exploitation begins across all Confluence versions
2022-06-06  CISA BOD 22-01 remediation deadline, one of the shortest ever (4 days)