Critical Confluence Zero-Day (CVE-2026-22515) Actively Exploited to Deploy LockBit Ransomware

Atlassian Patches Critical RCE Zero-Day CVE-2026-22515 in Confluence Under Active Exploitation

CRITICAL
February 23, 2026
5m read
Vulnerability, Ransomware, Cyberattack

Related Entities

Threat Actors

Cerberus

Organizations

Products & Tech

Confluence Data Center and Server

CVE Identifiers

CVE-2026-22515 (CRITICAL, CVSS 9.8)

Full Report

Executive Summary

Atlassian has released an emergency security patch for a critical remote code execution (RCE) zero-day vulnerability, tracked as CVE-2026-22515, affecting Confluence Data Center and Server products. With a CVSS score of 9.8, this vulnerability is being actively exploited in the wild by multiple threat actors, including a group tracked as Cerberus. The attackers are leveraging the flaw to gain initial access, establish persistence via web shells, and deploy the LockBit 3.0 ransomware as the final payload. Due to active and widespread exploitation, CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog. All organizations using affected Confluence versions are urged to apply the patch immediately or implement the provided workarounds.

Vulnerability Details

The vulnerability, CVE-2026-22515, is an authentication bypass flaw that leads to remote code execution. It exists in the way Confluence handles file attachments. An unauthenticated attacker can craft a specific HTTP request to upload a malicious file (e.g., a JSP web shell) to a publicly accessible directory on the server. The attacker can then navigate to the location of the uploaded file to trigger its execution, granting them arbitrary code execution with the privileges of the Confluence server process. This attack vector requires no user interaction and can be fully automated, making it highly scalable and dangerous.

Affected Systems

  • Atlassian Confluence Data Center and Server
    • Versions 7.13.0 through 8.5.3 are confirmed to be vulnerable.

Exploitation Status

Active exploitation was first detected by security researchers at Rapid7 on February 21, 2026. Multiple threat actors are now exploiting the vulnerability indiscriminately. The threat actor group Cerberus, as identified by CrowdStrike, is one of the prominent groups leveraging this zero-day for initial access. The primary goal observed post-exploitation is the deployment of LockBit 3.0 ransomware.

Technical Analysis

The attack chain is straightforward and effective:

  1. Initial Access: The attacker sends a specially crafted POST request to a vulnerable Confluence endpoint, bypassing authentication checks for file uploads.
  2. Execution: A malicious file, typically a JSP web shell, is uploaded to a predictable, web-accessible directory. The attacker then sends a GET request to the path of the uploaded shell, causing the server to execute it.
  3. Persistence & Discovery: The web shell provides the attacker with persistent access and a command-and-control channel. From here, they perform reconnaissance on the internal network, discover sensitive systems, and escalate privileges.
  4. Impact: In many observed cases, the final payload is the deployment of LockBit 3.0 ransomware, leading to data encryption and exfiltration for double extortion.

MITRE ATT&CK TTPs

Impact Assessment

The business impact of this vulnerability is critical. Successful exploitation gives attackers a direct foothold into an organization's internal network. Confluence often serves as a central knowledge repository, containing sensitive business plans, technical documentation, and credentials. The deployment of LockBit 3.0 can lead to complete operational shutdown, significant financial loss from ransom demands and recovery costs, severe reputational damage, and regulatory fines if sensitive data is exfiltrated and leaked.

Cyber Observables for Detection

Security teams should hunt for the following indicators:

  • url_pattern: POST /<confluence_path>/<vulnerable_endpoint>. Look for unusual POST requests to Confluence endpoints related to file uploads from unknown IP addresses.
  • file_name: *.jsp. Monitor Confluence attachment or temp directories for suspicious file uploads, especially JSP files.
  • process_name: java.exe. Look for unusual child processes spawned by the main Confluence Java process (e.g., cmd.exe, powershell.exe, sh, bash).
  • network_traffic_pattern: outbound connections from the Confluence server. Monitor for new or anomalous outbound connections from the Confluence server to unknown IP addresses, which could indicate C2 communication or data exfiltration.
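As an added example that is not part of the original report, the following Python script applies the url_pattern and file_name observables above to a constructed Confluence/Tomcat access log. The log layout, the trusted networks, and the "attachment/upload" path heuristic are assumptions, since the page does not name the vulnerable endpoint; adjust them to your instance. The script flags successful POSTs to attachment-related paths from untrusted addresses and requests for .jsp files, and correlates the two by source IP so that a JSP request following an untrusted upload stands out from a lone JSP hit.

```python
import ipaddress
import re

# Assumed Tomcat "combined" access-log layout; the page does not show the real
# format, so adapt the regex to the pattern configured for your Confluence instance.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: internal ranges are treated as trusted; everything else is untrusted.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# The advisory's exact vulnerable endpoint is not named on the page, so this
# heuristic treats any path mentioning attachments or uploads as upload-related.
ATTACHMENT_HINTS = ("attach", "upload")

# Constructed sample log: a legitimate browse, an untrusted upload POST that
# succeeds, two follow-up requests to a JSP from the same address, a trusted
# upload attempt that is redirected, and a JSP request from a second address.
SAMPLE_LOG = """\
10.1.2.3 - jdoe [22/Feb/2026:09:14:02 +0000] "GET /confluence/display/ENG/Home HTTP/1.1" 200 5123
203.0.113.45 - - [22/Feb/2026:09:15:10 +0000] "POST /confluence/pages/doattachfile.action HTTP/1.1" 200 412
203.0.113.45 - - [22/Feb/2026:09:15:13 +0000] "GET /confluence/download/attachments/98765/cmd.jsp HTTP/1.1" 200 87
10.1.2.3 - jdoe [22/Feb/2026:09:16:40 +0000] "POST /confluence/pages/doattachfile.action HTTP/1.1" 302 0
203.0.113.45 - - [22/Feb/2026:09:17:01 +0000] "GET /confluence/download/attachments/98765/cmd.jsp?q=1 HTTP/1.1" 200 61
198.51.100.7 - - [22/Feb/2026:09:20:30 +0000] "GET /confluence/download/attachments/98765/cmd.jsp HTTP/1.1" 200 87
"""


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string so "cmd.jsp?q=1" still matches as a JSP path.
    rec["path"] = rec["target"].split("?", 1)[0]
    return rec


def is_trusted(ip):
    """True if the address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def analyze(log_text):
    """Scan access-log text and return alert dicts in log order."""
    alerts = []
    uploaders = set()  # untrusted IPs that received a 200 on an attachment POST
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        lower = rec["path"].lower()
        attach_related = any(hint in lower for hint in ATTACHMENT_HINTS)
        if (rec["method"] == "POST" and attach_related
                and rec["status"] == 200 and not is_trusted(rec["ip"])):
            uploaders.add(rec["ip"])
            alerts.append({"kind": "untrusted_attachment_post", "ip": rec["ip"],
                           "path": rec["path"], "line": lineno})
        if lower.endswith(".jsp"):
            # A JSP hit from an address that already uploaded is the stronger signal.
            kind = "upload_then_jsp" if rec["ip"] in uploaders else "jsp_request"
            alerts.append({"kind": kind, "ip": rec["ip"], "path": rec["path"], "line": lineno})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"line {a['line']:>2}  {a['kind']:<26} {a['ip']:<14} {a['path']}")
```

On the constructed log this yields one untrusted upload alert on line 2, two correlated JSP hits from the same address on lines 3 and 5, and a lone JSP request from the second address on line 6; the trusted, redirected upload on line 4 produces nothing. Run it against a real log by replacing SAMPLE_LOG with the file contents and the regex with your server's access-log pattern.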

Detection & Response

  • Log Analysis: Scrutinize Confluence access logs and web server logs (e.g., Tomcat logs) for anomalous POST requests to attachment-related endpoints. Look for requests from untrusted IP sources or those resulting in a 200 OK status for uploading files like .jsp.
  • Endpoint Detection and Response (EDR): Deploy EDR solutions to monitor the Confluence server for suspicious process creation. The Confluence process (java.exe) should not be spawning shells (cmd.exe, powershell.exe, bash) or making outbound network connections to unusual destinations.
  • Threat Hunting: Proactively hunt for web shells in Confluence web directories. Use file integrity monitoring to detect unauthorized changes or additions to the Confluence application directories.
  • D3FEND: Employ D3-NTA: Network Traffic Analysis to identify anomalous traffic patterns from the Confluence server and D3-PA: Process Analysis to detect suspicious child processes.
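The file-integrity hunt described under Threat Hunting, written out as an added example that is not from the report or from Atlassian: take a hashed snapshot of the Confluence application directories, diff a later snapshot against that baseline, and surface new or modified files with executable-page extensions. The directory layout, file contents and the extension set are constructed for the demonstration; point snapshot() at the real install and attachment directories in practice.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed set of server-side page extensions worth flagging; extend to taste.
SUSPICIOUS_EXT = {".jsp", ".jspx", ".war"}


def snapshot(root):
    """Map each regular file under root (POSIX relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def diff_snapshots(before, after):
    """Return (added, modified, removed) relative paths between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return added, modified, removed


def hunt_web_shells(root, baseline):
    """Return new or changed files under root whose extension is in SUSPICIOUS_EXT."""
    added, modified, _ = diff_snapshots(baseline, snapshot(root))
    return sorted(p for p in added + modified if Path(p).suffix.lower() in SUSPICIOUS_EXT)


def demo():
    # Constructed: a throwaway tree standing in for the Confluence install directory.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "confluence" / "attachments").mkdir(parents=True)
        (root / "confluence" / "index.jsp").write_text("<%-- legitimate page --%>")
        (root / "confluence" / "logo.png").write_bytes(b"\x89PNG")
        baseline = snapshot(root)  # taken while the server is known-good

        # Simulated later state: a new JSP appears in the attachments directory,
        # an existing JSP is altered, and a harmless text file is added.
        (root / "confluence" / "attachments" / "x.jsp").write_text("<%-- placeholder --%>")
        (root / "confluence" / "index.jsp").write_text("<%-- modified --%>")
        (root / "confluence" / "notes.txt").write_text("not executable")
        return hunt_web_shells(root, baseline)


if __name__ == "__main__":
    for path in demo():
        print("review:", path)
```

The baseline should be captured from a known-good build (or regenerated from the vendor package) and stored off the host, since an attacker with a web shell can rewrite anything on the server itself; the text file added in the demo is deliberately ignored so that the hunt stays focused on files the servlet container would execute.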

Mitigation

  1. Patch Immediately: The most effective mitigation is to upgrade to a patched version of Confluence Data Center or Server as specified in Atlassian's advisory.
  2. Temporary Mitigation: If patching is not immediately possible, Atlassian has provided a workaround that involves blocking access to specific vulnerable endpoints. This can be done at the network edge, WAF, or on the server itself. This is a temporary measure and should not be considered a substitute for patching.
  3. Restrict Access: Limit inbound network access to the Confluence instance to only trusted IP addresses. This reduces the attack surface available to unauthenticated attackers.
  4. Web Application Firewall (WAF): Implement a WAF with rules designed to inspect and block malicious requests attempting to exploit this vulnerability.
  5. D3FEND: Implement hardening measures such as D3-ACH: Application Configuration Hardening to restrict unnecessary features and D3-NI: Network Isolation to segment the Confluence server from other critical parts of the network.

Timeline of Events

  1. February 21, 2026: Active exploitation of CVE-2026-22515 is detected in the wild by security researchers at Rapid7.
  2. February 22, 2026: Atlassian releases an emergency patch and advisory for the critical zero-day vulnerability.
  3. February 23, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Applying the security patches provided by Atlassian is the most effective way to remediate the vulnerability.
  • Use a WAF or reverse proxy to block malicious requests targeting the vulnerable endpoints as a temporary mitigation.
  • Running Confluence in a containerized or isolated environment can limit the blast radius if the server is compromised.
  • Use EDR solutions to monitor and block suspicious behavior originating from the Confluence process, such as spawning shells.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Zero-Day, RCE, Confluence, Atlassian, LockBit, Ransomware, KEV
