Active Campaign Targeting On-Premise Confluence Servers with New RCE Exploit – CVE-2021-26084

Share :


On August 25, 2021, Atlassian published an advisory for a vulnerability in its Confluence server titled
CVE-2021-26084: Atlassian Confluence OGNL Injection


CVSS Score V3

CVSS Criticality






Remote Code Execution

Atlassian Confluence OGNL Injection Vulnerability


CVE-2021- 26084

This is a vulnerability on the Atlassian Confluence Server which allows an unauthenticated attacker to perform remote command execution by taking advantage of an insecure handling of OGNL (Object-Graph Navigation Language) on affected Confluence servers. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.

Initially, Atlassian advisory stated that an authenticated attacker or “in some instances” an unauthenticated attacker — depending on the configuration — could exploit the flaw. But Atlassian updated this statement on September 4, 2021, with authentication is not required to exploit the vulnerability, and it has been exploited in the wild.

Solutions and Recommendations

Heading into this long weekend, we strongly recommend customers running on-prem confluence review Atlassian’s advisory to ensure they are not running a vulnerable version and apply patches immediately if you are. While Threat Actors are only known to be abusing CVE-2021-26084 to install crypto-miner malware today, this can quickly escalate to other attacks such as ransomware.

Atlassian has released a patch advisory for CVE-2021-26084 on August 25 and it can be reviewed here:


Learn more about Arctic Wolf’s Managed Risk solution or request a demo today.

Sule Tatar

Sule Tatar

Sule Tatar is a Product Marketing Manager at Arctic Wolf, where she does research on security trends and brings groundbreaking cybersecurity products and services to market. She has extensive experience in the B2B cybersecurity space and holds a bachelor's degree in computer engineering and an MBA.
Share :
Table of Contents
Subscribe to our Monthly Newsletter