CVE-2023-22515: Critical Privilege Escalation Vulnerability in Confluence Data Center and Server

Share :

On October 4, 2023, Atlassian issued a security advisory revealing potential active exploitation of a previously unknown vulnerability (CVE-2023-22515, CVSS: 10) affecting Confluence Data Center and Server instances that are on-premises. This vulnerability can enable an unauthenticated, anonymous remote threat actor to escalate privileges by creating unauthorized Confluence administrator accounts and accessing Confluence instances across multiple versions of Confluence Data Center and Server. 


Product  Affected Version 
Confluence Data Center 
  • 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4 
  • 8.1.0, 8.1.1, 8.1.3, 8.1.4 
  • 8.2.0, 8.2.1, 8.2.2, 8.2.3 
  • 8.3.0, 8.3.1, 8.3.2 
  • 8.4.0, 8.4.1, 8.4.2 
  • 8.5.0, 8.5.1 
Confluence Server 


Note: Versions prior to 8.0.0 and Atlassian Cloud sites (sites accessed via an domain) are not affected by CVE-2023-22515. 

Atlassian first became aware of this issue when multiple customers reported the malicious activity conducted by external threat actors. At this time, Arctic Wolf has not identified a public Proof of Concept (PoC). However, it is highly likely that threat actors will develop exploits for this vulnerability in the future, given the ease of external access to these Confluence instances and the potential level of access they can achieve. Additionally, several previous Confluence vulnerabilities have been exploited by threat actors and added to CISA’s Known Exploited Vulnerability catalog.  

Recommendation for CVE-2023-22515 

Upgrade Confluence Data Center and Server to Fixed Versions  

Arctic Wolf strongly recommends upgrading the affected Confluence products to their fixed versions (or any later versions).   

Product  Fixed Version 
Confluence Data Center 
  • 8.3.3 or later 
  • 8.4.3 or later 
  • 8.5.2 (Long Term Support release) or later 
Confluence Server 


Note: If an instance has already been compromised, upgrading does not remove the compromise.  

Please follow your organization’s patching and testing guidelines to avoid operational impact. 


For users who are unable to upgrade Confluence, Atlassian recommends restricting external network access to the affected Confluence Data Center and Server instance.  

Additionally, Atlassian provides changes to Confluence configuration files that can mitigate attack vectors for CVE-2023-25115 by blocking access to endpoints on Confluence instances.  

Further details on how to make the Confluence configuration files changes can be found in the Mitigation section of their security advisory 


  1. Atlassian security advisory  
  2. Atlassian FAQ (CVE-2023-22515)  


Picture of Andres Ramos

Andres Ramos

Andres Ramos is a Threat Intelligence Researcher at Arctic Wolf with a strong background in tracking emerging threats and producing actionable intelligence for both technical and non-technical stakeholders. He has a diverse background encompassing various domains of cyber security, holds a degree in Cybersecurity Engineering, and is a CISSP.
Share :
Table of Contents
Subscribe to our Monthly Newsletter