We are seeing Atlassian Confluence CVE-2023-22527 pre-auth template injection RCE attempts since 2024-01-19.

Over 600 IPs seen attacking so far (testing callback attempts and 'whoami' execution).

Vulnerability affects out of date versions of Confluence: https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html

If you have exposed Atlassian Confluence instances make sure they are up to date (and if not check for signs of compromise!)

11,1K accessible: https://dashboard.shadowserver.org/statistics/iot-devices/time-series/?date_range=7&vendor=atlassian&model=confluence&group_by=geo&style=stacked

Info on exposed Atlassian Confluence instances in our Device Identification report: https://shadowserver.org/what-we-do/network-reporting/device-identification-report/