Stealth Bomber: Atlassian Confluence Exploits Drop Web Shells In-Memory

The proof-of-concept exploits for Atlassian Confluence would enable arbitrary code execution without requiring file system access.

Fresh proof-of-concept (PoC) exploits are circulating in the wild for a widely targeted Atlassian Confluence Data Center and Confluence Server flaw. The new attack vectors could enable a malicious actor to stealthily execute arbitrary code within Confluences memory without touching the file system.
Researchers at VulnCheck have been tracking the exploits for the
CVE-2023-22527 remote code execution (RCE) vulnerability
, which was disclosed in January. The CVE has since become hotbed of malicious activity they noted, with VulnCheck currently tracking 30 unique in-the-wild exploits for the vulnerability, including the more recent options.
Most of the attacks against Confluence load the infamous
Godzilla Web shell
. Godzilla allows attackers to remotely control the compromised server, execute arbitrary commands, upload and download files, manipulate databases, and perform other malicious activities.
A new approach, though, is using an in-memory payload. After spotting the in-the-wild PoCs using that technique, VulnCheck researchers developed three PoCs of their own to probe the in-memory approachs limits.
The flurry of activity should surprise no one: VulnCheck CTO Jacob Baines says he thinks
attackers love to target Confluence
because of the wealth of business information available within in application, which makes it a good pivot into an internal network.
By exploiting this target, youre getting an on-prem version with business specific logic in it, he says. Its pretty attractive for ransomware attackers specifically.
As
VulnChecks blog post
details, Theres more than one way to reach Rome. More stealthy paths generate different indicators. Of particular interest is the in-memory Web shell, which had a pre-existing variant … that appears to have been deployed in the wild.
Baines explains that one of the firms PoCs details the basic first step of loading arbitrary Java into memory, a popular exploit approach but one that is easily discovered with endpoint detection.
This is a very obvious, easy-to-catch method to exploit Confluence, he says. But loading arbitrary Java into memory is useful to know how to do, because the next step, the Web shell portion, builds on that.
VulnChecks other two proofs of concept for CVE-2023-22527 in Confluence detail how malicious actors could exploit the Confluence vulnerability by loading an in-memory Web shell directly to gain unauthorized access to Web servers.
Loading into and executing code from Confluence’s memory is a much more stealthy and weaponized approach to attacking Confluence that is less likely to be detected by defenders, Baines says.
A lot of systems only detect adversaries on the system by analyzing files that are dropped to disk, he says, adding that theres no great way to scan Java in memory for Web shells because of the way its structured — the real solution lies in detecting it on the network.
That has its own challenges, as everythings encrypted and you have to deploy certificates to the clients, he says. The long-term answer is getting everything off of the Internet that you can.
Baines points out Confluence has now had multiple different CVEs on VulChecks Known Exploited Vulnerabilities (KEV) list.
Its definitely time to start putting that behind a VPN, he says. Ultimately, attack surface management is the way to help mitigate these more advanced issues.
Baines says the risk of compromise is extremely high for organizations who have still not patched Confluence, given the mass-exploitation efforts underway.
We see attackers have used this in-memory Web shell — its not a theoretical attack, he says. Its something thats happening, so defenders need to be aware of it, and that it is a high risk at the moment.
Baines adds that the risk from the in-memory approach is not just limited to Confluence, as it is related to Object-Graph Navigation Language (OGNL) expressions, which allow developers to perform various operations on Java objects using a simple, concise syntax.
This affects a variety of different products with similar vulnerabilities — you could use this exact same technique against those other products, he says. Organizations must evolve a step to start catching this sort of thing for example network-based detection or scanning Java memory for malicious Web shells.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Stealth Bomber: Atlassian Confluence Exploits Drop Web Shells In-Memory