"CISA Warns of Critical Confluence Bug Exploited in Attacks"

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Confluence vulnerability, tracked as CVE-2022-26138, to its list of exploited bugs. Successful exploitation of this flaw gives remote attackers hardcoded credentials. According to Atlassian, unpatched versions of the Questions for Confluence app, which is installed on over 8,000 servers, create an account with hardcoded credentials. One day after patching the vulnerability, the company notified administrators that the hardcoded password had been discovered and shared online. Atlassian warned that, now that the hardcoded password is public, this issue is likely to be exploited in the wild, and that threat actors could use the hardcoded credentials to log into vulnerable Confluence Server and Data Center servers.

All Federal Civilian Executive Branch (FCEB) agencies must secure their systems against bugs added to CISA's catalog of Known Exploited Vulnerabilities (KEV), according to a Binding Operational Directive (BOD 22-01) issued in November. The cybersecurity agency has given federal agencies until August 19 to patch their servers and prevent network attacks. Although the BOD 22-01 directive only applies to US federal agencies, CISA urges organizations across the country to fix this flaw to prevent attacks on vulnerable Confluence servers. This article continues to discuss CISA's addition of a critical Confluence vulnerability to its KEV catalog as well as the BOD 22-01.

Bleeping Computer reports "CISA Warns of Critical Confluence Bug Exploited in Attacks"