
CVE-2023-22515: Atlassian Confluence Broken Access Control Zero-Day Explained and Fixed

A CVSS 10.0 broken access control zero-day in Confluence Data Center and Server that lets unauthenticated attackers create administrator accounts on fully configured instances. Storm-0062 (China) exploited it three weeks before Atlassian published the advisory.

CVSS Score: 10.0
Exploited Before Advisory: 3 Weeks
Auth Required: None
Confirmed Actor: Storm-0062

CVE-2023-22515 is a broken access control vulnerability in Atlassian Confluence Data Center and Server that allows unauthenticated external attackers to create new administrator accounts on fully configured Confluence instances by accessing the setup wizard endpoint that should be unavailable after initial installation. The vulnerability carries the maximum CVSS score of 10.0 and was exploited as a zero-day by Storm-0062 — a Chinese state-sponsored threat actor — beginning September 14, 2023. Atlassian published the advisory and patches October 4, 2023, nearly three weeks after exploitation had already begun.

Confluence is a high-value intelligence target because of what organizations store in it: architectural documentation, operational runbooks, credential repositories embedded in pages, source code links, security policies, and internal communications. Administrator access to Confluence provides read access to all of this — plus the ability to install plugins, execute macros, and potentially reach connected Jira and other Atlassian services.

The Attack: Creating an Admin Account via the Setup Endpoint

Confluence's initial setup wizard runs during first-time installation to configure the database connection and create the first administrator account. After setup completes, this wizard endpoint is supposed to be inaccessible. In affected versions (8.0.0 through 8.5.1), the access control check preventing post-setup access to the setup endpoint is missing or insufficiently enforced — the endpoint remains reachable from the internet on fully configured production instances.

An attacker sends a single HTTP POST request to the Confluence setup endpoint with parameters defining a new administrator account: username, password, email address, and display name. Confluence processes the request as if it were initial setup and creates the account with full Confluence administrator privileges. The attacker then logs in immediately with the newly created account. No prior knowledge of the Confluence instance, no existing credentials, and no complex exploit chain are required — just a POST request with account creation parameters.

1. Identify internet-accessible Confluence instances (version 8.x)

Enumerate Confluence Data Center and Server instances. The login page is distinctive. Version 8.0.0 through 8.5.1 were all affected. Storm-0062 maintained a target list of Confluence instances belonging to organizations of strategic interest.

2. Send unauthenticated POST to setup endpoint

Send an HTTP POST to the Confluence setup administrator creation endpoint with parameters for a new admin account. The endpoint accepts the request and creates the account despite Confluence being fully configured.

3. Log in with the created admin account

Authenticate to Confluence using the newly created administrator credentials. Full administrative access is granted — access to all spaces, pages, attachments, user management, and plugin installation.

4. Exfiltrate high-value Confluence content

Access all Confluence spaces and export pages, attachments, and database content containing credentials, architecture documentation, operational procedures, and any other sensitive information stored in the wiki.

5. Establish persistence and lateral movement

Install malicious Confluence macros or plugins providing persistent code execution. Use credentials found in Confluence pages to access connected systems. Create additional admin accounts to maintain access if the original is detected and disabled.

Storm-0062: Nation-State Exploitation Three Weeks Before the Patch

Microsoft Threat Intelligence published attribution data October 13, 2023, identifying Storm-0062 (also tracked as ZINC, DarkShadow, and Oro0lxy) as the threat actor exploiting CVE-2023-22515. Microsoft observed Storm-0062 actively exploiting the vulnerability beginning September 14, 2023 — 19 days before Atlassian's advisory. The pre-advisory exploitation suggests Storm-0062 discovered the vulnerability independently or obtained information about it before responsible disclosure reached Atlassian.

Storm-0062 is a Chinese state-sponsored group with a history of targeting technology companies, defense contractors, and government entities for intellectual property theft and strategic intelligence collection. Their choice of Confluence as a target aligns with their interest in internal documentation and technical knowledge — Confluence instances often contain exactly the kind of architectural, strategic, and operational information that intelligence-gathering operations value.

Microsoft has observed nation-state threat actor Storm-0062 exploiting CVE-2023-22515 in the wild since September 14, 2023. Storm-0062 is a China-linked threat actor known to conduct cyberespionage in support of the People's Republic of China.

Microsoft Threat Intelligence, October 2023

Patching and Responding to CVE-2023-22515

Apply Atlassian's patches immediately. If unauthorized admin accounts exist in your Confluence instance, treat it as a confirmed compromise and initiate incident response.

Upgrade to a patched Confluence version

Upgrade to Confluence Data Center/Server 8.3.3+, 8.4.3+, or 8.5.2+ (LTS release). For instances running 8.0.x, 8.1.x, or 8.2.x: upgrade to the 8.3.3+ or 8.5.2+ branch — no patches were released for those minor versions specifically.

Block /setup/* as emergency network mitigation

If immediate patching is not possible, apply a WAF rule or network ACL blocking all access to URL paths matching /setup/* from external networks. This removes the exposed attack surface as a temporary measure until the upgrade can be applied; it is a bridge, not a substitute for patching.

Audit all Confluence administrator accounts immediately

Navigate to Confluence Administration > User Management > View Users. Filter by the confluence-administrators group. Identify and immediately disable any admin account not recognized from your authorized user list. Document all unauthorized accounts found for incident response.

Search access logs for setup endpoint access

Search Confluence and web server access logs for POST requests to /setup/setupadministrator.action, /setup/finishsetup.action, or any /setup/* path from external source IPs. There is no legitimate reason for these paths to be hit after initial setup, so requests to them with 200 or 302 response codes from external IPs should be treated as confirmed exploitation.

Conduct full Confluence content review and credential rotation

If exploitation is confirmed, assume all Confluence pages, attachments, and spaces were accessed. Rotate every credential, API key, or password found in any Confluence page or macro. Assess breach notification obligations under applicable regulations based on the sensitivity of exposed content.

The bottom line

CVE-2023-22515 is the third maximum-severity Confluence vulnerability in two years — following CVE-2021-26084 (OGNL injection, CVSS 9.8, August 2021) and CVE-2022-26134 (OGNL injection, CVSS 10.0, June 2022 zero-day). The repetition of critical vulnerabilities in the same product, exploited by nation-state actors before patches are available, should fundamentally inform how organizations classify and manage Confluence's risk profile.

Confluence is not a low-risk internal wiki. It is a high-value intelligence collection target containing exactly the information nation-state actors seek: architectural documentation, operational procedures, credential repositories, and strategic plans. It should receive the same patching urgency, network segmentation, and access monitoring as production databases. The three-week pre-patch exploitation window demonstrates that for Atlassian Confluence specifically, patching cadences measured in weeks are operationally inadequate — the response to a critical Confluence advisory must be measured in hours.

Frequently asked questions

What is CVE-2023-22515?

CVE-2023-22515 is a CVSS 10.0 broken access control zero-day in Atlassian Confluence Data Center and Server. The setup wizard endpoint — used only during initial installation — remains accessible on fully configured instances without authentication. An unauthenticated attacker sends a POST request to create a new administrator account, gaining immediate full control of Confluence.

Was CVE-2023-22515 exploited before the patch?

Yes. Microsoft identified Storm-0062 (a Chinese state-sponsored threat actor) exploiting CVE-2023-22515 beginning September 14, 2023 — nearly three weeks before Atlassian's October 4, 2023 advisory and patch. The pre-advisory exploitation window means any internet-accessible Confluence 8.0.0–8.5.1 instance during that period should be assumed compromised.

Is CVE-2023-22515 related to the 2022 Confluence zero-day?

CVE-2022-26134 (June 2022, CVSS 10.0 OGNL injection enabling OS command execution) is a separate vulnerability. Both are maximum-severity Confluence zero-days exploited before patches, but the vulnerability classes differ. CVE-2023-22515 creates admin accounts via broken access control; CVE-2022-26134 executes OS commands via OGNL injection.

How do I detect if my Confluence was exploited?

Check Confluence's user management for administrator accounts not recognized from your authorized user list. Search access logs for POST requests to /setup/ paths from external IPs with successful responses. Audit the Confluence audit log for admin account creation events outside of authorized change windows.
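As an added example (not code from the original article or from Atlassian), the following Python scan implements the access-log check described both in the "Search access logs for setup endpoint access" response step and in this answer: it flags POST requests to /setup/* from external source IPs that received a 200 or 302. The combined log format, the internal address ranges and the sample log lines are assumptions made here.

```python
# Flag likely CVE-2023-22515 exploitation in combined-format access logs
# (nginx/Apache in front of Confluence): a POST to /setup/* from an external
# source IP that received a 200 or 302, as in the response step above.
import ipaddress
import re

# Combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SETUP_PREFIX = "/setup/"       # no legitimate hits here after initial setup
SUCCESS_CODES = {200, 302}     # codes the response guidance treats as success
# Assumed internal ranges (RFC 1918 plus loopback); adjust to your network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(ip: str) -> bool:
    """True for internal sources; unparsable addresses count as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def find_setup_hits(lines):
    """Return (timestamp, ip, path, status) for successful external POSTs to /setup/*."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # skip unparsable lines, do not crash
        path = m["path"].split("?", 1)[0]   # drop any query string before matching
        status = int(m["status"])
        if (m["method"] == "POST" and path.startswith(SETUP_PREFIX)
                and status in SUCCESS_CODES and not is_internal(m["ip"])):
            hits.append((m["ts"], m["ip"], path, status))
    return hits

# Constructed sample lines, not real log data (RFC 5737 TEST-NET addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Sep/2023:08:01:12 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [14/Sep/2023:03:17:44 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.20.30.4 - - [14/Sep/2023:09:00:03 +0000] "POST /setup/finishsetup.action HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [14/Sep/2023:03:17:50 +0000] "POST /setup/finishsetup.action HTTP/1.1" 200 1023 "-" "Mozilla/5.0"',
    '192.0.2.99 - - [05/Oct/2023:12:00:00 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 403 0 "-" "curl/8.1.2"',
    'not an access log line',
]

if __name__ == "__main__": print(*find_setup_hits(SAMPLE_LOG), sep="\n")
```

Point it at the real proxy log (one line per list element) and treat every flagged source IP as a confirmed-compromise lead; the 403 line shows a request already blocked by the /setup/* WAF rule, which is an attempt worth noting but not a success.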

How do I patch CVE-2023-22515?

Upgrade to Confluence Data Center/Server 8.3.3+, 8.4.3+, or 8.5.2+ (LTS). For 8.0.x, 8.1.x, and 8.2.x, upgrade to a patched branch — patches were not released for all minor version branches. As immediate mitigation, block access to /setup/* at the network layer or WAF.

What should I do if unauthorized admin accounts are found?

Disable and delete all unauthorized accounts immediately. Treat the Confluence instance as fully compromised — assume all page content, attachments, and data was accessed. Rotate all credentials found in Confluence pages or macros. Engage incident response to assess the scope of data exposure and review Confluence access logs for the full activity of the unauthorized accounts.

Sources & references

  1. NVD
  2. Atlassian Security Advisory
  3. Microsoft Threat Intelligence

Author: Eric Bang, Founder & Cybersecurity Evangelist, Decryption Digest