CVE-2023-22518

CRITICAL KEV RANSOMWARE NUCLEI LAB

Atlassian Confluence Unauth JSON setup-restore Improper Authorization leading to RCE (CVE-2023-22518)

Title source: metasploit

Exploitation Summary

CVE-2023-22518 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 7, 2023, with confirmed use in ransomware campaigns. EIP tracks 9 public exploits, among them a Metasploit module (`exploits/multi/http/atlassian_confluence_unauth_backup`) and code from researchers including ForceFledgling, RevoltSecurities and davidfortytwo. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2023-22518, an improper authorization vulnerability in Atlassian Confluence Data Center and Server. The exploit leverages the `/json/setup-restore.action` endpoint to bypass authentication and restore a malicious database backup, potentially leading to remote code execution.

Description

All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using this account, an attacker can then perform all administrative actions that are available to a Confluence instance administrator, leading to - but not limited to - full loss of confidentiality, integrity and availability. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

Exploits (9)

nomisec WORKING POC 59 stars
by ForceFledgling · poc
https://github.com/ForceFledgling/CVE-2023-22518

This repository contains a functional exploit for CVE-2023-22518, an improper authorization vulnerability in Atlassian Confluence Data Center and Server. The exploit leverages the `/json/setup-restore.action` endpoint to bypass authentication and restore a malicious database backup, potentially leading to remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Atlassian Confluence Data Center and Server
No auth needed
Prerequisites: Network access to the Confluence instance · Ability to send HTTP requests to the target
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 43 stars
by RevoltSecurities · remote
https://github.com/RevoltSecurities/CVE-2023-22518

The repository contains a functional exploit for CVE-2023-22518, an improper authorization vulnerability in Confluence Server. The exploit sends a crafted multipart/form-data request to the `/json/setup-restore.action` endpoint to trigger the vulnerability and checks for specific response patterns to confirm exploitation.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Atlassian Confluence Server
No auth needed
Prerequisites: Network access to the target Confluence Server · Target must be vulnerable to CVE-2023-22518
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 8 stars
by davidfortytwo · poc
https://github.com/davidfortytwo/CVE-2023-22518

This repository contains a functional exploit for CVE-2023-22515 (authentication bypass) and a checker for CVE-2023-22518 (SSRF) in Atlassian Confluence. The exploit automates the creation of an admin account by leveraging the vulnerability.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Atlassian Confluence
No auth needed
Prerequisites: Network access to the target Confluence instance · Valid credentials for the exploit phase (auto-created)
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 5 stars
by 0x0d3ad · remote
https://github.com/0x0d3ad/CVE-2023-22518

The repository contains a functional exploit script for CVE-2023-22518, which targets an unauthorized file upload vulnerability in Atlassian Confluence. The script sends a crafted POST request with a malicious ZIP file to achieve potential remote code execution.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Atlassian Confluence (version not specified)
No auth needed
Prerequisites: Target URL with vulnerable endpoint · Malicious ZIP file for upload
devstral-2 · analyzed Feb 18, 2026

nomisec WRITEUP 1 stars
by ductink98lhp · remote
https://github.com/ductink98lhp/analyze-Exploit-CVE-2023-22518-Confluence

This repository provides a detailed technical analysis of CVE-2023-22518, an improper authorization vulnerability in Confluence. It includes setup instructions, debugging steps, and an explanation of the root cause involving namespace routing and interceptor bypass in Struts.

Classification: Writeup 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Atlassian Confluence 8.0.4
No auth needed
Prerequisites: Vulnerable Confluence instance (8.0.4) · Access to the /json/setup-restore.action endpoint
devstral-2 · analyzed Feb 18, 2026

nomisec WRITEUP 1 stars
by Lilly-dox · poc
https://github.com/Lilly-dox/Exploit-CVE-2023-22518

This repository provides a detailed technical analysis of CVE-2023-22518, an improper authorization vulnerability in Atlassian Confluence. It includes setup instructions, debugging steps, and an explanation of the root cause involving namespace routing and interceptor bypass in Struts.

Classification: Writeup 90%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Atlassian Confluence 8.0.4
No auth needed
Prerequisites: Access to vulnerable Confluence instance · MySQL database setup
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 stars
by bibo318 · remote
https://github.com/bibo318/CVE-2023-22518

This repository contains a functional exploit for CVE-2023-22518, an improper authorization vulnerability in Atlassian Confluence Server and Data Center. The exploit leverages a bypass in the WebSudoInterceptor to upload a malicious ZIP file via the `/json/setup-restore.action` endpoint, leading to remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Atlassian Confluence Server and Data Center (versions before 7.19.16, 8.3.4, 8.4.4, 8.5.3, 8.6.1)
No auth needed
Prerequisites: Network access to the target Confluence instance · Target must be running a vulnerable version of Confluence
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by C1ph3rX13 · remote
https://github.com/C1ph3rX13/CVE-2023-22518

This repository contains a functional exploit for CVE-2023-22518, targeting Atlassian Confluence. The exploit leverages a path traversal vulnerability in the setup-restore action to upload a malicious zip file, potentially leading to remote code execution (RCE).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Atlassian Confluence
No auth needed
Prerequisites: Network access to the target Confluence instance · A crafted zip file for upload
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC EXCELLENT
by Atlassian, jheysel-r7 · ruby · poc · java
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/atlassian_confluence_unauth_backup.rb

This Metasploit module exploits CVE-2023-22518, an improper authorization vulnerability in Atlassian Confluence, allowing unauthenticated attackers to reset the instance and create an admin account. It then leverages this access to upload a malicious JSP plugin for remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Atlassian Confluence Server/Data Center (versions 1.0.0-7.19.15, 7.20.0-8.3.3, 8.4.0-8.4.3, 8.5.0-8.5.2, 8.6.0)
No auth needed
Prerequisites: Network access to Confluence instance · Vulnerable Confluence version
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Atlassian Confluence Server - Improper Authorization
CRITICAL · VERIFIED · by iamnoooob, rootxharsh, pdresearch
Shodan: http.component:"Atlassian Confluence" || http.component:"atlassian confluence"
FOFA: app="atlassian-confluence"

Scores

CVSS v3 9.8
EPSS 0.9437
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact partial

Details

CISA KEV 2023-11-07
VulnCheck KEV 2023-11-02
InTheWild.io 2023-11-07
ENISA EUVD EUVD-2023-26658
Ransomware Use Confirmed
CWE CWE-863
Status published
Products (4)
atlassian/confluence_data_center 8.6.0
atlassian/confluence_data_center 1.0 - 7.19.16
atlassian/confluence_server 8.6.0
atlassian/confluence_server 1.0 - 7.19.16
Published Oct 31, 2023
KEV Added Nov 07, 2023
Tracked Since Feb 18, 2026