
Critical Atlassian Confluence RCE Vulnerability Under Active Exploitation

A critical OGNL injection vulnerability in Atlassian Confluence Server and Data Center allows unauthenticated remote code execution, with ransomware groups actively exploiting unpatched instances.

Sebastion

CVE References: CVE-2025-31650

Affected: Atlassian Confluence Server, Atlassian Confluence Data Center

What happened: Atlassian released emergency patches for a critical vulnerability in Confluence Server and Data Center that allows unauthenticated remote code execution through OGNL injection. CISA added the flaw to its Known Exploited Vulnerabilities catalog after confirming active exploitation by multiple threat actors, including ransomware groups using it as an initial access vector into enterprise networks. Organizations running internet-facing Confluence instances are at highest risk.

Technical details: CVE-2025-31650 is an OGNL injection vulnerability in a Confluence REST API endpoint. Attackers can submit specially crafted HTTP requests containing malicious OGNL expressions that are evaluated server-side, enabling arbitrary command execution without authentication. Observed post-exploitation activity includes deployment of web shells, lateral movement using stolen credentials from Confluence's database, and ransomware payload delivery. The vulnerability affects all versions of Confluence Server and Data Center prior to the patched releases.

Who is affected: Any organization running Atlassian Confluence Server or Data Center, particularly those with instances accessible from the internet. Confluence is widely deployed in enterprise environments for documentation and knowledge management, often containing sensitive internal information that makes it a high-value target for both data theft and ransomware operations.

What defenders should do: Patch immediately to the latest Confluence version. If patching is not possible, restrict access to Confluence instances to trusted networks only (VPN or allow-listed source addresses enforced at the reverse proxy or firewall). Patching closes the entry point but does not remove anything an attacker has already dropped, so also hunt for web shells in the Confluence installation and data directories and for unexpected child processes (shells, curl, wget, scripting interpreters) spawned by the Confluence Java process. Review reverse-proxy access logs for OGNL expression syntax in request paths and parameters, and review Confluence audit logs for logins, administrator changes, or configuration edits that nobody can account for. If compromise is suspected, treat credentials stored in the Confluence database as exposed and rotate them. Confluence Cloud is not affected by this vulnerability; migrating to it is one way to retire the self-hosted patching burden.
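The following script is an added example for the detection and hunting steps above (covering the OGNL request pattern described under Technical details as well); it is not Atlassian's code and does not come from the advisory. It assumes a combined-format access log written by a reverse proxy in front of Confluence and a `ps -eo pid,ppid,user,comm` snapshot from the host. Both inputs are constructed samples, the request paths in them are placeholders rather than the actual vulnerable endpoint, and the indicators are generic OGNL expression markers (`${...}`, `@class@method` static calls, `getRuntime(`/`exec(`), not a signature tied to this specific CVE. Double-URL-encoded payloads are handled by decoding until the string stops changing.

```python
"""Hunt for OGNL-injection attempts and suspicious Confluence child processes.
Added example; patterns are generic OGNL markers, not a per-CVE signature."""
import re
from urllib.parse import unquote

# Constructed reverse-proxy access log (combined format). Not real traffic;
# the /rest/example/endpoint path is a placeholder, not the affected endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2025:10:01:02 +0000] "GET /rest/api/content?limit=25 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.55 - - [12/May/2025:10:01:09 +0000] "POST /rest/example/endpoint?expr=%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.7 - - [12/May/2025:10:02:30 +0000] "GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%29%7D/ HTTP/1.1" 302 0 "-" "curl/8.4.0"
203.0.113.10 - - [12/May/2025:10:03:11 +0000] "GET /wiki/spaces/ENG/pages/123 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# Constructed `ps -eo pid,ppid,user,comm` snapshot (not from a real host).
SAMPLE_PS = """\
  PID  PPID USER       COMMAND
    1     0 root       systemd
 2210     1 confluence java
 2390  2210 confluence sh
 2391  2390 confluence curl
 2400  2210 confluence java
 3100     1 root       sshd
 3200  3100 alice      bash
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Generic OGNL indicators, checked against the fully URL-decoded request target.
OGNL_INDICATORS = [
    ("ognl_expression", re.compile(r"[$#%]\{")),                 # ${...}, #{...}, %{...}
    ("static_call", re.compile(r"@[\w.]+@\w+")),                 # @java.lang.Runtime@getRuntime
    ("runtime_exec", re.compile(r"getRuntime\(|ProcessBuilder|\.exec\(", re.I)),
    ("reflection", re.compile(r"forName\(|getClass\(|getDeclaredMethod", re.I)),
]

# Binaries that a Confluence Java process should never spawn in normal operation.
SHELLS_AND_DROPPERS = {"sh", "bash", "dash", "zsh", "curl", "wget",
                       "python", "python3", "perl", "nc", "ncat", "base64"}


def fully_decode(s: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%2524 -> %24 -> $) are caught."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_access_log(text: str) -> list:
    """Return one record per request whose decoded target carries OGNL markers."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        target = fully_decode(m["target"])
        matched = [name for name, rx in OGNL_INDICATORS if rx.search(target)]
        if matched:
            hits.append({"line": lineno, "ip": m["ip"], "method": m["method"],
                         "status": int(m["status"]), "target": target,
                         "indicators": matched})
    return hits


def suspicious_confluence_children(ps_text: str, service_user: str = "confluence") -> list:
    """Flag shells/droppers that descend from a java process owned by the service user."""
    procs = {}
    for line in ps_text.splitlines()[1:]:          # skip the ps header row
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, ppid, user, comm = parts
        procs[int(pid)] = {"pid": int(pid), "ppid": int(ppid), "user": user, "comm": comm}
    java_pids = {p for p, i in procs.items() if i["comm"] == "java" and i["user"] == service_user}
    flagged = []
    for info in procs.values():
        anc, depth = info["ppid"], 0
        while anc in procs and anc not in java_pids and depth < 10:   # walk up the tree
            anc, depth = procs[anc]["ppid"], depth + 1
        if anc in java_pids and info["comm"] in SHELLS_AND_DROPPERS:
            flagged.append(info)
    return flagged


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(f"log line {h['line']}: {h['ip']} {h['method']} {h['indicators']} -> {h['target']}")
    for p in suspicious_confluence_children(SAMPLE_PS):
        print(f"suspicious child of Confluence java: pid={p['pid']} ppid={p['ppid']} comm={p['comm']}")
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents and `SAMPLE_PS` with live `ps -eo pid,ppid,user,comm` output; a `status` of 200 on a flagged request is a stronger signal than a 4xx, since it suggests the expression reached the evaluator. The process check deliberately walks the whole ancestry so a shell launched through an intermediate helper (java -> sh -> curl) is still attributed to Confluence.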

Broader implications: Confluence continues to be a recurring target for attackers. This vulnerability follows a pattern of critical, widely exploited flaws in the product, including the OGNL injection CVE-2022-26134 and the broken access control bug CVE-2023-22515, which let unauthenticated attackers create administrator accounts. Organizations that have not yet migrated to the cloud-hosted version face an ongoing patching burden, and the window between disclosure and mass exploitation continues to shrink.