The SANS Internet Storm Center (ISC) has raised the alarm regarding widespread scanning and active exploitation of a critical vulnerability in Atlassian Confluence Data Center and Server. Tracked as CVE-2026-37890, this flaw allows unauthenticated attackers to execute arbitrary code on affected servers via an OGNL (Object-Graph Navigation Language) injection vulnerability. Given Confluence's prevalence in enterprise environments for documentation and collaboration, this represents a high-risk pathway for initial access, ransomware deployment, and data exfiltration. Defenders must assume compromise if vulnerable instances are exposed to the internet.
Technical Analysis
Affected Products:
- Atlassian Confluence Data Center and Server
Affected Versions:
- All versions prior to 8.9.2
- All versions prior to 8.13.6 (LTS)
CVE Identifier: CVE-2026-37890
CVSS Score: 10.0 (Critical)
Vulnerability Mechanics:
The vulnerability resides in the /pages/doenterpagevariables.action endpoint. The application improperly handles user-supplied input in the queryString parameter, allowing an attacker to inject OGNL expressions. Because the underlying framework (Jakarta Struts or similar expression-evaluation logic) evaluates this input server-side with elevated privileges, the attacker can force the application to execute arbitrary system commands.
Exploitation Status:
- Active Exploitation: Confirmed by ISC handlers. Mass scanning activity detected originating from multiple Tor exit nodes and known botnet IPs.
- CISA KEV: Expected to be added within 24 hours.
- Payload: Initial access is frequently followed by the deployment of memory-resident webshells or reverse shells (e.g., Python pty.spawn or Bash) to establish persistence.
Detection & Response
SIGMA Rules
---
title: Potential Confluence CVE-2026-37890 Exploitation Attempt
id: 8a4b2c1d-9e6f-4a3b-8c5d-1e2f3a4b5c6d
status: experimental
description: Detects HTTP POST requests to the vulnerable Confluence endpoint associated with CVE-2026-37890 OGNL injection.
references:
    - https://confluence.atlassian.com/security/cve-2026-37890.html
author: Security Arsenal
date: 2026/06/01
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2026.37890
logsource:
    category: webserver
    product: apache
detection:
    selection:
        cs-method|contains: 'POST'
        cs-uri-stem|contains: '/pages/doenterpagevariables.action'
    condition: selection
falsepositives:
    - Legitimate administrative usage (rare)
level: critical
---
title: Confluence Java Process Spawning Shell
id: 9c5d3e2f-1a4b-4c6d-8e9f-2a3b4c5d6e7f
status: experimental
description: Detects the Confluence Java process spawning a shell (sh/bash) or network tool (curl/wget), typical post-exploitation behavior.
references:
    - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/06/01
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith: '/java'
        ParentCommandLine|contains: 'confluence'
        Image|endswith:
            - '/sh'
            - '/bash'
            - '/curl'
            - '/wget'
    condition: selection
falsepositives:
    - Legitimate plugin administrative scripts
level: high
KQL (Microsoft Sentinel / Defender)
// Hunt for suspicious POST requests to the vulnerable Confluence endpoint.
// Assumes the web server's access log is forwarded through syslog; the facility
// depends on the forwarding configuration, so the filter is on the process name.
Syslog
| where ProcessName contains "httpd" or ProcessName contains "nginx" or ProcessName contains "apache"
// Pull the request path out of the logged request line ("POST /path HTTP/1.1")
| parse SyslogMessage with * "POST " UriPath " HTTP" *
| where UriPath contains "/pages/doenterpagevariables.action"
| project TimeGenerated, Computer, HostIP, HostName, UriPath, SyslogMessage
| extend Timestamp = TimeGenerated
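The same hunt as the Sigma and KQL rules above, run offline over raw access-log lines, as an added example that is not part of the original advisory: it parses combined-format lines, flags POST requests to the endpoint, escalates when a queryString parameter carrying an OGNL expression delimiter is visible in the URL, and counts hits per source address for triage. The sample lines are constructed (documentation IP ranges), and the check assumes only the URL is logged, not the POST body.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/pages/doenterpagevariables.action"
# Combined log format as written by Apache httpd / nginx (request line in quotes).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Constructed sample lines (documentation IP ranges), not taken from a real system.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2026:10:14:01 +0000] "POST /pages/doenterpagevariables.action HTTP/1.1" 200 512
203.0.113.7 - - [02/Jun/2026:10:14:02 +0000] "POST /pages/doenterpagevariables.action?queryString=%25%7B1%2B1%7D HTTP/1.1" 200 612
198.51.100.22 - - [02/Jun/2026:10:15:10 +0000] "GET /display/ENG/Home HTTP/1.1" 200 9120
192.0.2.9 - - [02/Jun/2026:10:16:33 +0000] "POST /pages/doenterpagevariables.action HTTP/1.1" 403 221
198.51.100.22 - - [02/Jun/2026:10:17:40 +0000] "POST /rest/api/content HTTP/1.1" 201 300
"""

def parse_line(line):
    """Split one access-log line into its fields; None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)  # percent-decodes parameter values
    return rec

def classify(rec):
    """Severity for one request, or None when it is not a hit for this CVE."""
    if rec["method"] != "POST" or rec["path"] != VULN_PATH:
        return None
    # Only the URL is logged (not the POST body): a queryString parameter whose decoded
    # value contains the OGNL expression delimiter is the strongest signal; a bare POST is still a hit.
    if any("%{" in v for v in rec["query"].get("queryString", [])):
        return "critical"
    return "high"

def hunt(log_text):
    """Return (ip, timestamp, status, severity) for every hit in the log text."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and (sev := classify(rec)):
            hits.append((rec["ip"], rec["ts"], rec["status"], sev))
    return hits

def sources(hits):
    # Hits per source IP: repeated probes from one address point at a scanner.
    return Counter(ip for ip, _, _, _ in hits)
```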
Velociraptor VQL
-- Hunt for the Confluence java process spawning suspicious children.
-- First collect the Confluence java parent processes, then list their children
-- whose name matches a shell, download tool or interpreter (anchored so 'sh'
-- does not also match 'sshd').
LET Parents = SELECT Pid AS ParentPid, Name AS ParentName, CommandLine AS ParentCommandLine
    FROM pslist()
    WHERE Name =~ 'java' AND CommandLine =~ 'confluence'

SELECT * FROM foreach(row=Parents, query={
    SELECT Pid, Name, CommandLine, Exe, Username, CreateTime, Ppid,
           ParentPid, ParentName, ParentCommandLine
    FROM pslist()
    WHERE Ppid = ParentPid
      AND Name =~ '^(sh|bash|dash|curl|wget|python)'
})
Remediation Script (Bash)
#!/bin/bash
# Check the installed Confluence version against the CVE-2026-37890 fixed releases
set -u
echo "[+] Checking for vulnerable Atlassian Confluence versions..."

# Common installation path, adjust if necessary (or override via the environment)
CONFLUENCE_INSTALL="${CONFLUENCE_INSTALL:-/opt/atlassian/confluence}"
CONFLUENCE_PROPS="$CONFLUENCE_INSTALL/confluence/WEB-INF/classes/buildNumber.properties"

# version_lt A B: true when A is strictly lower than B as a dotted version.
# A plain string comparison with < would rank 8.10.0 below 8.9.2, so use sort -V.
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

if [ ! -f "$CONFLUENCE_PROPS" ]; then
    echo "[-] Could not find Confluence installation at $CONFLUENCE_INSTALL"
    exit 2
fi

VERSION=$(grep '^version=' "$CONFLUENCE_PROPS" | head -n1 | cut -d'=' -f2 | tr -d '[:space:]')
echo "[!] Detected Confluence Version: $VERSION"

# Simplified check based on the two fixed releases in the vendor advisory:
# 8.9.2 for the 8.9 line and 8.13.6 for the 8.13 LTS line. Anything below 8.9.2,
# and anything from 8.10.0 up to but not including 8.13.6, is treated as vulnerable.
if version_lt "$VERSION" "8.9.2" || { ! version_lt "$VERSION" "8.10.0" && version_lt "$VERSION" "8.13.6"; }; then
    echo "[!!!] CRITICAL: Version $VERSION is vulnerable to CVE-2026-37890."
    echo "[+] Action Required: Patch immediately to 8.9.2 or 8.13.6."
    echo "[+] Advisory: https://confluence.atlassian.com/security/cve-2026-37890.html"
    exit 1
else
    echo "[+] Version $VERSION appears to be patched."
fi
Remediation
- Immediate Patching: Apply the vendor patches immediately.
- Upgrade to version 8.9.2 or later.
- Upgrade to Long Term Support version 8.13.6 or later.
- Network Isolation: If immediate patching is not possible, restrict access to the Confluence server port (typically 8090 or 443) solely from trusted internal IP ranges via firewall ACLs. Do not expose the management interface directly to the internet.
- Threat Hunting: Assume compromise if the instance was internet-facing during the active exploitation window. Look for unauthorized user creation, unexpected OS users (e.g., svc_confluence), or scheduled tasks (cron jobs).
- Vendor Advisory: Atlassian Security Advisory (https://confluence.atlassian.com/security/cve-2026-37890.html)