11 October 2023

Nation-state hackers exploiting Atlassian Confluence zero-day bug

Nation-state threat actors are actively exploiting a recently patched zero-day flaw affecting Atlassian Confluence Data Center and Server instances.

The zero-day vulnerability (CVE-2023-22515) allows attackers to create unauthorized Confluence administrator accounts and gain access to Confluence instances. The issue impacts Confluence Server and Data Center versions 8.0.0 to 8.5.1. At the beginning of October, Atlassian released an urgent patch to address the flaw.

Microsoft said that a threat actor it tracks as Storm-0062 (aka DarkShadow and Oro0lxy) has been exploiting this bug since September 14, 2023. Previously, the tech giant linked the Storm-0062 group to the Chinese government.

In July 2020, the US Department of Justice charged two Chinese hackers, LI Xiaoyu (aka Oro0lxy) and Dong Jiazhi, who worked with China's Ministry of State Security, with hacking into the computer systems of government organizations and companies worldwide.

Microsoft has shared four IP addresses that were seen sending related exploit traffic targeting CVE-2023-22515.

Additionally, Atlassian updated its security advisory to say it has evidence that a known nation-state actor is actively exploiting CVE-2023-22515.

Users are urged to upgrade their Confluence Data Center and Server instances to fixed versions.
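A first step in acting on that advice is knowing which instances fall inside the affected range. The script below is an added example written for this article, not code from Atlassian or Microsoft: it takes the inclusive bounds stated above (8.0.0 to 8.5.1) and triages a constructed host-to-version inventory. The inventory values and hostnames are constructed samples; anything outside the stated range is treated as not affected only because that is what the article says, so the actual fixed versions should be taken from Atlassian's advisory.

```python
"""Triage Confluence Server/Data Center versions against the range the article
gives as affected by CVE-2023-22515 (8.0.0 to 8.5.1, inclusive).

Added example for this article; not Atlassian's or Microsoft's code.
"""
import re
from typing import Dict, Tuple

# Inclusive bounds of the affected range, as stated in the article.
AFFECTED_MIN = (8, 0, 0)
AFFECTED_MAX = (8, 5, 1)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]' into an integer tuple.

    A trailing suffix such as '-beta' or '.1' beyond the third component is
    ignored. Integer tuples are used so that 8.10.0 sorts after 8.5.1; a
    plain string comparison would get that wrong ('8.10.0' < '8.5.1').
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_affected(version: str) -> bool:
    """True if the version lies inside the article's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'affected', 'not affected' or 'unknown'.

    'unknown' marks versions that could not be parsed; those hosts need a
    manual check rather than being silently treated as safe.
    """
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not affected"
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    SAMPLE_INVENTORY = {
        "wiki-prod-01.example.internal": "8.5.1",
        "wiki-prod-02.example.internal": "8.2.3",
        "wiki-legacy.example.internal": "7.19.16",
        "wiki-test.example.internal": "8.10.0",
        "wiki-broken.example.internal": "unknown-build",
    }
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:40s} {status}")
```

Hosts reported as "affected" are the ones to upgrade first; the "unknown" bucket exists so that a malformed version string is surfaced instead of being quietly skipped.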
