SAAS-ATLAS-CVEInitial Access

Atlassian Confluence / Jira RCE

Mass-exploited Confluence + Jira CVEs (CVE-2021-26084 OGNL, CVE-2022-26134 OGNL, CVE-2023-22515 Confluence privesc) — unauth RCE / admin.

§ Where this technique fits

SAAS-ATLAS-CVE is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 3 on average.

§ Dossiers chaining this technique

Unpatched Confluence (CVE-2023-22515) → internal foothold
Internal Confluence instance reachable from the corporate VLAN. Trivial privilege-escalation CVE creates an admin user; webshell uploaded; pivot into AD service accounts.
step 3 / 6

§ What commonly comes next

01
Webshell Deployment
W-WEBSHELL · Persistence
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Unpatched Confluence (CVE-2023-22515) → internal foothold

§ What commonly comes next