CTI Swarm
PROJECT DISCOVERY

Confluence RCE chain (CVE-2025-44102): from unauth template injection to root shell

Strategic Summary

Project Discovery published a working unauthenticated RCE chain for CVE-2025-44102 in Confluence Data Center within hours of the Atlassian advisory. Roughly 18 000 instances remained internet-exposed 48 hours later. The chain combines Velocity SSTI in the export endpoint with a sandbox bypass; mitigation without patching requires blocking /export/ at the LB and rotating service-account credentials.

Key Findings

  • CVE-2025-44102 is exploitable unauthenticated in <30s against default 8.9.0 builds.
  • Public Nuclei template available — defenders can scan their estate now.
  • ~18 000 unpatched instances exposed 48h after disclosure (Shadowserver).
  • Manufacturing and engineering verticals overrepresented in exposed population.
  • Workaround without patching: block unauthenticated access to /export/ at the LB and rotate service-account credentials.

Full Text

Atlassian's May advisory for CVE-2025-44102 understates the impact. Our team reproduced an unauthenticated RCE in under 30 seconds against a default Confluence Data Center 8.9.0 instance — the vulnerability requires no credentials, no user interaction, and the resulting shell runs as the confluence service user with full read access to the database.

The chain has two stages. Stage one abuses a server-side template injection (SSTI) in the page-export endpoint that does not sanitize user-controlled Velocity directives. Stage two leverages a permissive Java sandbox bypass in the same engine to execute arbitrary shell commands.

We released a Nuclei template the same day the patch dropped, so defenders can validate exposure across their estate. Public scanning data from Shadowserver showed roughly 18,000 unpatched Confluence instances reachable from the internet 48 hours after disclosure — many of them in the manufacturing and engineering verticals.

The right remediation is the 8.9.1 patch. If that cannot be rolled out within 24 hours, mitigate by blocking unauthenticated access to /export/ at the load balancer and rotating any service account passwords that the confluence user could read.
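To check that the load-balancer workaround is actually in force, and to see how much unauthenticated traffic is probing the export path, the following added example (not Project Discovery's or Atlassian's code) triages LB access logs. It assumes a constructed JSON-per-line log format with the fields `src`, `path`, `status` and `has_session`, where `has_session` records whether the request carried Confluence's JSESSIONID cookie; the sample log lines are constructed for the example.

```python
"""Triage load-balancer logs for unauthenticated hits on Confluence's /export/ path.

Added example, not code from the deep dive or from Atlassian. Assumptions:
  * the LB emits one JSON object per request with the fields used below
    (a constructed format, not any vendor's default);
  * "has_session" is true when the request carried a JSESSIONID cookie,
    which is how the LB distinguishes authenticated from anonymous traffic.
"""
import json
from dataclasses import dataclass, field
from urllib.parse import unquote

EXPORT_PREFIX = "/export/"                       # path the advisory workaround blocks
REQUIRED_FIELDS = {"src", "path", "status", "has_session"}


@dataclass
class Triage:
    blocked: list = field(default_factory=list)   # unauth /export/ hits the LB rejected (403)
    gaps: list = field(default_factory=list)      # unauth /export/ hits that were NOT rejected
    authenticated: int = 0                        # /export/ hits with a session (normal use)


def parse_line(line):
    """Parse one JSON log line; return None for malformed or incomplete records."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or not REQUIRED_FIELDS.issubset(rec):
        return None
    return rec


def is_export_path(path):
    """Normalise before matching so percent-encoding or case differences do not hide a hit."""
    return unquote(path).lower().startswith(EXPORT_PREFIX)


def triage_export_hits(lines):
    """Classify every /export/ request: blocked, mitigation gap, or authenticated use."""
    result = Triage()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_export_path(rec["path"]):
            continue
        if rec["has_session"]:
            result.authenticated += 1
        elif rec["status"] == 403:
            result.blocked.append(rec["src"])
        else:
            # Anonymous request reached /export/ and was not rejected: the LB rule is not effective.
            result.gaps.append(rec)
    return result


# Constructed sample log lines (documentation IP ranges, invented paths).
SAMPLE_LOG = [
    '{"ts":"2025-05-13T10:00:01Z","src":"198.51.100.7","path":"/export/page?id=123","status":403,"has_session":false}',
    '{"ts":"2025-05-13T10:00:02Z","src":"198.51.100.7","path":"/export/page?id=124","status":403,"has_session":false}',
    '{"ts":"2025-05-13T10:00:05Z","src":"203.0.113.9","path":"/export/page?id=123","status":200,"has_session":false}',
    '{"ts":"2025-05-13T10:00:06Z","src":"203.0.113.9","path":"/%45xport/page?id=125","status":200,"has_session":false}',
    '{"ts":"2025-05-13T10:00:09Z","src":"10.0.0.5","path":"/export/page?id=200","status":200,"has_session":true}',
    '{"ts":"2025-05-13T10:00:10Z","src":"10.0.0.8","path":"/pages/viewpage.action?pageId=200","status":200,"has_session":true}',
    'not a json record',
]

if __name__ == "__main__":
    t = triage_export_hits(SAMPLE_LOG)
    print(f"blocked anonymous hits: {len(t.blocked)} from {sorted(set(t.blocked))}")
    print(f"authenticated export hits: {t.authenticated}")
    for gap in t.gaps:
        print(f"MITIGATION GAP: {gap['src']} reached {gap['path']} with status {gap['status']}")
```

A non-empty `gaps` list means anonymous requests are still reaching the export endpoint on the Confluence node, so the LB rule should be checked before the instance is treated as mitigated; the `blocked` list gives the SOC the sources that are probing the path while the patch is rolled out.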