Confluence Unauthenticated Remote Code Execution CVE-2022-26134

name: Confluence Unauthenticated Remote Code Execution CVE-2022-26134
id: fcf4bd3f-a79f-4b7a-83bf-2692d60b859c
version: 8
date: '2026-03-23'
author: Michael Haag, Splunk
status: production
type: TTP
description: |
    The following analytic detects attempts to exploit CVE-2022-26134, an unauthenticated remote code execution vulnerability in Confluence. It leverages the Web datamodel to analyze network and CIM-compliant web logs, identifying suspicious URL patterns and parameters indicative of exploitation attempts. This activity is significant as it allows attackers to execute arbitrary code on the Confluence server without authentication, potentially leading to full system compromise. If confirmed malicious, this could result in unauthorized access, data exfiltration, and further lateral movement within the network. Immediate investigation and remediation are crucial to prevent extensive damage.
data_source:
    - Palo Alto Network Threat
search: |-
    | tstats `security_content_summariesonly`
             count min(_time) as firstTime
                   max(_time) as lastTime

    FROM datamodel=Web WHERE

    Web.url IN (
        "*${*",
        "*%2F%7B*"
    )
    AND
    (
        (
            Web.url="*org.apache.commons.io.IOUtils*"
            Web.url="*java.lang.Runtime@getRuntime().exec*"
        )
        OR
        (
            Web.url="*java.lang.Runtime%40getRuntime%28%29.exec*"
        )
        OR
        (
            Web.url="*getEngineByName*"
            Web.url="*nashorn*"
            Web.url="*ProcessBuilder*"
        )
    )
    BY Web.http_user_agent Web.http_method
       Web.url,Web.url_length
       Web.src, Web.dest sourcetype
    | `drop_dm_object_name("Web")`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter`
how_to_implement: |
    This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx. In addition, network based logs or event data like PAN Threat.
known_false_positives: |
    Tune based on assets if possible, or restrict to known Confluence servers. Remove the ${ for a more broad query. To identify more exec, remove everything up to the last parameter (Runtime().exec) for a broad query.
references:
    - https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
    - https://www.splunk.com/en_us/blog/security/atlassian-confluence-vulnerability-cve-2022-26134.html
    - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
    - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: A URL was requested related to CVE-2022-26134, a unauthenticated remote code execution vulnerability,  on $dest$ by $src$.
    risk_objects:
        - field: dest
          type: system
          score: 50
    threat_objects:
        - field: src
          type: ip_address
tags:
    analytic_story:
        - Atlassian Confluence Server and Data Center CVE-2022-26134
        - Confluence Data Center and Confluence Server Vulnerabilities
    asset_type: Web Server
    cve:
        - CVE-2022-26134
    mitre_attack_id:
        - T1505
        - T1190
        - T1133
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/confluence.log
          source: not_applicable
          sourcetype: pan:threat