# CVE-2022-26134 Seen in the Wild by Cortex XDR

By [Efi Barkayev](https://www.paloaltonetworks.com/blog/author/efi-barkayev/ "Posts by Efi Barkayev") and [Nadav Markus](https://www.paloaltonetworks.com/blog/author/nadav-markus/ "Posts by Nadav Markus"), Jun 22, 2022, 4 minutes

Categories: [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/), [Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/)

Tags: [0-day](https://www.paloaltonetworks.com/blog/tag/0-day/), [Confluence](https://www.paloaltonetworks.com/blog/tag/confluence/), [Cortex XDR for Linux](https://www.paloaltonetworks.com/blog/tag/cortex-xdr-for-linux/),
[CVE-2022-26134](https://www.paloaltonetworks.com/blog/tag/cve-2022-26134/), [Deserialization](https://www.paloaltonetworks.com/blog/tag/deserialization/), [java](https://www.paloaltonetworks.com/blog/tag/java/), [Java vulnerabilities](https://www.paloaltonetworks.com/blog/tag/java-vulnerabilities/), [miner](https://www.paloaltonetworks.com/blog/tag/miner/), [OGNL](https://www.paloaltonetworks.com/blog/tag/ognl/), [OGNL injection](https://www.paloaltonetworks.com/blog/tag/ognl-injection/), [Reverse shell](https://www.paloaltonetworks.com/blog/tag/reverse-shell/), [zero-day](https://www.paloaltonetworks.com/blog/tag/zero-day/)

Nowadays, more and more Java vulnerabilities are being discovered. Exploiting them can devastate a server, often resulting in remote code execution (RCE) and data leaks. And since most Java vulnerabilities are logic flaws, weaponizing them can be quite easy, which leads to widespread exploitation.

Cortex XDR for Linux protects against these kinds of exploits, and in the case of CVE-2022-26134 it blocked attacks out of the box, without any configuration or content update.

CVE-2022-26134 is an RCE vulnerability, meaning that successful exploitation results in a fully compromised server running attacker-controlled code. This article reviews some of the exploits and payloads we encountered in the wild and how we stopped them.

Atlassian published a [security advisory](https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html) on June 2nd, 2022, regarding the vulnerability, which was already being exploited in the wild, and a proof-of-concept (POC) exploit was published soon after. The Cortex XDR agent for Linux caught various exploit attempts in the wild without any content changes to our product, including attempts as early as June 3rd, 2022.
For a deeper dive into how our agent blocks such exploits, read our post on [how the Cortex XDR agent deals with the Log4Shell vulnerability](https://www.paloaltonetworks.com/blog/security-operations/how-cortex-xdr-blocks-log4shell-exploits-with-java-deserialization-exploit-protection/). Additional information regarding the exploit can be found on [the Unit 42 blog](https://unit42.paloaltonetworks.com/cve-2022-26134-atlassian-code-execution-vulnerability/).

## Root Cause

Rapid7 has a great [technical analysis](https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/) on its blog. In essence, user-controlled input is passed to the function `TextParseUtil.translateVariables`, which evaluates it as an Object-Graph Navigation Language (OGNL) expression, and OGNL evaluation can be leveraged for Java code execution. This is similar to an Apache [Struts vulnerability](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analyzing-cve-2017-9791-apache-struts-vulnerability-can-lead-remote-code-execution/) (CVE-2017-9791), where user-controlled input was also passed down to this function.

## In the Wild

During our routine monitoring of Cortex XDR's proprietary Java Anti-Deserialization module for Linux, available since Cortex XDR for Linux version 7.2 and content version 143, we encountered several attempts to execute commands on Confluence servers. It is important to note that the module prevented these commands from being executed, so customer servers were not impacted. Still, it is insightful to explore the commands the attackers attempted to execute.

### Case #1

We saw many `id` and `whoami` commands, which used the basic exploitation technique, probably just to check whether the server was vulnerable.
![Case 1: Example of how to trigger this basic RCE](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/word-image-37.png)

*Case 1: Example of how to trigger this basic RCE*

Here the attacker directly invoked Java's process-execution infrastructure, without passing through an intermediary (as we will see in later cases).

### Case #2

We saw the following commands prevented:

![Case 2: Examples of malicious commands](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/word-image-38.png)

*Case 2: Examples of malicious commands*

This time, as can be seen in the stack trace collected by the Cortex XDR Java Deserialization module for Linux, the attackers chose to use Java's built-in JavaScript execution engine, [Nashorn](https://docs.oracle.com/javase/8/docs/jdk/api/nashorn/jdk/nashorn/api/scripting/NashornScriptEngine.html).

![Figure 1. Stack trace that includes Nashorn entries](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/word-image-39.png)

*Figure 1. Stack trace that includes Nashorn entries*

Some public GitHub repositories with exploit scripts use the Nashorn engine for further execution.

Unfortunately, the command-and-control (C2) server of the first two attack scenarios was down as of the writing of this blog post, so no further analysis was possible. Regarding commands three and four, we assume they are part of the same campaign because they share an IP address. This campaign dropped XMR miners on the hosts to mine cryptocurrency. Each of these RCE payloads runs a remote script in memory, which downloads and runs another remote script, hxxp://202\[.\]28\[.\]229\[.\]174/ap.sh, which in turn downloads and runs a variant of the XMRig miner together with a shell script that serves as a watchdog for the miner.
### Case #3

We observed command execution attempts by a malicious actor trying to obtain a reverse shell:

![Case 3: Attacker's reverse shell](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/word-image-40.png)

*Case 3: Attacker's reverse shell*

This is a classic TCP reverse shell payload, meant to give the attacker remote interactive control over the server. Here the attacker used Nashorn as well, and the stack trace is similar to Case #2.

## Cortex XDR for Linux Protection

Cortex XDR employs a multi-layer protection approach to these kinds of attacks and can therefore prevent the attack at several stages:

1. The Java Anti-Deserialization Module prevents the exploitation attempt ***out of the box*** and ***synchronously***, meaning no configuration changes were required and no malicious commands were executed.
2. Cortex XDR Behavioral Threat Protection and WildFire integration catch the miner execution.
3. Several Behavioral Threat Protection rules target reverse shell scenarios.

We highly recommend applying the patch supplied by Atlassian for Confluence as soon as possible, and running the latest Cortex XDR for Linux agent with the latest content.
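The three cases above share one shape: a process spawn (`Runtime.exec` / `ProcessBuilder.start`) reached either directly from OGNL evaluation (Case #1) or through Nashorn on top of OGNL (Cases #2 and #3). The following Python script is an added example, not Cortex XDR code and not a description of the module's internals: it shows how a stack trace captured at the moment a Java process is about to spawn a child can be classified, blocking only when a spawn sink is present *and* an expression or script engine is on the call path. The sample traces are constructed to mirror the cases above; the `com.example.*` frames are hypothetical placeholders for application and request-handling code.

```python
"""Classify a JVM stack trace captured at process-spawn time.

Added example (not Cortex XDR code). Decision rule: deny the spawn only when
a process sink is on the stack AND the sink was reached through expression or
script evaluation (OGNL, TextParseUtil.translateVariables, Nashorn, javax.script).
All traces below are constructed; com.example.* frames are hypothetical.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Frames that mean a new OS process is about to be spawned (the "sink").
PROCESS_SINKS = (
    "java.lang.ProcessBuilder.start",
    "java.lang.Runtime.exec",
)

# Frame prefixes showing the sink was reached through expression/script
# evaluation rather than ordinary compiled application code.
EVAL_ORIGINS = {
    "ognl": ("ognl.",),
    "xwork-translateVariables": (
        "com.opensymphony.xwork2.util.TextParseUtil.translateVariables",
    ),
    "nashorn": ("jdk.nashorn.",),
    "scripting-api": ("javax.script.",),
}

# Matches the "at <fully.qualified.Class.method>(" part of a JVM trace line.
FRAME_RE = re.compile(r"^\s*at\s+(?P<frame>[\w$.<>]+)\(")


@dataclass
class Verdict:
    block: bool                                        # True -> deny the spawn
    sink: Optional[str]                                # spawning frame, if any
    origins: List[str] = field(default_factory=list)   # eval engines on the path


def parse_frames(trace: str) -> List[str]:
    """Return frame names of a JVM stack trace, innermost first; non-frame lines are skipped."""
    return [m.group("frame") for m in map(FRAME_RE.match, trace.splitlines()) if m]


def analyze(trace: str) -> Verdict:
    """Block only when a process sink AND an eval-engine frame are both present."""
    frames = parse_frames(trace)
    sink = next((f for f in frames if f.startswith(PROCESS_SINKS)), None)
    origins = [name for name, prefixes in EVAL_ORIGINS.items()
               if any(f.startswith(prefixes) for f in frames)]
    return Verdict(block=sink is not None and bool(origins), sink=sink, origins=origins)


# Constructed trace in the shape of Case #1: OGNL reaches Runtime.exec directly.
CASE1_DIRECT = """\
java.lang.Throwable: stack collected before spawn
\tat java.lang.ProcessBuilder.start(ProcessBuilder.java)
\tat java.lang.Runtime.exec(Runtime.java)
\tat ognl.OgnlRuntime.invokeMethod(OgnlRuntime.java)
\tat ognl.ASTMethod.getValueBody(ASTMethod.java)
\tat ognl.Ognl.getValue(Ognl.java)
\tat com.opensymphony.xwork2.util.TextParseUtil.translateVariables(TextParseUtil.java)
\tat com.example.web.RequestHandler.handle(RequestHandler.java)
"""

# Constructed trace in the shape of Cases #2/#3: OGNL hands off to Nashorn, which spawns.
CASE2_NASHORN = """\
java.lang.Throwable: stack collected before spawn
\tat java.lang.ProcessBuilder.start(ProcessBuilder.java)
\tat java.lang.Runtime.exec(Runtime.java)
\tat jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java)
\tat jdk.nashorn.api.scripting.NashornScriptEngine.eval(NashornScriptEngine.java)
\tat ognl.OgnlRuntime.invokeMethod(OgnlRuntime.java)
\tat com.opensymphony.xwork2.util.TextParseUtil.translateVariables(TextParseUtil.java)
\tat com.example.web.RequestHandler.handle(RequestHandler.java)
"""

# Constructed benign trace: compiled application code spawns a helper; no eval engine.
BENIGN_SPAWN = """\
java.lang.Throwable: stack collected before spawn
\tat java.lang.ProcessBuilder.start(ProcessBuilder.java)
\tat com.example.plugins.HelperLauncher.run(HelperLauncher.java)
\tat com.example.web.RequestHandler.handle(RequestHandler.java)
"""

# Constructed trace: script evaluation with no process spawn at all (must not block).
SCRIPT_NO_SPAWN = """\
java.lang.Throwable: collected for comparison
\tat jdk.nashorn.api.scripting.NashornScriptEngine.eval(NashornScriptEngine.java)
\tat com.example.plugins.TemplateRenderer.render(TemplateRenderer.java)
"""

if __name__ == "__main__":
    for label, trace in [("case1", CASE1_DIRECT), ("case2", CASE2_NASHORN),
                         ("benign", BENIGN_SPAWN), ("script-only", SCRIPT_NO_SPAWN)]:
        v = analyze(trace)
        print(f"{label:12s} block={v.block} sink={v.sink} origins={v.origins}")
```

The conjunction is the point of the design: requiring both a spawn sink and an evaluation-engine frame keeps legitimate process spawns from compiled code and legitimate script evaluation that never spawns anything out of the block list, while both of the shapes seen in Cases #1 through #3 are denied before the child process exists.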
## Appendix - Indicators of Compromise

| IOC Type | IOC |
|----------|-----|
| IPv4 | 202\[.\]28\[.\]229\[.\]174 |
| IPv4 | 89\[.\]44\[.\]9\[.\]246 |
| IPv4 | 3\[.\]22\[.\]186\[.\]242 |
| IPv4 | 136\[.\]144\[.\]41\[.\]171 |
| SHA256 | aaa4aaa14e351350fccbda72d442995a65bd1bb8281d97d1153401e31365a3e9 |
| SHA256 | 646a2b6b47e1d4355afdc9466770a7aa24370dfa94ff594cf29359b37642658b |