Confluence resilience in a ransomware era: the CVE-2023-22518 lesson

Rewind | Last updated on May 1, 2026 | 5 minute read

Picture the 4 AM page: A Confluence admin opens the laptop and finds a ransom note pinned to the top of the company wiki. Every space is locked. Years of runbooks and institutional memory sit on the other side of that note.

That scenario is not hypothetical. On October 31, 2023, Atlassian disclosed CVE-2023-22518, an Improper Authorization flaw in Confluence Data Center and Server. A CVE is a Common Vulnerabilities and Exposures ID, the industry’s shared label for a specific security bug. Atlassian, the naming authority for the record, first rated it 9.1 and raised it to the maximum 10.0 once active exploitation was confirmed; the National Vulnerability Database scores it 9.8 on the CVSS v3.1 scale. CVSS is the Common Vulnerability Scoring System, a 0 to 10 severity rating where 10 is as critical as it gets. Cloud instances were not affected. Three days later, Cerber ransomware, also tracked as C3RB3R, began exploiting the flaw in the wild. CISA added it to the Known Exploited Vulnerabilities catalog and gave federal agencies until November 28 to patch.

Cloud admins read the advisory and exhaled. Then the smart ones got nervous. The lesson was never “this specific CVE hit us.” The lesson was that Confluence is a live ransomware target, and the resilience posture has to assume that.

The retention question nobody asks until audit week

The trigger is usually an email from an auditor. “Can you produce the version of this page as it existed on March 4?” If that date sits inside 30 days, most teams can answer. If it sits outside 30 days, the answer becomes “we will get back to you.”

Confluence Cloud retention is often misunderstood. Deleted pages stay in the space trash indefinitely until someone manually purges them. Deleted spaces are automatically purged after 60 days, a policy Atlassian introduced on January 6, 2025. There is no 30-day automatic purge for deleted pages in Cloud. That was a Data Center and Server behavior.

Atlassian Backup and Restore gives Premium and Enterprise customers a 24-hour recovery point objective, a 12-hour recovery time objective, and 30 days of retention, up to 32 GB of app data and 7 million attachments per Confluence site, and restores are full-instance only. If your longest audit cycle runs 90 days, 180 days, or seven years, 30 days is not a retention posture.

Why the ransomware framing matters for Cloud admins

Attackers know where the backups live. In 94% of ransomware attacks, they attempted to compromise the victim’s backups during the attack (Sophos, 2024 State of Ransomware). A backup that shares the same surface as the primary system shares its blast radius.

The background noise supports the point. 87% of IT professionals reported SaaS data loss in 2024, with malicious deletions as the leading cause (Kaseya, 2025 State of Backup and Recovery Report, n > 3,000). 68% of breaches involve a non-malicious human element, a person making an error or falling for social engineering (Verizon 2024 DBIR).

When Confluence goes down, the damage spreads fast. Productivity drops for 77.4% of teams. Team stress hits 77.4%. Internal reputation suffers for 41.9% (Rewind SaaS Resilience Report, Q4 2025). Only 29% of organizations have a defined RTO for Confluence.

The regulatory weight behind the recovery plan

A Confluence outage is not just an internal problem. Several frameworks treat recoverability as a control:

  • GDPR Article 32(1)(c) calls for “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.”
  • GDPR Article 33 requires breach notification within 72 hours of becoming aware.
  • GDPR Article 83 caps fines at EUR 10 million or 2% of worldwide turnover (Tier 1), and EUR 20 million or 4% (Tier 2), whichever is higher.
  • NIS2 (Directive 2022/2555), Article 34 sets maximum fines for essential entities at EUR 10 million or 2% of turnover, and EUR 7 million or 1.4% for important entities.
  • DORA (Regulation 2022/2554) has applied since January 17, 2025 to about 22 types of EU financial entities and critical ICT third-party providers. Article 12 governs ICT continuity and backup.
  • HIPAA Security Rule at 45 CFR 164.308(a)(7) mandates a Data Backup Plan, a Disaster Recovery Plan, and an Emergency Mode Operation Plan. The 2026 civil penalty tiers took effect January 28, 2026, starting at $145 per violation and capping at $2,190,294 annually.
  • SEC Rule 17a-4 obligates broker-dealers to preserve specified records for three to six years. JP Morgan paid $125 million to the SEC in December 2021 for widespread off-channel recordkeeping failures.

The first hour, if it happens to you

When the page fires, the first sixty minutes set the shape of the recovery.

  1. Isolate affected spaces and revoke the sessions, API tokens, and admin grants the attacker used. Confirm the scope, and export audit logs before anything is overwritten.
  2. Open incident response. If personal data was touched, start the legal clock: GDPR Article 33 gives you 72 hours from becoming aware.
  3. Identify the cleanest pre-incident recovery point: the latest copy taken before the earliest attacker activity, not simply the most recent copy.
  4. Confirm the recovery surface is independent of the compromised surface. A backup reachable with the same credentials the attacker holds is not a recovery path.
  5. Begin item-level or space-level restore to a clean state, and verify the restored content before reopening access.
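A worked illustration of steps 3 and 4 above, and of the retention question raised earlier, as an added example. This is not Rewind's or Atlassian's code; the catalogue, the two source names, the retention figures, the snapshot cadence and the attacker dwell times are constructed for the scenario. The point it makes that the list alone does not: when the attacker has been inside longer than a source's retention window, that source has no clean point at all, and requiring an independent copy can cost you a few more days of edits in exchange for a copy the attacker could not reach.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional


@dataclass(frozen=True)
class Snapshot:
    taken_at: datetime      # when the recovery point was captured (UTC)
    source: str             # which backup system produced it
    independent: bool       # stored outside the Confluence tenant and its credentials?
    retention_days: int     # how long that source keeps the point


def is_expired(snap: Snapshot, now: datetime) -> bool:
    """A point older than its source's retention window can no longer be restored."""
    return snap.taken_at + timedelta(days=snap.retention_days) < now


def cleanest_recovery_point(
    snapshots: Iterable[Snapshot],
    first_malicious_activity: datetime,
    now: datetime,
    require_independent: bool = True,
) -> Optional[Snapshot]:
    """Steps 3 and 4 of the first hour: the latest point captured strictly before the
    earliest known attacker activity, still within retention, and (by default) held on a
    surface the attacker's Confluence access could not reach. None means no clean point."""
    candidates = [
        s for s in snapshots
        if s.taken_at < first_malicious_activity
        and not is_expired(s, now)
        and (s.independent or not require_independent)
    ]
    return max(candidates, key=lambda s: s.taken_at, default=None)


def data_loss_window(snap: Snapshot, first_malicious_activity: datetime) -> timedelta:
    """Edits made between the chosen point and the first malicious activity are lost."""
    return first_malicious_activity - snap.taken_at


def retention_shortfall(retention_days: int, longest_audit_cycle_days: int) -> int:
    """Days by which a retention window falls short of the longest audit cycle (0 = covered)."""
    return max(0, longest_audit_cycle_days - retention_days)


def schedule(source: str, independent: bool, retention_days: int, every_days: int, now: datetime):
    """Constructed catalogue: one point every `every_days` days across the retention window."""
    return [
        Snapshot(now - timedelta(days=d), source, independent, retention_days)
        for d in range(0, retention_days + 1, every_days)
    ]


NOW = datetime(2026, 5, 1, 4, 0, tzinfo=timezone.utc)   # the 4 AM page
# Hypothetical sources: a native daily backup with 30-day retention that shares the
# tenant's credentials, and an independent weekly copy kept for a year.
NATIVE = schedule("native-daily", independent=False, retention_days=30, every_days=1, now=NOW)
INDEPENDENT = schedule("independent-weekly", independent=True, retention_days=365, every_days=7, now=NOW)
CATALOGUE = NATIVE + INDEPENDENT


def first_activity(dwell_days: int) -> datetime:
    """Earliest attacker activity, expressed as days before the page fired."""
    return NOW - timedelta(days=dwell_days)


def age_days(snap: Snapshot) -> int:
    """How old a chosen recovery point is, in whole days."""
    return (NOW - snap.taken_at).days


def triage(dwell_days: int, require_independent: bool = True, snapshots=CATALOGUE) -> Optional[Snapshot]:
    """Pick a recovery point when the attacker's first activity was `dwell_days` ago."""
    return cleanest_recovery_point(snapshots, first_activity(dwell_days), NOW, require_independent)


if __name__ == "__main__":
    for dwell in (10, 40):
        for independent_only in (True, False):
            snap = triage(dwell, independent_only)
            label = "independent only" if independent_only else "any surface"
            if snap is None:
                print(f"dwell {dwell}d, {label}: no clean point, dwell exceeds retention")
            else:
                lost = data_loss_window(snap, first_activity(dwell))
                print(f"dwell {dwell}d, {label}: {snap.source} from {snap.taken_at:%Y-%m-%d}, "
                      f"{lost.days} days of edits lost")
    print("retention shortfall against a 90-day audit cycle:", retention_shortfall(30, 90), "days")
```

Running it shows the two cases that matter: with a 10-day dwell the native daily copy from 11 days ago is the tighter recovery point, but it sits on the compromised surface, so the independent weekly copy from 14 days ago is the one you can trust; with a 40-day dwell the native source has nothing older than its 30-day window and only the independent copy (42 days old) qualifies. The assumed cadence and retention are illustrative; substitute your own catalogue and the real first-seen time from your audit log.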

What independent architecture is actually for

Rewind is a SaaS resilience platform built on independent architecture, not a plugin, that keeps your data accessible even if the SaaS vendor is compromised. That separation is the whole point when attackers are targeting backups 94% of the time.

Rewind is an Atlassian Silver Marketplace Partner, Cloud Fortified for Jira and Confluence, and the most-downloaded Jira and Confluence backup app on the Atlassian Marketplace. More than 25,000 organizations trust Rewind.

Three capabilities matter for the ransomware scenario. Item-level restore lets you recover a single page, file, or configuration without affecting the rest of the instance. Cross-instance restore lets you recover to a completely different account, which is critical for failover, staging, sandbox seeding, and emergency fallback. And failover-ready capabilities give platform teams predefined options that keep humans in control while minimizing disruption.

Hot Standby for Jira is scheduled for Q2 2026 and Pilot Light for Jira is scheduled for Q3 2026. Both are publicly announced. Timelines are subject to change. The Jira failover work is the pattern that informs resilience thinking for Confluence too.

Florian Polterauer, Head of IT at Global Rail Group, put the governance stakes plainly: “Confluence is the heart of our organization. It contains all the knowledge that we collect and produce. Losing it would be a disaster. Years of knowledge are in Confluence, and it would all be gone.”

Five questions to bring to your platform team

  1. Is our Confluence recovery path independent of the Confluence surface?
  2. Do we have item-level restore for audit response?
  3. Does our retention window cover our longest audit cycle?
  4. Do we have a tested cross-instance restore path?
  5. Is our incident response posture inside the 72-hour GDPR notification window?

Score each green, amber, or red. Bring the reds to your governance lead this quarter.

See how independent architecture protects Confluence through ransomware scenarios at rewind.com/confluence.

Rewind
Rewind is a leading and trusted provider of cloud backup and data recovery solutions, helping businesses safeguard their critical SaaS data from loss, corruption, and cyber threats.