According to Huntress Labs, a Shodan search for “Confluence” shows that there are over 200,000 results, and searches for the Confluence favicon show over 5,000 results. While these numbers don’t indicate the exact number of vulnerable instances, they do highlight how many are exposed to the internet. The task of filtering out the number of potential Confluence servers to determine the real impact of vulnerabilities is not easy, but it is crucial for understanding the potential threat. The article also mentions that a vulnerability affecting Atlassian Confluence has appeared multiple times on the CISA KEV list, indicating the need to remove Confluence servers from the internet. However, there are many honeypots that make it difficult to identify real servers. The article discusses different attempts to filter out honeypots and provides a possible count of real Confluence hosts, which is significantly smaller than the number of honeypots. It emphasizes the importance of accurately determining the number of potentially impacted hosts to avoid overestimating the impact of vulnerabilities. The problem of honeypots not only complicates defenders’ understanding of attack surfaces but also affects attackers’ ability to target real servers. Overall, the article highlights the challenge of filtering out honeypots and
https://vulncheck.com/blog/too-many-honeypots