Bitbucket Server - RCE (CVE-2022-36804)

CVE-2022-36804 is a high-severity vulnerability in Atlassian Bitbucket Server and Data Center that allows remote attackers with read access to a repository to execute arbitrary code by sending specially crafted HTTP requests. This flaw could be exploited to compromise the integrity, confidentiality, and availability of affected Bitbucket instances, potentially leading to full system takeover or data breaches.

CrowdSec has been tracking this vulnerability and its exploits since 24th of July 2025.

Based on data from the CrowdSec network, nearly all observed exploitation of CVE-2022-36804 is fully opportunistic, with attackers indiscriminately scanning the entire internet. These attacks are automated and lack any form of target selection or reconnaissance. Telemetry from the CrowdSec network also shows that exploitation activity for CVE-2022-36804 remains steady week-over-week. Attack volumes are consistent with long-term trends, indicating sustained interest from threat actors. CVE-2022-36804 continues to be an active part of the threat landscape and will likely remain this way for the forseeable future.

Attackers exploit Bitbucket's archive API endpoint by injecting command execution payloads into the prefix parameter, allowing remote code execution on the server. The attack targets URLs like /rest/api/latest/projects/<key>/repos/<slug>/archive with crafted query strings.