# CVE-2021-26084 Remote Code Execution on Confluence Servers
We got this vulnerability in our Twitter feed via Matthias's tweet:

This looked like a great target for bug bounties, so we started reversing the patch. We reversed it and popped a shell.

## Analyzing the hot patch
Generally, you'd diff the patched and unpatched versions to look for changed files, but in this case Atlassian made it easier by providing a shell script that patches the installation in place.
While going through the advisory we found that Atlassian had released a [hotfix](https://confluence.atlassian.com/doc/files/1077906215/1077916296/2/1629936383093/cve-2021-26084-update.sh) script for this CVE.
Looking at the shell script, it was clear that a few `*.vm` (Velocity template) files were modified with a bit of string match-and-replace, which implied the vulnerability should lie somewhere inside those templates.
We quickly grabbed the unpatched version (7.12.4) of Confluence Server and unzipped it. To be sure we understood the patch correctly, we made a copy of the Confluence Server install and applied the patch script to that copy, so the original tree could be diffed against the patched one.
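The copy-apply-compare workflow above is easy to script. The following is an added example (not code from the original post or from Atlassian's hotfix): it compares an unpatched install tree against a patched copy and lists only the `*.vm` template files whose content changed, which is exactly the set of files worth reading first. The directory layout, file names and file contents in `make_sample_trees` are constructed placeholders, not the real Confluence templates; in practice you would point `changed_vm_files` at your real unpatched tree and a copy on which you ran Atlassian's `cve-2021-26084-update.sh`.

```shell
#!/bin/sh
# Added example: list the Velocity templates (*.vm) that differ between an
# unpatched Confluence install and a patched copy of it.
# Assumption (not from the original post): paths are placeholders and the
# sample trees built by make_sample_trees are constructed for illustration.
set -eu

# changed_vm_files UNPATCHED_DIR PATCHED_DIR
# Prints, one per line and sorted, the paths (relative to UNPATCHED_DIR) of
# *.vm files whose content differs between the two trees.
changed_vm_files() {
    unpatched="$1"
    patched="$2"
    # `diff -rq` emits lines like "Files A and B differ"; keep only the .vm
    # entries and strip the unpatched root so output is relative to it.
    # diff exits 1 when differences exist, so mask that for set -e.
    diff -rq "$unpatched" "$patched" \
        | awk -v root="$unpatched/" '
            $1 == "Files" && $2 ~ /\.vm$/ {
                print substr($2, length(root) + 1)
            }' \
        | sort || true
}

# make_sample_trees BASE
# Builds a constructed unpatched/patched pair under BASE: two templates and a
# non-template file, with only one template altered in the "patched" copy.
# This stands in for copying the real install and running the hotfix on it.
make_sample_trees() {
    base="$1"
    mkdir -p "$base/unpatched/confluence/templates"
    printf '## constructed template A (before)\n' \
        > "$base/unpatched/confluence/templates/example-a.vm"
    printf '## constructed template B\n' \
        > "$base/unpatched/confluence/templates/example-b.vm"
    printf 'not a template\n' > "$base/unpatched/confluence/notes.txt"

    # Make the copy, then simulate the hotfix's string replace on one file.
    mkdir -p "$base/patched"
    cp -R "$base/unpatched/." "$base/patched/"
    printf '## constructed template A (after)\n' \
        > "$base/patched/confluence/templates/example-a.vm"
}

# Usage: sh patch-diff.sh /path/to/unpatched /path/to/patched-copy
if [ "$#" -eq 2 ]; then
    changed_vm_files "$1" "$2"
fi
```

Because `diff -rq` also reports files present in only one tree ("Only in ..."), the `awk` filter on the `Files` keyword deliberately ignores additions and deletions; drop that condition if the hotfix you are studying also adds or removes templates.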