"Microsoft said it observed in-the-wild abuse of the maximum rated 10.0 vulnerability, tracked as CVE-2023-22515, since September 14, some three weeks before Atlassian’s public disclosure on October 4. A bug is considered a zero-day when the vendor — in this case Atlassian — has zero time to fix the bug before it is exploited."

Archive link: https://archive.ph/UfFlz

Slashdot discussion: https://it.slashdot.org/story/23/10/11/1843211/state-backed-...

Atlassian advisory: https://confluence.atlassian.com/security/cve-2023-22515-pri... (https://archive.ph/YBv5a)