Critical, Actively Exploited Jenkins RCE Bug Suffers Patch Lag

Published: 23/11/2024   Category: security




A 7-month-old bug in an OSS CI/CD server is still being actively exploited, thanks to spotty patching, CISA warns.



A critical vulnerability in the Jenkins open source automation server is still being actively exploited seven months after its initial disclosure.

Jenkins is a two-decades-old, open source, extensible tool that software developers use to build, test, and deploy applications during continuous integration and continuous delivery (CI/CD). It reached 300,000 known installations in 2022, which, according to its developers, made it the world's most popular automation server.
Back in January, the Jenkins team revealed a command line interface (CLI) path traversal vulnerability that could allow unauthorized attackers to read arbitrary files on its controller file system. Though read-only in nature, the issue could allow an attacker to glean cryptographic keys helpful in escalating privileges and eventually gaining code execution privileges. Labeled CVE-2024-23897, it earned a critical 9.8 out of 10 score in the Common Vulnerability Scoring System (CVSS).
"If your Jenkins is compromised, it's quite a big deal, because Jenkins is at the core of your business software," explains Yaniv Nizry, vulnerability researcher for Sonar, who was first to discover the bug. "Attackers can sneak themselves into production, or inject their code, and there are many ways they can use it to get a further foothold. It could be very devastating."

And it remains under active exploitation today, according to the Cybersecurity and Infrastructure Security Agency (CISA), which this week added the flaw to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies at risk now have two weeks to remediate.

The day it disclosed the vulnerability to the public, the Jenkins development team released a security fix along with detailed information about eight potential paths of exploitation.

Many developers, it seems, didn't implement the fix. Five days after the news broke, the Shadowserver Foundation counted 45,000 exposed instances across six continents.
White- and black-hat hackers alike immediately began testing out some of the exploits Jenkins outlined in its advisory. Evidence of exploitation arose within 24 hours after the news dropped. After 48 hours, multiple working proof-of-concept (PoC) exploits were available on the public Web, allowing hackers to exploit any publicly discoverable Jenkins instance with minimal effort.

Two months later, Trend Micro found evidence that CVE-2024-23897 exploits were being bought and sold among threat actors. By that time, according to Shadowserver data, hundreds of related attacks had struck targets primarily concentrated in South Africa.

More attacks of a larger scale have occurred since. Over the summer, IntelBroker used CVE-2024-23897 to obtain credentials, which it then used to breach a corporate GitHub account, access private repositories, and steal the source code and other sensitive and proprietary data hosted there. Then, RansomExx exploited it to lock up IT systems at the digital payments provider Brontoo Technology Solutions, which had a ripple effect across Indian banks.

As Nizry emphasizes, there is no good reason why Jenkins users should not have patched already, or shouldn't patch immediately if they haven't yet.

"It's something quite recurring in security research — that when you use a third-party package, it could have a really huge impact, especially if it's an old one," he says. "Maybe it had some useful feature in the past, and now, suddenly, that feature can become a security issue."
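Because the article's point is patch lag rather than the exploit itself, the following added example (not code from the article, Sonar, or the Jenkins project) shows the check a defender would run over a fleet inventory: compare each controller's reported version with the fix release on its own release line, since Jenkins weekly versions ("2.442") and LTS versions ("2.426.3") cannot be compared as plain strings or floats. The fix thresholds and the inventory below are constructed demo values; the real fixed versions for CVE-2024-23897 come from the Jenkins advisory.

```python
"""Flag Jenkins controllers whose reported version predates a fix release.

Jenkins ships two release lines: weekly versions look like "2.442" and LTS
versions like "2.426.3". An LTS build can carry a lower middle number than a
patched weekly build and still be fixed, so each line is compared separately.
"""

# CONSTRUCTED sample thresholds for this demo only; replace them with the
# fixed versions named in the Jenkins advisory for the CVE you are checking.
DEMO_FIXED_WEEKLY = "2.450"
DEMO_FIXED_LTS = "2.440.2"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn "2.426.3" into (2, 426, 3); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Jenkins version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_lts(version: tuple[int, ...]) -> bool:
    """LTS releases carry a third component (2.426.3); weekly ones do not (2.442)."""
    return len(version) == 3


def needs_patch(reported: str, fixed_weekly: str, fixed_lts: str) -> bool:
    """True when the reported version is older than the fix on its own release line."""
    v = parse_version(reported)
    threshold = parse_version(fixed_lts if is_lts(v) else fixed_weekly)
    return v < threshold


def triage(inventory: dict[str, str], fixed_weekly: str = DEMO_FIXED_WEEKLY,
           fixed_lts: str = DEMO_FIXED_LTS) -> list[str]:
    """Return the hostnames still running a pre-fix version, sorted for stable reports."""
    return sorted(host for host, ver in inventory.items()
                  if needs_patch(ver, fixed_weekly, fixed_lts))


# CONSTRUCTED inventory: hostname -> version string as a controller reports it
# in its X-Jenkins HTTP response header.
SAMPLE_INVENTORY = {
    "ci-old.example.internal": "2.426.1",    # LTS, older than the demo LTS fix
    "ci-lts.example.internal": "2.440.2",    # LTS, exactly the demo fix: patched
    "ci-weekly.example.internal": "2.449",   # weekly, one release short of the fix
    "ci-new.example.internal": "2.451",      # weekly, newer than the fix: patched
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: running {SAMPLE_INVENTORY[host]}, update required")
```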
