A recently identified command injection vulnerability, CVE-2025-53652, in the Jenkins Git Parameter plugin puts approximately 15,000 Jenkins servers at risk of remote code execution (RCE). This flaw could allow attackers to compromise unauthenticated Jenkins servers, potentially leading to significant security breaches.
Root Cause
The vulnerability stems from the way the Git Parameter plugin handles user-provided information. Specifically, the plugin uses user-entered values directly in commands without properly sanitizing them. This lack of input validation allows a skilled attacker to inject malicious commands into the system.
Jenkins is a widely used open-source automation server that streamlines software development processes. The Git Parameter plugin enhances Jenkins’ functionality by allowing developers to easily select and utilize different versions or branches of code within their automated tasks. However, the unsafe handling of user inputs in this plugin creates a significant security risk.
Impact & Exploit Potential
Successful exploitation of CVE-2025-53652 can lead to remote code execution (RCE), allowing attackers to gain complete control over vulnerable Jenkins servers. VulnCheck’s team demonstrated this by running their code on a test server and accessing sensitive information, including a master key.
The potential impact is substantial, especially given that approximately 15,000 Jenkins servers are exposed with authentication turned off, making them easier targets. While VulnCheck suggests that widespread exploitation is unlikely, they caution that this type of vulnerability is highly valued by skilled attackers for targeted attacks or for gaining deeper access into a company’s network.
Tactics, Techniques, and Procedures (TTPs)
The exploitation of this vulnerability involves specific tactics and techniques as defined by the MITRE ATT&CK framework:
- TA0002 – Execution: Attackers exploit the command injection vulnerability to execute arbitrary commands on the Jenkins server.
- T1059 – Command Injection: Attackers inject malicious commands into the system through unsanitized user inputs processed by the Git Parameter plugin.
Mitigation & Recommendations
To mitigate the risk posed by CVE-2025-53652, consider the following recommendations:
- Apply the patch: Ensure that the latest version of the Jenkins Git Parameter plugin is installed to address the command injection flaw.
- Verify patch status: Even with the patch applied, verify that it has not been manually disabled by a system administrator. The patch can reportedly be disabled, leaving the server vulnerable.
- Implement detection rules: Utilize detection rules to identify and monitor any attempts to exploit this vulnerability.
- Enable authentication: Ensure that authentication is enabled on Jenkins servers to prevent unauthorized access. According to VulnCheck’s report, a significant number of Jenkins servers have authentication turned off, making them easier targets.
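The root cause described above (a user-supplied branch or tag name spliced into a command line) and the "implement detection rules" recommendation both come down to the same check: does a parameter value look like a Git ref, or does it carry shell syntax? The following Python is an added illustration, not code from the Git Parameter plugin or from VulnCheck. It shows the vulnerable string-concatenation pattern next to a hardened form that allowlists the ref name and passes it to git as a separate argument with no shell, and it reuses the same allowlist to flag suspicious parameter values in a handful of constructed log lines (the log format, repository URL and job names are assumptions made for the example).

```python
import re
import subprocess

# Assumed repository URL for the example; not taken from the advisory.
REPO_URL = "https://git.example.invalid/app.git"

# Allowlist for branch/tag names, modelled on git's ref-name rules (illustrative):
# must start with an alphanumeric, then only alphanumerics, '.', '_', '/', '-'.
# This rejects shell metacharacters (; | & $ ( ) ` space, newline) and option-like
# values that start with '-'.
_REF_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]*")


def is_safe_git_ref(value: str) -> bool:
    """Return True only if `value` is an acceptable Git ref name."""
    if not value or len(value) > 255:
        return False
    if not _REF_RE.fullmatch(value):
        return False
    # A few extra git-specific rejections: path traversal, empty components,
    # trailing slash/dot, and the reserved .lock suffix.
    if ".." in value or "//" in value:
        return False
    if value.endswith(("/", ".", ".lock")):
        return False
    return True


def build_command_unsafe(repo: str, ref: str) -> str:
    """Vulnerable pattern: the raw parameter value is pasted into a shell command line.

    Running the returned string through a shell lets metacharacters in `ref`
    (for example "main; id") terminate the git command and start another one.
    Shown for contrast only; never executed here.
    """
    return f"git ls-remote --heads {repo} {ref}"


def build_command_safe(repo: str, ref: str) -> list[str]:
    """Hardened form: validate against the allowlist, then return an argv list.

    The list form is passed to subprocess.run() without a shell, so the ref is
    always one argument and is never re-parsed as shell syntax.
    """
    if not is_safe_git_ref(ref):
        raise ValueError(f"rejected parameter value: {ref!r}")
    return ["git", "ls-remote", "--heads", repo, ref]


def rejects(repo: str, ref: str) -> bool:
    """True if the hardened builder refuses `ref` (helper for checks below)."""
    try:
        build_command_safe(repo, ref)
    except ValueError:
        return True
    return False


def resolve_ref(repo: str, ref: str) -> str:
    """Run the hardened command (no shell) and return git's output."""
    argv = build_command_safe(repo, ref)
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout


# Constructed sample of a parameter-submission log; the format is an assumption.
SAMPLE_LOG = [
    '2025-08-06T10:00:01Z job=build-app param=BRANCH value="main"',
    '2025-08-06T10:00:07Z job=build-app param=BRANCH value="release/2.4"',
    '2025-08-06T10:01:13Z job=build-app param=BRANCH value="main; id"',
    '2025-08-06T10:01:20Z job=deploy param=TAG value="$(id)"',
    '2025-08-06T10:02:02Z job=deploy param=TAG value="v1.0.3"',
]

_LOG_RE = re.compile(r'job=(?P<job>\S+) param=(?P<param>\S+) value="(?P<value>[^"]*)"')


def flag_suspicious_parameters(lines: list[str]) -> list[tuple[str, str, str]]:
    """Detection rule: report (job, param, value) for values that fail the ref allowlist."""
    hits = []
    for line in lines:
        m = _LOG_RE.search(line)
        if m is None:
            continue
        value = m.group("value")
        if not is_safe_git_ref(value):
            hits.append((m.group("job"), m.group("param"), value))
    return hits


if __name__ == "__main__":
    print("hardened argv:", build_command_safe(REPO_URL, "release/2.4"))
    print("unsafe string:", build_command_unsafe(REPO_URL, "main; id"))
    for job, param, value in flag_suspicious_parameters(SAMPLE_LOG):
        print(f"ALERT job={job} param={param} value={value!r}")
```

The allowlist is deliberately stricter than git itself: a value that git might tolerate but that a human would never type as a branch name is worth a rejection and an alert, because the cost of a false positive is one failed build while the cost of a false negative is the RCE described above.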
Instantly Fix Risks with Saner Patch Management
Saner patch management is continuous, automated, and integrated patching software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.