Thousands of Jenkins instances exposed following attack


Tens of thousands of Jenkins servers are vulnerable to a high-severity bug that allows threat actors to remotely run malicious code on the endpoints.

The project recently released two patches addressing the vulnerability and is urging users to apply them immediately to avoid unnecessary risk.

Jenkins is an open source automation server for CI/CD that lets developers automate various build, test, and deployment processes.

No evidence of abuse (yet)

Last week, the project released versions 2.442 and LTS 2.426.3, which address an arbitrary file read vulnerability tracked as CVE-2024-23897. This vulnerability, BleepingComputer reports, already has multiple proof-of-concept (PoC) exploits in the wild. As per the advisory released with the patches, the problem is in the command-line interface, which automatically replaces the @ character followed by a file path with the contents of that file. The advisory adds that this feature is turned on by default.

Hackers can abuse it for a number of things, from accessing sensitive information such as secrets to running malicious code on vulnerable endpoints. They could also delete files from Jenkins servers and download Java heap dumps.

As per a Shadowserver scan, there are roughly 45,000 unpatched Jenkins servers that could be potential targets. The majority of these endpoints are located in China (12,000), followed by the United States (11,830), Germany (3,060), India (2,681), France (1,431), and the UK (1,029). Researchers say that multiple PoCs are already circulating on the internet, but it is unclear whether any threat actors have picked them up or used them in any of their campaigns.

BleepingComputer says that some Jenkins honeypots did observe activities “resembling genuine exploitation attempts”, although the evidence seems to be inconclusive. 

Given the severity of the flaw, IT admins are advised to apply the patch as soon as possible. Those that are unable to do so should reach out to the Jenkins project for recommendations and workarounds.
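As an added example, not code from the article or from the Jenkins project: a small Python helper that compares a reported Jenkins version against the fixed versions named above (2.442 weekly, 2.426.3 LTS) so an admin can list which hosts in an inventory still need the patch. It assumes the version string is the one Jenkins reports in its `X-Jenkins` response header; the sample inventory is constructed.

```python
import re

# Fixed versions from the advisory the article cites (CVE-2024-23897).
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)

# Weekly releases look like "2.441"; LTS releases like "2.426.2".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> tuple:
    """Turn a Jenkins version string into a tuple of ints.

    Two components means a weekly release, three means an LTS release.
    Any trailing qualifier (e.g. "-SNAPSHOT") is ignored.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(p) for p in match.groups() if p is not None)


def is_vulnerable_to_cve_2024_23897(version: str) -> bool:
    """Return True if the version predates the fix for CVE-2024-23897.

    The LTS and weekly lines are compared separately: LTS 2.426.3 is
    fixed even though its base weekly number (2.426) is far below 2.442.
    """
    parts = parse_version(version)
    if len(parts) == 3:
        return parts < FIXED_LTS
    return parts < FIXED_WEEKLY


def hosts_needing_patch(inventory: dict) -> list:
    """Given {hostname: version}, return the hosts still unpatched, sorted."""
    return sorted(
        host for host, ver in inventory.items()
        if is_vulnerable_to_cve_2024_23897(ver)
    )


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "ci-build-01.example.test": "2.441",     # weekly, one behind the fix
        "ci-build-02.example.test": "2.442",     # weekly, fixed
        "ci-lts-01.example.test": "2.426.2",     # LTS, one behind the fix
        "ci-lts-02.example.test": "2.426.3",     # LTS, fixed
    }
    print(hosts_needing_patch(sample))
```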


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.