Thousands of Jenkins instances exposed following attack


Tens of thousands of Jenkins servers are vulnerable to a high-severity bug that allows threat actors to remotely run malicious code on the affected endpoints.

The project recently released two patches addressing the vulnerability, and is urging users to apply them immediately to avoid unnecessary risk.

Jenkins is an open source automation server for CI/CD that developers use to automate building, testing, and deploying their software.

No evidence of abuse (yet)

Last week, the project released versions 2.442 and LTS 2.426.3, which address an arbitrary file read vulnerability tracked as CVE-2024-23897. This vulnerability, BleepingComputer reports, already has multiple proof-of-concept (PoC) exploits in the wild. As per the advisory released with the patches, the problem is in the command-line interface, which automatically replaces an @ character followed by a file path with the contents of that file. The advisory adds that this feature is enabled by default.

Hackers can abuse it for a number of things, from accessing sensitive information such as secrets, to running malicious code on vulnerable endpoints. They could also delete files from Jenkins servers and download Java heap dumps. 

As per a Shadowserver scan, there are roughly 45,000 unpatched Jenkins servers that could be potential targets. The majority of these endpoints are located in China (12,000), followed by the United States (11,830), Germany (3,060), India (2,681), France (1,431), and the UK (1,029). Researchers say that multiple PoCs are already circulating on the internet, but it is unclear whether any threat actors have picked them up or tried to use them in their campaigns.

BleepingComputer says that some Jenkins honeypots did observe activities “resembling genuine exploitation attempts”, although the evidence seems to be inconclusive. 

Given the severity of the flaw, IT admins are advised to apply the patch as soon as possible. Those that are unable to do so should reach out to the Jenkins project for recommendations and workarounds.
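To turn the advice above into something an admin can act on, here is an added example (not code from the article or from the Jenkins project) that triages an inventory of Jenkins hosts by the version they report and flags those still below the fixed releases named above, 2.442 for weekly builds and 2.426.3 for LTS. It assumes the version string comes from the X-Jenkins response header and that, following Jenkins' release convention, weekly versions have two numeric components and LTS versions three; the inventory itself is constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases as stated in the advisory the article cites.
# Assumption: weekly builds carry two numeric components (2.442), LTS builds three (2.426.3).
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)


def parse_version(raw: str) -> Tuple[int, ...]:
    """Turn an X-Jenkins header value such as '2.426.2' into a tuple of ints."""
    m = re.match(r"^\s*(\d+(?:\.\d+){1,2})", raw)
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {raw!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(raw: str) -> bool:
    """True if the version predates the CVE-2024-23897 fix on its own release line."""
    v = parse_version(raw)
    if len(v) == 3:              # three components: LTS line
        return v < FIXED_LTS
    return v < FIXED_WEEKLY      # two components: weekly line


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts whose reported version still needs the patch, sorted by name."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory: host name -> value of the X-Jenkins response header.
SAMPLE = {
    "ci-weekly.example.internal": "2.441",
    "ci-lts.example.internal": "2.426.2",
    "ci-patched-lts.example.internal": "2.426.3",
    "ci-patched-weekly.example.internal": "2.442",
    "ci-old-lts.example.internal": "2.387.3",
}

if __name__ == "__main__":
    for host in triage(SAMPLE):
        print(f"{host}: {SAMPLE[host]} -> upgrade to 2.442 (weekly) or 2.426.3 (LTS)")
```

Feeding it real header values collected from your own estate gives a quick list of servers to prioritise; hosts that cannot be upgraded straight away are the ones to raise with the Jenkins project for workarounds.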

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
