A brand new report by VulnCheck exposes a crucial command injection flaw (CVE-2025-53652) within the Jenkins Git Parameter plugin. Learn how this vulnerability, initially rated as medium, might enable hackers to realize distant code execution and compromise hundreds of unauthenticated Jenkins servers.
A brand new safety evaluation from the agency VulnCheck has revealed {that a} vulnerability within the fashionable Jenkins automation server is extra harmful than beforehand thought. The flaw, formally recognized as CVE-2025-53652, was initially rated as a medium-level risk however has been discovered to permit for a extreme sort of assault often called command injection. This might doubtlessly let hackers take full management of a server.
To your data, Jenkins is a robust open-source software corporations use for automating duties in software program improvement. The vulnerability particularly impacts a characteristic known as the Git Parameter plugin, which is used to permit builders to simply choose and use totally different variations or branches of code immediately inside their automated duties.
In keeping with VulnCheck’s report, shared with Hackread.com, round 15,000 Jenkins servers on the web at the moment have their safety settings turned off, making them simple targets for this type of assault.
The issue lies in how the Git Parameter plugin handles data given to it by customers. When a person enters a worth, the plugin makes use of it immediately in a command with out correctly checking if it’s secure. This enables a talented attacker to inject malicious instructions into the system.
VulnCheck’s crew confirmed that they may use this flaw to run their very own code on the server, a harmful sort of assault known as distant code execution (RCE). They had been ready to make use of this methodology to achieve management of a check server and even entry delicate data, reminiscent of a grasp key.
Regardless that the official repair for the vulnerability has been launched, VulnCheck warns that the patch could be manually disabled by a system administrator. Which means a server might nonetheless be weak even when it has been up to date. In consequence, the safety agency has created a particular rule to assist corporations detect any makes an attempt to take advantage of this weak point.
Whereas the agency doesn’t imagine the flaw can be extensively exploited, they word that it’s the sort of weak point that expert attackers worth for particular, focused assaults or for shifting deeper into an organization’s community.
