The US Cybersecurity and Infrastructure Security Agency (CISA) has added a high-risk vulnerability affecting Jenkins, a widely-used open-source automation server, to its Known Exploited Vulnerabilities Catalog (KEV).
The flaw, tracked as CVE-2024-23897, is an improper access control issue, which exists due to the affected application does not disable a feature of its CLI command parser that replaces an "@" character followed by a file path in an argument with the file’s contents. A remote attacker can read arbitrary files on the Jenkins controller file system, leading to arbitrary code execution.
Jenkins developers released patches to address the bug in January 2024. Shortly after, multiple proof-of-concept (PoC) exploits emerged online, with exploitation attempts being reported just one day later.
In March, Trend Micro reported exploitation attempts against CVE-2024-23897, and in July, cybersecurity firm CloudSEK observed the exploitation of the vulnerability by the IntelBroker threat actors. The group allegedly exploited the flaw to compromise IT service provider BORN Group.
Earlier this month, networking company Juniper Networks reported that the RansomEXX ransomware gang exploited CVE-2024-23897 to breach the systems of Brontoo Technology Solutions, an Indian technology services provider catering to banks. The attack resulted in widespread disruptions to retail payment systems across India.
That being said, organizations that have yet to update their Jenkins instances are strongly advised to do so as soon as possible.