
CISA warns of critical Jenkins vulnerability being exploited in ransomware attacks

August 20, 2024 | Ravie Lakshmanan | Vulnerability / Ransomware

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw affecting Jenkins to its catalog of known exploitable vulnerabilities (KEV) after it was exploited in ransomware attacks.

The vulnerability, tracked as CVE-2024-23897 (CVSS score: 9.8), is a path traversal flaw that could lead to code execution.

“The Jenkins Command Line Interface (CLI) contains a path traversal vulnerability that could give attackers limited read access to certain files, potentially leading to code execution,” CISA said in a statement.

It was first disclosed by security researchers at Sonar in January 2024 and addressed in Jenkins versions 2.442 and LTS 2.426.3 by disabling the command parser feature.
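A small inventory check, added here as an example and not taken from the article or from Jenkins itself, that classifies an instance as patched or not by comparing the version it advertises in its X-Jenkins response header against the fixed releases named above (weekly 2.442, LTS 2.426.3). The header dictionaries at the bottom are constructed sample input.

```python
import re

# Fixed releases named in the advisory. Weekly releases carry two
# version components (2.442); LTS releases carry three (2.426.3).
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)


def parse_version(text):
    """Turn '2.441' or '2.426.2' into a tuple of ints for ordered comparison."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_patched(version):
    """True if the version is at or above the fix for its release line."""
    v = parse_version(version)
    if len(v) == 3:          # three components => LTS line
        return v >= FIXED_LTS
    return v >= FIXED_WEEKLY  # two components => weekly line


def version_from_headers(headers):
    """Jenkins reports its own version in the X-Jenkins response header."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


def assess(headers):
    """Return (status, version): 'patched', 'vulnerable', or 'unknown'."""
    version = version_from_headers(headers)
    if version is None:
        return ("unknown", None)
    return ("patched" if is_patched(version) else "vulnerable", version)


# Constructed sample responses, one per release line plus a non-Jenkins host.
SAMPLE_HEADERS = [
    {"Server": "Jetty(10.0.18)", "X-Jenkins": "2.426.2"},   # LTS, pre-fix
    {"Server": "Jetty(10.0.18)", "X-Jenkins": "2.442"},     # weekly, fixed
    {"Server": "nginx"},                                     # not Jenkins
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(assess(h))
```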

Trend Micro reported in March that it had discovered multiple attack samples originating from the Netherlands, Singapore and Germany. It also found instances where remote code execution exploits for the vulnerability were being actively traded.


In recent weeks, CloudSEK and Juniper Networks disclosed real-world attacks in which CVE-2024-23897 was exploited to breach the companies BORN Group and Brontoo Technology Solutions.

The attacks have been attributed to the threat actor IntelBroker and the RansomExx ransomware gang, respectively.

“CVE-2024-23897 is an unauthenticated LFI vulnerability that allows attackers to read arbitrary files on the Jenkins server,” CloudSEK said. “This vulnerability exists due to improper input validation, allowing attackers to manipulate specific parameters and trick the server into accessing and displaying the contents of sensitive files.”


Given the active exploitation of the vulnerability, Federal Civilian Executive Branch (FCEB) agencies have until September 9, 2024, to implement the fixes and secure their networks against active threats.
