Com TW NOw News 2024

Critical, actively exploited Jenkins RCE bug suffers patch delay

A critical vulnerability in the open source automation server Jenkins is still being actively exploited seven months after it was first disclosed.

Jenkins is a 20-year-old, open-source, extensible automation server that software developers use to build, test, and deploy applications in continuous integration and continuous delivery (CI/CD) pipelines. It passed 300,000 known installations in 2022, which, according to its developers, makes it the most popular automation server in the world.

In January, the Jenkins team disclosed an arbitrary file read vulnerability in its command line interface (CLI), classified as a path traversal flaw, that allowed unauthenticated attackers to read files on the controller file system. The root cause was a feature of the args4j library the CLI used to parse arguments: an argument beginning with `@` was replaced with the contents of the file at that path. Unauthenticated attackers could read entire files where anonymous read access was enabled, and the first few lines of any file otherwise. Although the flaw only allowed reading, an attacker could use it to collect cryptographic keys and other secrets useful for escalating privileges and ultimately gaining code execution. The issue, tracked as CVE-2024-23897, was given a “critical” rating of 9.8 out of 10 under the Common Vulnerability Scoring System (CVSS).

“If your Jenkins is compromised, that’s a big problem because Jenkins is at the core of your enterprise software,” explains Yaniv Nizry, vulnerability researcher for Sonar, which first discovered the bug. “Attackers can sneak into production or inject their code, and there are a lot of ways they can use it to get a bigger foothold. It can be very devastating.”

And it’s still being actively exploited, according to the Cybersecurity and Infrastructure Security Agency (CISA), which this week added the flaw to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies now have three weeks to remediate the issue.

The damage already done by CVE-2024-23897

On the day it disclosed the vulnerability, the Jenkins team released fixed versions (weekly 2.442 and LTS 2.426.3) together with an advisory describing eight possible exploitation scenarios, and recommended disabling CLI access as a workaround until the fix could be applied.

Many administrators apparently did not apply the fix. Five days after the news broke, the Shadowserver Foundation counted roughly 45,000 exposed instances across six continents.

Both white hat and black hat hackers immediately began testing some of the exploitation scenarios Jenkins described in its advisory. Evidence of in-the-wild exploitation appeared within 24 hours of the disclosure. Within 48 hours, multiple working proof-of-concept (PoC) exploits were public, allowing attackers to abuse internet-exposed Jenkins instances with minimal effort.

Two months later, Trend Micro found evidence of exploits for CVE-2024-23897 being bought and sold among threat actors. By then, hundreds of related attacks had hit targets, primarily in South Africa, according to Shadowserver data.

Since then, there have been more attacks of greater magnitude. Over the summer, IntelBroker used CVE-2024-23897 to obtain credentials, which it then used to breach a corporate GitHub account, gain access to private repositories, and steal source code and other sensitive and proprietary data hosted there. RansomEXX then abused the flaw to encrypt IT systems at the digital payments provider Brontoo Technology Solutions, with a ripple effect on Indian banks.

As Nizry points out, there is no good reason for Jenkins users not to have installed the patch already, or not to update immediately if they have not.
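The following script is added here as an illustration; it is not code from the article, from Sonar, or from the Jenkins project. It shows how an administrator could triage a fleet for this bug using the version Jenkins reports in its `X-Jenkins` response header, compared against the affected range from the January advisory (weekly 2.441 and earlier, LTS 2.426.2 and earlier). The host names and HTTP responses are constructed sample data; the function names are this example's own.

```python
"""Fleet triage for CVE-2024-23897 by reported Jenkins version.

Added example, not code from the article or the Jenkins project.
Affected range per the Jenkins advisory of 24 January 2024:
weekly 2.441 and earlier, LTS 2.426.2 and earlier. Fixed in
weekly 2.442 and LTS 2.426.3.
"""
from typing import Dict, Optional, Tuple

FIXED_WEEKLY = (2, 442)      # first fixed weekly release (major.minor)
FIXED_LTS = (2, 426, 3)      # first fixed LTS release (major.minor.patch)

# Constructed sample data: raw HTTP responses as a scanner would capture them
# from GET / on each host. Hostnames and values are made up for this example.
SAMPLE_RESPONSES: Dict[str, str] = {
    "ci-lts.example.internal": (
        "HTTP/1.1 403 Forbidden\r\n"
        "X-Jenkins: 2.426.2\r\n"
        "Content-Type: text/html;charset=utf-8\r\n\r\n"
        "<html>...</html>"
    ),
    "ci-weekly.example.internal": (
        "HTTP/1.1 200 OK\r\n"
        "X-Jenkins: 2.442\r\n\r\n"
    ),
    "ci-old.example.internal": (
        "HTTP/1.1 403 Forbidden\r\n"
        "x-jenkins: 2.414.3\r\n\r\n"       # header names are case-insensitive
    ),
    "www.example.internal": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n\r\n"            # not Jenkins, or header stripped by a proxy
    ),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.426.3' -> (2, 426, 3); rejects anything that is not 2 or 3 numeric parts."""
    parts = version.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True if the reported version is inside the affected range.

    Jenkins has two release lines with different numbering: weekly releases
    are major.minor (2.441), LTS releases are major.minor.patch (2.426.2).
    Each line must be compared against its own first fixed version.
    """
    v = parse_version(version)
    if len(v) == 3:
        return v < FIXED_LTS
    return v < FIXED_WEEKLY


def version_from_response(raw_response: str) -> Optional[str]:
    """Return the X-Jenkins header value from a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


def triage(responses: Dict[str, str]) -> Dict[str, Tuple[Optional[str], str]]:
    """Map each host to (reported version, 'vulnerable' | 'fixed' | 'unknown')."""
    results: Dict[str, Tuple[Optional[str], str]] = {}
    for host, raw in responses.items():
        version = version_from_response(raw)
        if version is None:
            results[host] = (None, "unknown")
            continue
        try:
            status = "vulnerable" if is_vulnerable(version) else "fixed"
        except ValueError:
            status = "unknown"
        results[host] = (version, status)
    return results


if __name__ == "__main__":
    for host, (version, status) in sorted(triage(SAMPLE_RESPONSES).items()):
        print(f"{host:28} {version or '-':10} {status}")
```

This is a patch-status check only: it does not tell you whether the CLI workaround is in place, and a reverse proxy may strip the header, so treat "unknown" as "go and look" rather than "safe". Because the bug leaks secrets rather than just crashing a service, a host that reports a fixed version today may still be carrying credentials that were read while it was exposed; rotating those is part of the remediation, not an optional extra.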

“It’s something that happens quite often in security research: if you use a third-party package, it can have a huge impact, especially if it’s an old package. Maybe it had a useful feature in the past, and now that feature can suddenly become a security problem,” he says.