Jenkins Multiple Vulnerabilities

Release Date: 3 Oct 2025

RISK: Extremely High Risk

TYPE: Servers - Internet App Servers

Multiple vulnerabilities were identified in Jenkins. A remote attacker could exploit some of these vulnerabilities to trigger remote code execution, denial of service condition, spoofing and elevation of privilege on the targeted system.

 

Note:

CVE-2017-1000353 is being exploited in the wild. It is an unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java SignedObject object to the Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing blacklist-based protection mechanism. Hence, the risk level is rated as Extremely High Risk.

---

Impact

• Remote Code Execution
• Denial of Service
• Spoofing
• Elevation of Privilege

---

System / Technologies affected

• Jenkins 2.56 and earlier
• Jenkins LTS 2.46.1 and earlier

---

Solutions

Before installation of the software, please visit the vendor web-site for more details.

Apply fixes issued by the vendor:

 

• https://www.jenkins.io/security/advisory/2017-04-26/

---

Vulnerability Identifier

• CVE-2017-1000353
• CVE-2017-1000354
• CVE-2017-1000355
• CVE-2017-1000356

---

Source

• Jenkins
• CISA

---

Related Link

• https://www.jenkins.io/security/advisory/2017-04-26/
• https://www.cisa.gov/news-events/alerts/2025/10/02/cisa-adds-five-known-exploited-vulnerabilities-catalog