Advisory

CISA warns of active exploitation of Jenkins RCE flaw in ransomware attacks

Take action: If you have been delaying the fix for your Jenkins servers, patch now to 2.442 or LTS 2.426.3, because attackers are already exploiting this flaw.

Learn More

CISA has issued a warning regarding a vulnerability in Jenkins, the popular open-source automation server widely used in software development pipelines.

The flaw, tracked as CVE-2024-23897 (CVSS score 9.8), stems from a weakness in the args4j command parser, which could allow unauthenticated attackers to remotely read arbitrary files on the Jenkins controller's file system via the built-in command line interface (CLI).

The vulnerability affects Jenkins versions 2.441 and earlier, as well as LTS 2.426.2 and earlier.
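The version boundaries above are easy to get wrong in a fleet inventory because Jenkins weekly releases carry two version components (2.N) while LTS releases carry three (2.N.M), and a naive string comparison mixes them up. The following Python helper, added here as an illustration and not part of the CISA advisory or of the Jenkins project, classifies a reported version against the fixed releases named in this advisory (2.442 weekly, 2.426.3 LTS). The inventory dictionary is constructed sample data; the hostnames are assumptions, and the versions are the kind of value Jenkins returns in its `X-Jenkins` response header.

```python
"""Classify Jenkins version strings against the CVE-2024-23897 fix boundary.

Added example for patch-compliance triage; not code from CISA or the Jenkins project.
"""
from typing import Dict, List, Tuple

# Fixed releases named in the advisory: weekly 2.442 and LTS 2.426.3.
# Versions strictly below these (within their own release line) are affected.
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse '2.441' or '2.426.2' into a tuple of ints.

    Jenkins weekly releases have two components, LTS releases have three.
    Anything else (build suffixes, unexpected text) is rejected so that it is
    triaged by hand rather than silently marked as patched.
    """
    parts = version.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_lts(parsed: Tuple[int, ...]) -> bool:
    """LTS versions are the three-component ones (2.N.M)."""
    return len(parsed) == 3


def is_vulnerable(version: str) -> bool:
    """True if the version is below the fixed release for its release line."""
    parsed = parse_version(version)
    if is_lts(parsed):
        return parsed < FIXED_LTS
    return parsed < FIXED_WEEKLY


# Constructed sample inventory: hostname -> version reported by the X-Jenkins header.
# Hostnames are hypothetical.
INVENTORY: Dict[str, str] = {
    "ci-build-01.example.internal": "2.441",    # weekly, one below the fix
    "ci-build-02.example.internal": "2.442",    # weekly, fixed
    "ci-lts-01.example.internal": "2.426.2",    # LTS, one below the fix
    "ci-lts-02.example.internal": "2.426.3",    # LTS, fixed
    "ci-lts-03.example.internal": "2.440.1",    # later LTS line, fixed
}


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return the (hostname, version) pairs that still need the patch, sorted by host."""
    return sorted((host, ver) for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    for host, ver in triage(INVENTORY):
        print(f"PATCH REQUIRED  {host}  (Jenkins {ver})")
```

Run against a real inventory, the function flags every two-component version below 2.442 and every three-component version below 2.426.3; a later LTS line such as 2.440.1 is correctly treated as fixed because the comparison stays within the LTS tuple ordering rather than comparing it against the weekly number.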

Since March 2024, attackers have been actively exploiting this vulnerability. The threat actor "IntelBroker" leveraged the flaw to breach IT service provider BORN Group. More recently, the RansomEXX gang exploited CVE-2024-23897 to compromise systems at Brontoo Technology Solutions in late July 2024, causing severe disruptions to retail payment networks in India.

Currently, Shadowserver is monitoring over 28,000 exposed Jenkins instances still vulnerable to CVE-2024-23897, with high concentrations in Asia and North America. This is a significant reduction from the more than 45,000 unpatched servers detected earlier this year, but the remaining attack surface is still large enough to pose a critical risk, particularly for organizations that have not applied the available patches.

CISA has added CVE-2024-23897 to its Known Exploited Vulnerabilities (KEV) catalog, urging organizations to prioritize remediation. Federal Civilian Executive Branch (FCEB) agencies are required to secure their Jenkins servers by September 9, 2024, under Binding Operational Directive 22-01 (BOD 22-01).