August 19, 2024 at 03:22PM
CISA warns that a critical Jenkins vulnerability (CVE-2024-23897) is being exploited for remote code execution. Multiple PoCs are public, and Shadowserver counts over 28,000 exposed instances. Trend Micro reports exploitation since March, including recent breaches at Indian banks. CISA has ordered FCEB agencies to secure their servers by September 9 and urges all organizations to prioritize the fix because of the ransomware threat.
The vulnerability, tracked as CVE-2024-23897, was disclosed and fixed by Jenkins in January 2024 (weekly 2.442 and LTS 2.426.3); CISA's warning concerns its active exploitation. The flaw lies in the args4j command-line parser that Jenkins uses for CLI commands: an argument of the form `@` followed by a file path is replaced with the contents of that file, so anyone who can reach the CLI endpoint can make the controller read arbitrary files from its file system. Attackers without Overall/Read permission can read the first few lines of a file; attackers with Overall/Read can read entire files. Secrets recovered this way, such as credentials, API tokens, or the controller's encryption keys, can then be chained into remote code execution, which is why the issue is rated critical. Jenkins fixed it by disabling the `@` expansion feature, and multiple proof-of-concept exploits were published online shortly after the January security updates.
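To make the parser behaviour concrete, here is an added illustration written for this summary; it is not Jenkins or args4j code. A minimal Python parser mimics the feature at the root of CVE-2024-23897 (an argument `@<path>` is replaced by the lines of that file, one argument per line) alongside a hardened variant that treats `@` as an ordinary character, which is what disabling the feature in the real parser amounts to. The command name `help`, the temporary file and its "secret" content are all constructed for the demo.

```python
"""Model of the args4j '@file' argument expansion behind CVE-2024-23897.

Added example, not code from Jenkins or args4j. The vulnerable function
splices a file's lines into the argument list whenever an argument starts
with '@'; the hardened function leaves arguments untouched.
"""
from pathlib import Path
import tempfile


def parse_args_at_syntax(argv: list[str]) -> list[str]:
    """Vulnerable behaviour: expand '@path' into the lines of that file.

    Whoever controls argv chooses the path, so every file the parsing
    process can open becomes readable through the argument list.
    """
    expanded: list[str] = []
    for arg in argv:
        if arg.startswith("@"):
            path = Path(arg[1:])
            # Each line of the referenced file becomes one argument.
            expanded.extend(path.read_text().splitlines())
        else:
            expanded.append(arg)
    return expanded


def parse_args_hardened(argv: list[str]) -> list[str]:
    """Fixed behaviour: '@' carries no special meaning (at-syntax disabled)."""
    return list(argv)


def demo() -> tuple[list[str], list[str]]:
    """Run both parsers on the same argv; returns (vulnerable, hardened)."""
    # Constructed stand-in for a secret on the controller (for example an
    # API token file). The content is made up for this example.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("top-secret-token-value\nsecond line\n")
        secret_path = f.name
    try:
        # 'help' is a hypothetical command name; the attacker-controlled
        # part is the '@<path>' argument that follows it.
        argv = ["help", "@" + secret_path]
        return parse_args_at_syntax(argv), parse_args_hardened(argv)
    finally:
        Path(secret_path).unlink()


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("at-syntax enabled :", vulnerable)
    print("at-syntax disabled:", hardened)
```

The vulnerable parser returns the file's lines as if the caller had typed them, while the hardened one hands back the literal `@...` string, which is what a fixed Jenkins release now does with such an argument.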
The threat monitoring service Shadowserver has found over 28,000 Jenkins instances exposed to this vulnerability, most of them in China and the United States. Exploitation of CVE-2024-23897 has been observed in the wild since March, with reported incidents in which threat actors used it to breach IT service providers and organizations such as BORN Group and Brontoo Technology Solutions.
CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Under Binding Operational Directive 22-01, which governs the catalog, Federal Civilian Executive Branch (FCEB) agencies must secure any Jenkins servers on their networks against the ongoing exploitation by September 9. Although the directive binds only federal agencies, CISA strongly urged all organizations to prioritize fixing this flaw, since it is being used in ransomware attacks.
In summary, organizations, and federal agencies in particular, need to upgrade exposed Jenkins controllers to a fixed release (weekly 2.442 or LTS 2.426.3 and later), or disable CLI access until they can, to close CVE-2024-23897 before it is used for a breach or ransomware deployment.
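For teams working through an inventory before the remediation deadline, the following added triage helper (written for this summary, not CISA or Jenkins tooling) decides whether a reported Jenkins version predates the fix. Jenkins weekly releases use two-component versions and LTS releases three, so each version is compared against the fixed release of its own line (weekly 2.442, LTS 2.426.3, per the Jenkins advisory). The host names and versions in the sample inventory are constructed; in practice the version would come from your asset inventory or from the `X-Jenkins` header a controller sends in HTTP responses.

```python
"""Triage Jenkins versions against the CVE-2024-23897 fix.

Added example, not tooling from CISA, Jenkins or Shadowserver. Fixed
releases: weekly 2.442 and LTS 2.426.3. Weekly versions look like
'2.441', LTS versions like '2.426.2'; the two lines are compared
separately because an LTS baseline (e.g. 2.426) is older than the weekly
fix even when its patch release is current.
"""
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)

# Constructed sample inventory: hostname -> version string.
SAMPLE_INVENTORY = {
    "ci-1.example.internal": "2.441",
    "ci-2.example.internal": "2.426.2",
    "ci-3.example.internal": "2.426.3",
    "ci-4.example.internal": "2.440.1",
    "ci-5.example.internal": "2.414.3-SNAPSHOT",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Parse '2.441' or '2.426.2' into a tuple of ints.

    Suffixes after '-' (e.g. '-SNAPSHOT') are dropped. Anything that is
    not two or three numeric components is rejected rather than guessed.
    """
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version_text: str) -> bool:
    """True if the version predates the fix for its release line."""
    version = parse_version(version_text)
    if len(version) == 3:          # LTS line
        return version < FIXED_LTS
    return version < FIXED_WEEKLY  # weekly line


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split an inventory into hosts to patch now, fixed hosts, and
    hosts whose version could not be parsed (to be checked by hand)."""
    result: dict[str, list[str]] = {"patch_now": [], "fixed": [], "unknown": []}
    for host, version in inventory.items():
        try:
            bucket = "patch_now" if is_vulnerable(version) else "fixed"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The `unknown` bucket is deliberate: a version string that does not parse (a custom build, a proxy that rewrites headers) should surface for manual review rather than be silently counted as fixed.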