15,000 Jenkins Servers at Risk from RCE Vulnerability (CVE-2025-53652)

HackRead
Tags: vulnerability, git, rce, perl, auth

A new report by VulnCheck exposes a critical command injection flaw (CVE-2025-53652) in the Jenkins Git Parameter plugin. Find out how this vulnerability, initially rated as medium, could allow hackers to achieve remote code execution and compromise thousands of unauthenticated Jenkins servers.

A new security analysis from the firm VulnCheck has revealed that a vulnerability in the popular Jenkins automation server is more dangerous than previously thought. The flaw, officially identified as CVE-2025-53652, was initially rated as a medium-level threat but has been found to allow for a severe type of attack known as command injection. This could potentially let hackers take complete control of a server.

Jenkins is a widely used open-source automation server that companies use to automate software development tasks. The vulnerability specifically affects the Git Parameter plugin, a feature that lets developers select different versions or branches of code directly from within their automated jobs.

According to VulnCheck’s report, shared with Hackread.com, around 15,000 Jenkins servers on the internet currently have their security settings turned off, making them easy targets for this kind of attack.

Figure: Of the more than 100,000 internet-facing Jenkins servers, 15,000 have authentication turned off (FOFA data; source: VulnCheck)

The problem lies in how the Git Parameter plugin handles user-supplied input. When a user submits a parameter value, the plugin uses it directly in a command without validating it against the list of choices it offered. This allows a skilled attacker to inject malicious commands into the system.

VulnCheck’s team confirmed that they could use this flaw to run their own code on the server, a dangerous type of attack called remote code execution (RCE). They were able to use this method to gain control of a test server and even access sensitive information, such as a master key.

Even though the official fix for the vulnerability has been released, VulnCheck warns that the patch can be manually disabled by a system administrator. This means a server can remain vulnerable even after it has been updated. As a result, the security firm has created a detection rule to help companies spot attempts to exploit this weakness.

While the firm doesn’t believe the flaw will be widely exploited, they note that it’s the kind of weakness that skilled attackers value for specific, targeted attacks or for moving deeper into a company’s network.

Related news

GHSA-qcj2-99cg-mppf: Jenkins Git Parameter Plugin vulnerable to code injection due to inexhaustive parameter check

Jenkins Git Parameter Plugin implements a choice build parameter that lists the configured Git SCM’s branches, tags, pull requests, and revisions. Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices. This allows attackers with Item/Build permission to inject arbitrary values into Git parameters. Git Parameter Plugin 444.vca_b_84d3703c2 validates that the Git parameter value submitted to the build matches one of the offered choices.
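As an added illustration (not the plugin's code, the advisory's, or VulnCheck's), the pre-fix pattern the article describes, a submitted value spliced straight into a command, is sketched below next to the check the advisory describes for the fixed version, a strict match against the offered choices. The list of choices and the `git checkout` command line are constructed for the example.

```python
from typing import Iterable, List

# Constructed sample of the choices a Git Parameter build step might offer.
# In the real plugin these come from the configured SCM's branches and tags.
OFFERED_CHOICES = ["main", "release/1.4", "v1.4.0", "feature/login"]


class InvalidGitParameter(ValueError):
    """Raised when a submitted value is not one of the offered choices."""


def unsafe_checkout_command(submitted: str) -> str:
    """The pre-fix pattern: the submitted value is spliced into a shell string.

    Whatever the user typed lands in the command line verbatim, which is the
    command-injection condition the article describes. Shown for contrast
    only; nothing here executes it.
    """
    return f"git checkout {submitted}"


def is_offered_choice(submitted: str, offered: Iterable[str]) -> bool:
    """True only when the value exactly equals one of the offered choices.

    Exact comparison is deliberate: case variants, trailing whitespace and
    values with extra characters all fail, so nothing reaches a command
    that the plugin did not itself list.
    """
    return submitted in set(offered)


def validate_git_parameter(submitted: str, offered: Iterable[str]) -> str:
    """Return the value if it is an offered choice, otherwise reject it.

    This mirrors the behaviour GHSA-qcj2-99cg-mppf describes for the fixed
    plugin version (444.vca_b_84d3703c2 validates the submitted value).
    """
    if not is_offered_choice(submitted, offered):
        raise InvalidGitParameter(f"{submitted!r} is not an offered choice")
    return submitted


def safe_checkout_argv(submitted: str, offered: Iterable[str]) -> List[str]:
    """Build the checkout command as an argv list from a validated choice.

    The list form (no shell) is defence in depth: even a value that somehow
    bypassed validation would reach git as a single argument rather than
    being parsed by a shell. 'git checkout' is illustrative only.
    """
    ref = validate_git_parameter(submitted, offered)
    return ["git", "checkout", "--", ref]
```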