Jenkins Servers Vulnerable to Active PoC Exploit Attacks

Several working exploits for a critical Jenkins vulnerability that lets attackers read arbitrary files from the controller are now publicly available, and criminals are already using them against exposed servers.

On January 24, 2024, Jenkins published a security advisory with fixes for nine vulnerabilities. The advisory describes the attack scenarios for each issue, the fixed versions, and workarounds for administrators who cannot update immediately (for the CLI issue below, disabling access to the CLI entirely).

The most significant of them is CVE-2024-23897, an arbitrary file read in the Jenkins CLI: the command parser (args4j) expands an argument of the form `@<path>` into the contents of that file on the controller, so an attacker who can reach the CLI can read files from the controller's file system. Depending on what can be read (for example, secrets, or the contents of `secrets/` that the CLI protocol relies on), the read can be escalated to remote code execution. The issue is fixed in Jenkins 2.442 and LTS 2.426.3.
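One quick triage step a defender can take is to compare the version a controller advertises with the fixed versions from the advisory. The script below is an added example for this article, not code from the Jenkins project; the sample headers are constructed, and it assumes the controller is reachable and still sends its version in the `X-Jenkins` response header (a hint, not proof of exposure, since the real exposure depends on whether the CLI is reachable).

```python
"""Check a Jenkins controller's reported version against the fixed
versions for CVE-2024-23897 (fixed in Jenkins 2.442 and LTS 2.426.3).

Added example, not code from the Jenkins project or the article.
The sample headers at the bottom are constructed; the version
cut-offs come from the Jenkins security advisory of 2024-01-24.
"""
import re
from typing import Optional, Tuple

# First fixed version on each release line, per the advisory.
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '2.426.2' or '2.441' into a tuple of ints; None if it does not
    look like a Jenkins version. Trailing qualifiers such as '-SNAPSHOT'
    are ignored."""
    m = re.match(r"^\s*(\d+(?:\.\d+){1,2})", text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_lts(version: Tuple[int, ...]) -> bool:
    """LTS releases carry three components (2.426.2); weekly releases
    carry two (2.441). That is how the two lines are told apart."""
    return len(version) == 3


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True if the version predates the fix on its own release line.
    Tuple comparison handles both lines: (2, 426, 2) < (2, 426, 3)
    and (2, 441) < (2, 442)."""
    fixed = FIXED_LTS if is_lts(version) else FIXED_WEEKLY
    return version < fixed


def assess(headers: dict) -> str:
    """Classify a controller from its HTTP response headers. Jenkins
    advertises its version in the X-Jenkins header on most responses;
    a missing or odd header yields an 'unknown' verdict rather than a
    false 'fixed'."""
    raw = headers.get("X-Jenkins") or headers.get("x-jenkins")
    if raw is None:
        return "unknown: no X-Jenkins header"
    version = parse_version(raw)
    if version is None:
        return f"unknown: unparseable version {raw!r}"
    line = "LTS" if is_lts(version) else "weekly"
    state = "VULNERABLE" if is_vulnerable(version) else "fixed"
    return f"{state}: Jenkins {raw} ({line})"


if __name__ == "__main__":
    # Constructed sample headers, as a scan of several hosts might collect.
    samples = [
        {"X-Jenkins": "2.426.2"},  # last vulnerable LTS
        {"X-Jenkins": "2.426.3"},  # first fixed LTS
        {"X-Jenkins": "2.441"},    # last vulnerable weekly
        {"X-Jenkins": "2.442"},    # first fixed weekly
        {"X-Jenkins": "2.440.1"},  # a later LTS, fixed
        {"Server": "Jetty"},       # version not advertised
    ]
    for h in samples:
        print(assess(h))
```

A "fixed" verdict only means the core version is past the cut-off; a controller that has been patched but has CLI access open to anonymous users still deserves the CLI to be disabled until the patch is confirmed, and an "unknown" verdict should be treated as vulnerable until checked another way.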

Security researchers familiar with Jenkins internals have reproduced the attack and published proof-of-concept (PoC) exploits for the vulnerability on several platforms, including GitHub (1 and 2). The PoCs have been confirmed to work, which means anyone scanning for exposed Jenkins servers can use them as-is.

Some researchers have reported that their Jenkins servers have already been targeted, indicating that attackers have begun exploiting the vulnerability in the wild.

Sources: reports, release notes, official announcements.