PoC Exploits Heighten Risks Around Critical New Jenkins Vuln


Some 45,000 Internet-exposed Jenkins servers remain unpatched against a critical, recently disclosed arbitrary file-read vulnerability for which proof-of-concept exploit code is now publicly available.

CVE-2024-23897 affects the built-in Jenkins command line interface (CLI) and can lead to remote code execution on affected systems. The Jenkins infrastructure team disclosed the vulnerability, and released patched versions of the software, on Jan. 24.

Proof-of-Concept Exploits

Since then, proof-of-concept (PoC) exploit code has become available for the flaw, and there are some reports of attackers actively attempting to exploit it. On Jan. 29, the nonprofit ShadowServer organization, which monitors the Internet for malicious activity, reported observing around 45,000 Internet-exposed instances of Jenkins that are vulnerable to CVE-2024-23897. Nearly 12,000 of the vulnerable instances are located in the US; China has almost as many vulnerable systems, according to ShadowServer data.