Connect with us

Hi, what are you looking for?



45,000 Exposed Jenkins Instances Found Amid Reports of In-the-Wild Exploitation

Shadowserver Foundation has seen 45,000 Jenkins instances affected by CVE-2024-23897, which may already be exploited in attacks.

The Shadowserver Foundation has seen 45,000 internet-exposed Jenkins instances that appear to be affected by a recently disclosed critical vulnerability, and there are unconfirmed reports of exploitation in the wild. 

The developers of the open source CI/CD automation tool recently announced patches for CVE-2024-23897, a critical vulnerability that can allow attackers to read the content of files. Unauthenticated attackers can read limited data from files, while authenticated attackers could read the entire file.

Some files include Jenkins secrets that could enable the attacker to escalate privileges and potentially execute arbitrary code on the targeted server.

Code quality firm Sonar, which discovered the vulnerability, published technical details on January 24 and a proof-of-concept (PoC) exploit was made public a few days later.

Researcher Chaofan Shou, who works at blockchain security firm FuzzLand and is a PhD student at UC Berkeley, reported seeing in-the-wild exploitation on January 25, even before the PoC exploit was published. 

“We host hundreds of honeypots across the globe and we have sniffed connections conducting the CVE-2024-23897 attacks against Jenkins instances supporting anonymous access since 1/25. We have confirmed the in-the-wild exploitation and extracted the exploit from the attack,” the researcher told SecurityWeek.

“We observed attacks with different patterns from different sources. The first and most notable one attempted to first read Jenkins secret key files and ssh keys, then dump Jenkins credential files,” he added. 

No one else appears to have confirmed in-the-wild exploitation. Threat intelligence firm GreyNoise, which tracks vulnerability exploitation attempts, told SecurityWeek that it currently does not have any insights for CVE-2024-23897, but the company did recently see a ‘single ping’ targeting an old Jenkins vulnerability disclosed in 2015.

Advertisement. Scroll to continue reading.

Of the 45,000 internet-exposed instances seen by Shadowserver, a majority are located in the United States and China, with roughly 11,000 systems each, followed by Germany, India and France. 

Related: Vulnerabilities in WatchGuard, Panda Security Products Lead to Code Execution

Related: Cisco Patches Critical Vulnerability in Enterprise Collaboration Products

Related: PoC Code Published for Just-Disclosed Fortra GoAnywhere Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.