CVE-2024-23897: Jenkins Vulnerability Now a Known Exploitation Target

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Jenkins vulnerability to its Known Exploited Vulnerabilities (KEV) catalog after it was leveraged in ransomware attacks.

The vulnerability, identified as CVE-2024-23897 with a CVSS score of 9.8, affects the Jenkins command-line interface and constitutes a path traversal issue that can lead to arbitrary code execution. The problem was first discovered by security researchers at Sonar in January 2024 and was addressed in Jenkins versions 2.442 and LTS 2.426.3 by disabling the command parser feature.

In March, Trend Micro reported several attacks exploiting this vulnerability originating from the Netherlands, Singapore, and Germany. The investigation also revealed that remote code execution exploits using this vulnerability were being actively distributed among cybercriminals.

In recent weeks, CloudSEK and Juniper Networks have published research findings indicating that CVE-2024-23897 is being actively used in attacks against companies BORN Group and Brontoo Technology Solutions. According to researchers, these attacks are attributed to the cybercriminal entities IntelBroker and RansomExx, both of which specialize in ransomware.

CloudSEK further clarified that CVE-2024-23897 is a Local File Inclusion (LFI) vulnerability, which allows attackers to read arbitrary files on the Jenkins server. This vulnerability arises from insufficient input validation, enabling attackers to manipulate specific parameters and force the server to access sensitive files.

Given the active exploitation of this vulnerability, U.S. federal agencies have been directed to apply updates and secure their networks against potential threats by September 9, 2024.