Jenkins: Critical Jenkins RCE Vulnerability Under Active Exploitation in the Wild

Critical Jenkins Deserialization Vulnerability Under Active Exploitation

A severe deserialization flaw in Jenkins, tracked as CVE-2026-53435, is being actively exploited by threat actors following its public disclosure on June 10, 2026. The vulnerability affects Jenkins 2.567 and earlier and Jenkins LTS 2.555.2 and earlier, allowing attackers to manipulate HTTP request handling and hijack server execution flow via malicious config.xml submissions.

Exploitation enables arbitrary code execution (RCE), user impersonation, unauthorized HTTP requests, access to the Jenkins Script Console, and sensitive file reads including system credentials. With a CVSS score of 9.0, the flaw is classified as Critical.

Honeypot telemetry detected attack attempts within hours of disclosure, with active exploitation confirmed by June 15, 2026. Attack traffic originated from IP 194.247.182.44, linked to AS57043 (HOSTKEY B.V.), a Netherlands-based hosting provider frequently abused by threat actors. The observed attack targeted port 443, blending with legitimate HTTPS traffic, and included a path traversal attempt to read /etc/passwd using default credentials (admin:admin).

Jenkins has released patches:

  • Jenkins Weekly: Upgrade to 2.568 or later
  • Jenkins LTS: Upgrade to 2.555.3 or later
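
Confirming which side of the fix line an instance sits on is the first step, and the two release lines need separate comparisons: weekly versions have two components (2.567) while LTS versions have three (2.555.2). The following Python is an added example, not code from the article or the Jenkins project. It compares a version string such as the one Jenkins returns in its X-Jenkins response header against the fixed releases listed above; the header dictionaries are stand-ins for real HTTP responses and the version strings are constructed.

```python
"""Fix-level check for the Jenkins releases named in the advisory.

Added example, not Jenkins project code. Fixed releases per the advisory:
Weekly 2.568 or later, LTS 2.555.3 or later. Weekly versions have two
components (2.567); LTS versions have three (2.555.2).
"""
from __future__ import annotations

FIXED_WEEKLY = (2, 568)
FIXED_LTS = (2, 555, 3)


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.555.2' into (2, 555, 2); reject anything that is not 2 or 3
    dotted integers, so a bogus or spoofed header cannot pass as 'fixed'."""
    parts = version.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(p) for p in parts)


def release_line(parsed: tuple[int, ...]) -> str:
    """Three components means LTS, two means weekly."""
    return "lts" if len(parsed) == 3 else "weekly"


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fix for its own release line.
    Tuple comparison is lexicographic, so (2, 555, 2) < (2, 555, 3) and
    (2, 567) < (2, 568). An LTS line newer than 2.555.x compares above
    FIXED_LTS and is assumed to carry the fix; the advisory states only
    that 2.555.2 and earlier are affected."""
    parsed = parse_version(version)
    if release_line(parsed) == "lts":
        return parsed < FIXED_LTS
    return parsed < FIXED_WEEKLY


def classify_headers(headers: dict[str, str]) -> dict | None:
    """Classify an instance from its response headers. Jenkins reports its
    version in the X-Jenkins header; return None when it is absent (not
    Jenkins, or the header was stripped by a proxy)."""
    version = next((v for k, v in headers.items() if k.lower() == "x-jenkins"), None)
    if version is None:
        return None
    parsed = parse_version(version)
    return {
        "version": version,
        "line": release_line(parsed),
        "vulnerable": is_vulnerable(version),
    }


if __name__ == "__main__":
    # Constructed sample headers standing in for real HTTP responses.
    for sample in ({"X-Jenkins": "2.567"}, {"X-Jenkins": "2.555.2"},
                   {"x-jenkins": "2.555.3"}, {"Server": "nginx"}):
        print(sample, "->", classify_headers(sample))
```

Jenkins adds the X-Jenkins header to its responses even when the request itself is rejected, so the same check works against instances that already deny anonymous access; feeding it the headers from a real response (for example the output of `curl -sI` against the instance root) is the only change needed for live use.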

Temporary mitigations include restricting access to the /job/*/config.xml endpoint, disabling anonymous access, and enforcing strong credentials. The same advisory also addresses two lower-severity open-redirect flaws (CVE-2026-53436 and CVE-2026-53437), neither of which approaches the criticality of CVE-2026-53435. A public proof-of-concept has accelerated exploitation and widened the attack window.
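
The honeypot observation above (a config.xml submission from the IOC address, followed by a path traversal attempt for /etc/passwd under admin:admin) and the recommendation to monitor for exploitation attempts both reduce to the same triage over web access logs. The following Python is an added example, not code from the article or the Jenkins project. It assumes Jenkins sits behind an NGINX or Apache reverse proxy writing "combined" format lines, which record the client IP, the basic-auth username (not the password), the request line and the status; the sample log lines are constructed for the example, and only the IOC address 194.247.182.44 and the /job/<name>/config.xml endpoint come from the report.

```python
"""Triage of reverse-proxy access logs for the indicators in this report.

Added example, not from the article or the Jenkins project. Assumes Jenkins
sits behind NGINX/Apache writing "combined" format lines, which record the
client IP, the basic-auth username (not the password), the request line and
the status. The sample lines are constructed; only the IOC address
194.247.182.44 and the /job/<name>/config.xml path come from the report.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

IOC_IPS = {"194.247.182.44"}  # AS57043 (HOSTKEY B.V.) address named in the report

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
CONFIG_XML_RE = re.compile(r"^/job/[^/]+/config\.xml$")  # the exploited endpoint

# Constructed sample log (combined format), not real telemetry.
SAMPLE_LOG = """\
10.0.0.5 - alice [15/Jun/2026:09:12:01 +0000] "GET /job/build-api/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
194.247.182.44 - - [15/Jun/2026:09:13:44 +0000] "POST /job/build-api/config.xml HTTP/1.1" 200 0 "-" "python-requests/2.31"
194.247.182.44 - admin [15/Jun/2026:09:13:50 +0000] "GET /job/build-api/..%2f..%2f..%2fetc/passwd HTTP/1.1" 404 0 "-" "python-requests/2.31"
10.0.0.9 - ci-bot [15/Jun/2026:09:20:10 +0000] "POST /job/build-api/config.xml HTTP/1.1" 200 0 "-" "Jenkins-CLI"
"""


def triage_line(line: str) -> list[str] | None:
    """Return indicator tags for one log line, [] for a benign line, or None
    when the line is not in combined format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, user, method, status = m["ip"], m["user"], m["method"], int(m["status"])
    # Drop the query string and decode twice so %2e%2e and %252e%252e both surface.
    path = unquote(unquote(m["path"].split("?", 1)[0]))

    tags: list[str] = []
    if ip in IOC_IPS:
        tags.append("ioc-source")
    if "../" in path or "..\\" in path:
        tags.append("path-traversal")
    if method in ("POST", "PUT") and CONFIG_XML_RE.match(path):
        # A config.xml write on its own is routine (jobs are reconfigured via
        # CLI and pipelines all day); the combination with other tags matters.
        tags.append("config-xml-write")
        if user == "-" and 200 <= status < 300:
            # Accepted write with no authenticated user: anonymous access is
            # still enabled, which the advisory says to disable.
            tags.append("anonymous-config-write")
    if user == "admin" and ip in IOC_IPS:
        # Matches the admin:admin default-credential attempt; the log cannot
        # show the password, so this only says the IOC host presented
        # credentials for the admin account.
        tags.append("admin-from-ioc")
    return tags


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (line, tags) for every line carrying at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        tags = triage_line(line)
        if tags:
            findings.append((line, tags))
    return findings


if __name__ == "__main__":
    for line, tags in triage(SAMPLE_LOG):
        print(", ".join(tags), "<-", line.split('"')[1])
```

The fourth sample line shows why a single indicator is not an alert: a CI service account writing config.xml from an internal address is normal Jenkins operation, whereas an anonymous write accepted with 200, or any config.xml write from a known attacker address, is the event the report describes and deserves an immediate check of the job's configuration history and the Script Console audit trail.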

Source: https://cyberpress.org/jenkins-rce-vulnerability/

Jenkins TPRM report: https://www.rankiteo.com/company/jenkinsio

"id": "jen1781526230",
"linkid": "jenkinsio",
"type": "Vulnerability",
"date": "6/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Users of Jenkins 2.567 and '
                                              'earlier, Jenkins LTS 2.555.2 '
                                              'and earlier',
                        'industry': 'Technology/DevOps',
                        'location': 'Global',
                        'name': 'Jenkins',
                        'type': 'Software Provider'}],
 'attack_vector': 'HTTP request manipulation via malicious config.xml '
                  'submissions',
 'data_breach': {'file_types_exposed': ['config.xml', '/etc/passwd'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'System credentials, sensitive '
                                             'files, Jenkins configuration '
                                             'data'},
 'date_detected': '2026-06-15',
 'date_publicly_disclosed': '2026-06-10',
 'description': 'A severe deserialization flaw in Jenkins, tracked as '
                'CVE-2026-53435, is being actively exploited by threat actors '
                'following its public disclosure on June 10, 2026. The '
                'vulnerability affects Jenkins 2.567 and earlier and Jenkins '
                'LTS 2.555.2 and earlier, allowing attackers to manipulate '
                'HTTP request handling and hijack server execution flow via '
                'malicious config.xml submissions. Exploitation enables '
                'arbitrary code execution (RCE), user impersonation, '
                'unauthorized HTTP requests, access to the Jenkins Script '
                'Console, and sensitive file reads including system '
                'credentials.',
 'impact': {'data_compromised': 'System credentials, sensitive files (e.g., '
                                '/etc/passwd), Jenkins Script Console access',
            'operational_impact': 'Arbitrary code execution, unauthorized '
                                  'access, potential system compromise',
            'systems_affected': 'Jenkins servers (2.567 and earlier, LTS '
                                '2.555.2 and earlier)'},
 'investigation_status': 'Ongoing',
 'post_incident_analysis': {'corrective_actions': 'Patch management, access '
                                                  'controls, credential '
                                                  'hardening',
                            'root_causes': 'Deserialization flaw in Jenkins '
                                           'HTTP request handling'},
 'recommendations': 'Upgrade Jenkins to patched versions, restrict access to '
                    'vulnerable endpoints, disable anonymous access, enforce '
                    'strong credentials, monitor for exploitation attempts.',
 'references': [{'source': 'Jenkins Security Advisory'},
                {'source': 'Honeypot Telemetry'}],
 'response': {'containment_measures': 'Restrict access to /job/*/config.xml '
                                      'endpoint, disable anonymous access, '
                                      'enforce strong credentials',
              'remediation_measures': 'Upgrade to Jenkins Weekly 2.568 or '
                                      'later, Jenkins LTS 2.555.3 or later'},
 'title': 'Critical Jenkins Deserialization Vulnerability Under Active '
          'Exploitation (CVE-2026-53435)',
 'type': 'Deserialization Vulnerability',
 'vulnerability_exploited': 'CVE-2026-53435'}