CISA Known Exploited Vulnerability
This vulnerability is actively exploited in the wild and listed in the CISA Known Exploited Vulnerabilities catalog.
Remediation Deadline: Oct 23, 2025
Description
Jenkins contains a remote code execution vulnerability in the remoting-based Jenkins CLI. An attacker could send a serialized java.security.SignedObject to the CLI: the outer stream accepts SignedObject because it is not on the blocklist, but SignedObject.getObject() then deserializes the wrapped object with a new, unfiltered ObjectInputStream, so the existing blocklist-based protection mechanism is bypassed for whatever payload is wrapped inside.
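The following is an added example, not code from this page or from the Jenkins project, that models the mechanism described above in plain Java (JDK 9+). The class names Gadget, BlocklistingStream and BLOCKLIST are hypothetical stand-ins: Gadget is a harmless constructed class that only records that its readObject() ran, and BlocklistingStream applies a blocklist via resolveClass() the way a single protected stream would. It shows the bare gadget being rejected, the same gadget passing when wrapped in a SignedObject (because getObject() opens its own unfiltered stream), and one generic hardening: a JVM-wide java.io.ObjectInputFilter (JEP 290), which every ObjectInputStream in the process consults, including the one created inside SignedObject.getObject(). The vendor's own fix is described in the advisory linked under Required Action.

```java
import java.io.*;
import java.security.*;
import java.util.Set;

// Added example: SignedObject blocklist bypass and a process-wide filter that closes it.
public class SignedObjectBypassDemo {

    // Constructed stand-in for a deserialization gadget. Harmless: it only records that
    // readObject() ran, which is the point where a real gadget would execute attacker logic.
    static class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static volatile boolean deserialized = false;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            deserialized = true;
        }
    }

    // Hypothetical blocklist. Only the stream that enforces it is protected.
    static final Set<String> BLOCKLIST = Set.of(Gadget.class.getName());

    // Blocklist enforced the pre-JEP 290 way: a resolveClass() override on one stream.
    static class BlocklistingStream extends ObjectInputStream {
        BlocklistingStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (BLOCKLIST.contains(desc.getName())) {
                throw new InvalidClassException("blocked by outer stream: " + desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    static Object readWithBlocklist(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new BlocklistingStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Attacker side: wrap the gadget in a SignedObject. The receiver never verifies the
        // signature, so any freshly generated key is good enough.
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        SignedObject wrapper = new SignedObject(new Gadget(), kp.getPrivate(),
                Signature.getInstance("SHA256withRSA"));
        byte[] wrappedPayload = serialize(wrapper);

        // 1. A bare gadget is caught: the outer stream sees its class name.
        try {
            readWithBlocklist(serialize(new Gadget()));
        } catch (InvalidClassException e) {
            System.out.println("bare gadget: " + e.getMessage());
        }

        // 2. The wrapped gadget passes: the outer stream only resolves java.security.SignedObject,
        //    a byte[] and a String; the gadget's class name sits inside the opaque content array.
        SignedObject received = (SignedObject) readWithBlocklist(wrappedPayload);
        // getObject() opens its own new ObjectInputStream, which applies no blocklist at all.
        received.getObject();
        System.out.println("wrapped gadget deserialized: " + Gadget.deserialized);

        // 3. Hardening: a JVM-wide ObjectInputFilter is consulted by every ObjectInputStream,
        //    including the one SignedObject.getObject() creates internally. It can be set only
        //    once per JVM; production code sets it at startup (or via -Djdk.serialFilter).
        ObjectInputFilter.Config.setSerialFilter(info -> {
            Class<?> c = info.serialClass();
            if (c != null && BLOCKLIST.contains(c.getName())) {
                return ObjectInputFilter.Status.REJECTED;
            }
            return ObjectInputFilter.Status.UNDECIDED;
        });
        Gadget.deserialized = false;
        try {
            received.getObject();   // same bytes; the inner stream is now filtered too
        } catch (InvalidClassException e) {
            System.out.println("wrapped gadget with JVM-wide filter: " + e.getMessage());
        }
        System.out.println("gadget deserialized after hardening: " + Gadget.deserialized);
    }
}
```

Compile and run with `javac SignedObjectBypassDemo.java && java SignedObjectBypassDemo`. The practical lesson is that a blocklist attached to one ObjectInputStream protects only that stream; any allowed class whose own code opens a fresh ObjectInputStream (SignedObject is the textbook case) is a hole in it. Defense in depth means both rejecting such wrapper classes at the outer layer and installing a process-wide filter so the nested stream is covered as well.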
CVSS Score
9.8 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS (Exploit Probability)
94.5%
Higher than 100.0% of all CVEs
Weakness Classification (CWE)
CWE-502: Deserialization of Untrusted Data
Known Exploits
Exploit type: POC
- http://packetstormsecurity.com/files/159266/Jenkins-2.56-CLI-Deserialization-Code-Execution.html (Permissions Required)
- https://www.exploit-db.com/exploits/41965/ (Exploit)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch)
Required Action
- https://www.jenkins.io/security/advisory/2017-04-26/
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000353
Risk Assessment
CRITICAL
In CISA KEV
Known exploit
Critical CVSS
High EPSS
Details
- Severity
- High
- CVSS
- 9.8
- EPSS
- 94.5%
- CWE
- CWE-502
- Exploit
- POC
- CISA KEV
- Yes
- Ransomware
- Unknown
- Articles
- 0
Timeline
Published
Oct 2, 2025
Added to KEV
Oct 2, 2025
Remediation Due
Oct 23, 2025