Critical Jenkins RCE Vulnerability Exploited, Patch Now
A critical deserialization vulnerability in Jenkins is now being actively exploited by threat actors, with honeypot telemetry confirming live attack attempts as of the early hours of June 15, 2026.
The flaw, tracked as CVE-2026-53435, carries a CVSS base score of 9.0 (Critical) and enables full remote code execution on unpatched Jenkins controllers. It affects Jenkins weekly releases 2.567 and earlier, as well as Jenkins LTS 2.555.2 and earlier.
Critical Jenkins RCE Vulnerability Exploited
The flaw resides in how Jenkins processes config.xml submissions: specifically, it lets an attacker make the Jenkins controller deserialize arbitrary types defined in Jenkins core or in installed plugins by sending an attacker-controlled config.xml in a POST request.

Once deserialization is triggered, the attacker can intercept and manipulate HTTP request handling, effectively hijacking server-side execution flow. A successful exploit grants threat actors a wide range of capabilities:
- User impersonation across any Jenkins account
- Unauthorized HTTP requests executed on behalf of any user
- Access to the Jenkins Script Console for arbitrary code execution
- Direct file read access on the Jenkins controller, including sensitive system files
The vulnerability’s CVSS vector, AV:N/AC:L/Au:S/C:C/I:C/A:C, is written in CVSS v2 notation: the flaw is reachable over the network with low attack complexity and requires only a single authentication (Au:S), meaning any valid Jenkins account suffices, while the impact on confidentiality, integrity and availability is complete. That is a low bar for motivated attackers.
Threat intelligence honeypots began logging exploitation attempts within hours of the vulnerability’s public disclosure on June 10, 2026.
By the morning of June 15, inbound attack traffic was captured originating from IP 194.247.182.44, attributed to AS57043 HOSTKEY B.V., a Netherlands-based hosting provider frequently abused by threat actors.
The captured HTTP request shows a path-traversal probe sent with default credentials:
GET /view/rqdtumqy/properties/0/etc/passwd HTTP/1.1
Authorization: Basic YWRtaW46YWRtaW4=
Cookie: JSESSIONID.58767308=node5vm5NUG4mpx6qmNV67cnVlIr2_uQ7xn0.node0
The Authorization header decodes to the default credential pair admin:admin, indicating that automated scanners are probing Jenkins deployments with factory credentials and then attempting to read /etc/passwd, a standard reconnaissance step ahead of deeper compromise. Note that this request is a GET rather than the config.xml POST the deserialization flaw requires, so on its own it evidences scanner reconnaissance against the honeypot rather than a completed exploit of CVE-2026-53435.
The attack targeted port 443, likely to blend with legitimate HTTPS traffic and evade network-layer detection.
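As an added triage example (not code from the article or from the Jenkins project), the Python below runs three detections over raw request captures of the kind shown above: it decodes the Basic Authorization header and compares it with a short constructed default-credential list, flags path-traversal and /etc/passwd probes, and flags POSTs to job or view config.xml endpoints, the surface the article says CVE-2026-53435 abuses. The sample requests are constructed: the first reproduces the captured request above, the other two are invented for contrast. The default-credential list and the config.xml endpoint pattern are assumptions to tune to your own deployment.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed default credential pairs (assumption: extend with your own list).
DEFAULT_CREDS = {"admin:admin", "admin:password", "jenkins:jenkins"}

# Job/view configuration endpoints that accept config.xml submissions (assumed pattern).
CONFIG_XML_RE = re.compile(r"^/(?:job|view)/[^/]+/config\.xml(?:\?.*)?$")
# Traversal sequences and the classic /etc/passwd probe, checked after URL-decoding.
TRAVERSAL_RE = re.compile(r"(?:\.\./|/etc/(?:passwd|shadow))", re.IGNORECASE)


@dataclass
class Finding:
    method: str
    path: str
    reasons: list = field(default_factory=list)


def parse_request(raw: str):
    """Split the head of a raw HTTP/1.x request into (method, path, headers)."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def decode_basic(header: str):
    """Return 'user:password' from a Basic Authorization value, or None if not Basic or not valid base64."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def triage(raw: str) -> Finding:
    """Apply the three detections to one captured request."""
    method, path, headers = parse_request(raw)
    finding = Finding(method, path)
    creds = decode_basic(headers.get("authorization", ""))
    if creds in DEFAULT_CREDS:
        finding.reasons.append(f"default credentials {creds}")
    if TRAVERSAL_RE.search(unquote(path)):
        finding.reasons.append("path traversal / sensitive file probe")
    if method == "POST" and CONFIG_XML_RE.match(path):
        finding.reasons.append("config.xml submission (CVE-2026-53435 attack surface)")
    return finding


# Constructed samples: the first reproduces the captured request from the article,
# the second is an invented config.xml POST from a non-default account, the third is benign.
DEPLOY_AUTH = base64.b64encode(b"deploy:s3cr3t").decode()
SAMPLE_REQUESTS = [
    "GET /view/rqdtumqy/properties/0/etc/passwd HTTP/1.1\r\n"
    "Authorization: Basic YWRtaW46YWRtaW4=\r\n"
    "Cookie: JSESSIONID.58767308=node5vm5NUG4mpx6qmNV67cnVlIr2_uQ7xn0.node0\r\n",
    f"POST /job/build-1/config.xml HTTP/1.1\r\nAuthorization: Basic {DEPLOY_AUTH}\r\nContent-Type: application/xml\r\n",
    "GET /api/json HTTP/1.1\r\nAccept: application/json\r\n",
]


def run(requests=SAMPLE_REQUESTS):
    """Triage every sample and return the findings (an empty reasons list means nothing was flagged)."""
    return [triage(r) for r in requests]


if __name__ == "__main__":
    for f in run():
        print(f"{f.method} {f.path}: {', '.join(f.reasons) or 'no findings'}")
```

Running the script prints one line per request; the captured request is flagged twice (default credentials plus the /etc/passwd probe), the config.xml POST once, and the benign API call not at all. A config.xml POST from a legitimate account is normal Jenkins administration, so treat that rule as a prioritisation signal to be correlated with the account, source IP and version of the controller rather than as an alert on its own.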
Patch and Mitigation
Jenkins has released fixed versions addressing CVE-2026-53435:
- Jenkins Weekly: Upgrade to 2.568 or later
- Jenkins LTS: Upgrade to 2.555.3 or later
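To turn the fixed-version list into a check, here is an added Python example (not from the article or from the Jenkins project). It classifies a version string as weekly or LTS by its shape, since LTS releases carry a third component (2.555.2) while weekly releases do not (2.567), and compares it against the thresholds above. It also reads the version from the X-Jenkins header that a Jenkins controller returns on its HTTP responses; the header dict and the inventory below are constructed rather than fetched.

```python
import re

# Fixed versions from the advisory as quoted in the article.
FIXED_WEEKLY = (2, 568)
FIXED_LTS = (2, 555, 3)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> tuple:
    """Turn '2.567' or '2.555.2' into a comparable tuple of ints."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(part) for part in m.groups() if part is not None)


def release_line(version: tuple) -> str:
    """LTS releases have three components (2.555.2); weekly releases have two (2.567)."""
    return "lts" if len(version) == 3 else "weekly"


def is_vulnerable(text: str) -> bool:
    """True when the version is one the advisory lists as affected by CVE-2026-53435."""
    version = parse_version(text)
    threshold = FIXED_LTS if release_line(version) == "lts" else FIXED_WEEKLY
    return version < threshold


def version_from_headers(headers: dict):
    """Jenkins advertises its version in the X-Jenkins response header (looked up case-insensitively)."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


def audit(versions):
    """Return (version, release line, vulnerable) for each controller version string."""
    results = []
    for v in versions:
        parsed = parse_version(v)
        results.append((v, release_line(parsed), is_vulnerable(v)))
    return results


# Constructed inventory of controller versions for the demonstration.
INVENTORY = ["2.567", "2.568", "2.555.2", "2.555.3", "2.540.1"]

if __name__ == "__main__":
    for v, line, vuln in audit(INVENTORY):
        print(f"{v:<10} {line:<7} {'VULNERABLE - upgrade' if vuln else 'fixed'}")
```

Feed the script the X-Jenkins value from any response of each controller you operate (the login page is enough) and it reports which ones still need the upgrade; an older LTS line such as 2.540.1 is correctly reported as vulnerable because every LTS release before 2.555.3 predates the fix.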
For organizations where an immediate upgrade is not feasible, the following mitigations should be applied without delay:
- Restrict network access to the Jenkins controller, especially the /job/*/config.xml API endpoint
- Disable anonymous access and enforce strong, unique credentials
- Audit Script Console access logs for unauthorized activity
- Block traffic from AS57043 HOSTKEY B.V. and the attacker IP 194.247.182.44, as a short-term measure only, since scanning infrastructure rotates
The same June 10 advisory also patches two related open-redirect flaws, CVE-2026-53436 and CVE-2026-53437, though neither reaches the critical severity of CVE-2026-53435.
With a public proof-of-concept already circulating days after the initial disclosure, the exploitation window is wide open. Jenkins remains one of the most widely deployed CI/CD platforms globally, making unpatched instances a high-value target for ransomware operators and APT groups alike.
Organizations running vulnerable versions should treat this as a zero-day-level priority and patch immediately.