CVE-2017-1000353
Published 2018-01-29
Priority: P1 99 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2025-10-23
Exploited in the wild
EPSS: 99.69% (99.9th percentile)
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | jenkins | <= 2.56 (weekly line) | 2.57 |
| jenkins | jenkins | <= 2.46.1 (LTS line) | 2.46.2 |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| oracle | communications_cloud_native_core_automated_test_suite | — | — |
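The two ranges in the table are easy to get wrong when an inventory mixes weekly and LTS versions, because 2.46.2 (LTS, fixed) sorts below 2.56 (weekly, vulnerable). The following is an added example, not code from Jenkins or from any source on this page: it classifies a version string by its shape (two components = weekly, three = LTS) against the ranges above, and runs over a constructed set of `X-Jenkins` response-header values. The hostnames and header values are made up.

```python
"""Triage Jenkins instances against the CVE-2017-1000353 affected ranges.

Added example, not part of the advisory or of Jenkins.  Weekly releases
(two components, e.g. 2.56) are affected up to and including 2.56; LTS
releases (three components, e.g. 2.46.1) up to and including 2.46.1.
"""
from __future__ import annotations

import re

# Last affected release on each line, taken from the Affected table above.
LAST_AFFECTED_WEEKLY = (2, 56)
LAST_AFFECTED_LTS = (2, 46, 1)


def parse_version(raw: str) -> tuple[int, ...]:
    """Turn '2.46.2', '2.60.3-SNAPSHOT' or ' 2.56 ' into an integer tuple.

    Anything after the first '-' (build metadata) is ignored.  Raises
    ValueError for strings that are not a dotted numeric version.
    """
    core = raw.strip().split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)+", core):
        raise ValueError(f"not a Jenkins version: {raw!r}")
    return tuple(int(p) for p in core.split("."))


def is_affected(raw: str) -> bool:
    """True if the version falls inside a CVE-2017-1000353 affected range.

    The component count selects the line: two components is a weekly
    release, three is an LTS release.
    """
    v = parse_version(raw)
    if len(v) == 2:
        return v <= LAST_AFFECTED_WEEKLY
    if len(v) == 3:
        return v <= LAST_AFFECTED_LTS
    raise ValueError(f"unexpected version shape: {raw!r}")


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map host -> 'affected' / 'fixed' / 'unknown' from X-Jenkins values."""
    result = {}
    for host, header in inventory.items():
        try:
            result[host] = "affected" if is_affected(header) else "fixed"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory: host -> value of the X-Jenkins response header.
SAMPLE_INVENTORY = {
    "ci-old.example.internal": "2.32.1",   # LTS line, the version in the Exploit-DB title
    "ci-weekly.example.internal": "2.56",  # last affected weekly release
    "ci-lts.example.internal": "2.46.2",   # first LTS release with the fix backported
    "ci-new.example.internal": "2.57",     # first fixed weekly release
    "ci-odd.example.internal": "n/a",      # header stripped by a reverse proxy
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:30} {SAMPLE_INVENTORY[host]:10} {verdict}")
```

A "fixed" verdict only says the SignedObject path is closed. Releases from 2.54 and LTS 2.46.2 on still ship the remoting-based CLI protocol, deprecated and off by default, so confirm on each instance that it has not been re-enabled. The `X-Jenkins` header is also absent when a proxy strips it, which is why the unparseable case is reported as "unknown" rather than silently skipped.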
Detection & IOCs (extracted from sources)
Bytes: base64 of the serialized hudson.remoting.Capability object that opens the remoting handshake
rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4=
- The exploit preamble begins with this base64-encoded serialized hudson.remoting.Capability object. Detect the blob, or its decoded bytes, in HTTP POST bodies to /cli that carry a `Side: upload` header. The blob is the ordinary remoting handshake, so a legitimate jenkins-cli.jar client in remoting mode sends the same bytes; treat a hit as "the remoting CLI was spoken to this instance" and confirm on the instance whether that protocol is still enabled.
- In-the-wild exploitation injects PowerShell via the deserialization payload to download and execute a miner. Hunt for powershell.exe spawned as a child of the Jenkins java process with `-WindowStyle Hidden` and `DownloadFile` on the command line.
- Exposure inventory via Shodan/FOFA: favicon hash 81586312 or the `X-Jenkins` HTTP response header identifies Jenkins instances; the header value is the version, which feeds triage against the affected ranges.
- The vulnerability only affects the remoting-based (Java serialization) CLI protocol. Instances where this protocol is disabled (the default from 2.54 and LTS 2.46.2 on) are not exploitable via this vector.
- The bypass wraps a malicious serialized object inside a java.security.SignedObject. SignedObject.getObject() deserializes its embedded byte array with a fresh, plain ObjectInputStream, so the class blocklist Jenkins enforces on its own outer stream is never consulted for the inner object.
- The fix adds SignedObject to the remoting blocklist and backports the HTTP-based CLI protocol to LTS 2.46.2. Users should also explicitly disable the remoting-based CLI after upgrading.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
| vendor_oracle | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
GHSA
Deserialization of Untrusted Data in Jenkins
ghsa · 2022-05-13 · CRITICAL · CWE-502
Description: same text as the summary above.
OSV
Deserialization of Untrusted Data in Jenkins
osv · 2022-05-13 · CRITICAL
Description: same text as the summary above.
VulnCheck
Jenkins Remote Code Execution Vulnerability
vulncheck · 2017 · CVSS 9.8 · CRITICAL
Jenkins contains a remote code execution vulnerability that allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI; it would be deserialized using a new ObjectInputStream, bypassing the existing blocklist-based protection mechanism.
Affected: Jenkins Jenkins
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/new-jenkins-campaign-hides-malware--kills-competing-crypto-miner; https://blog.talosintelligence.com/2018/12/cryptomining-campaigns-2018.html; https://www.ci
CISA
Jenkins Remote Code Execution Vulnerability
cisa · 2025-10-02 · CVSS 9.8 · CRITICAL
Affected: Jenkins Jenkins
Jenkins contains a remote code execution vulnerability that allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI; it would be deserialized using a new ObjectInputStream, bypassing the existing blocklist-based protection mechanism.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.jenkins.io/security/advisory/2017-04-26/ ; https://nvd.nist.gov/vuln/detail/CVE-2017-1000353
Remediation Due Date: 2025-10-23
Oracle
Oracle Communications Risk Matrix: Automated Test Suite (Jenkins) — CVE-2017-1000353
vendor_oracle · 2022-04-15 · CVSS 9.8 · CRITICAL
CVE: CVE-2017-1000353
CVSS: 9.8
Protocol: HTTP
Remote exploit without authentication: Yes
Attack vector: Network
Advisory: cpuapr2022 (April 2022 Critical Patch Update)
Jenkins
Jenkins Security Advisory 2017-04-26
vendor_jenkins · 2017-04-26 · CVSS 8.8 · HIGH
This advisory announces multiple vulnerabilities in Jenkins.
Description
CSRF: Multiple vulnerabilities
SECURITY-412 through SECURITY-420 / CVE-2017-1000356
Multiple Cross-Site Request Forgery vulnerabilities in Jenkins allowed malicious users to perform several administrative actions by tricking a victim into opening a web page.
The most notable ones:
SECURITY-412: Restart Jenkins immediately, after all builds are finished, or after all plugin installations and builds are finished
SECURITY-412: Schedule a downgrade of Jenkins to a previously installed version if Jenkins previously upgraded itself
SECURITY-413: Install and (optionally) dynamically
Red Hat
jenkins: Unauthenticated remote code execution (SECURITY-429)
vendor_redhat · 2017-04-26 · CVSS 9.8 · CRITICAL · CWE-502
Description: same text as the summary above.
Package: jenkins (Red Hat OpenShift Enterprise 2) - Will not fix
Package: jenkins (Red Hat O
Suricata
ET WEB_SPECIFIC_APPS Possible Jenkins CLI RCE (CVE-2017-1000353)
suricata · 2018-02-21 · CVSS 9.8 · CRITICAL
The rule keys on a POST whose URI starts with /cli, a `Side: upload` request header, and a request body that begins with the remoting preamble and the base64 Capability object. Those bytes are the normal remoting CLI handshake, which is why the rule says "Possible" and carries confidence Medium: a hit proves the remoting protocol was spoken to the instance, and only the serialized payload that follows tells whether it was an attack.
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible Jenkins CLI RCE (CVE-2017-1000353)"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cli"; startswith; http.header; header_lowercase; content:"side|3a 20|upload"; http.request_body; content:"JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJ"; fast_pattern; reference:url,blogs.securiteam.com/index.php/archives/3171; reference:cve,2017-1000353; reference:url,research.checkpoint.com/jenkins-miner-one-biggest-mining-operations-ever-discovered/; classtype:attempted-user; sid:2025376; rev:6; metadata:created_at 2018_02_21, cve CVE_2017_100035, confidence Medium, signature_severity Major,
Exploit-DB
CloudBees Jenkins 2.32.1 - Java Deserialization
exploitdb · 2017-05-05
---
Source: https://blogs.securiteam.com/index.php/archives/3171
Vulnerability Details
Jenkins is vulnerable to a Java deserialization vulnerability. To trigger it, two requests need to be sent.
The vulnerability lies in the implementation of a bidirectional communication channel (over HTTP) which accepts commands.
The first request starts a session for the bidirectional channel and is used for "downloading" data from the server. The HTTP header "Session" is the identifier for the channel. The HTTP header "Side" specifies the "download/upload" direction.
The second request is the sending component of the bidirectional channel. The first request is blocked until the second request is sent. The requ
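The two-request channel described here, together with the Capability preamble from the Detection & IOCs section and the Suricata rule above, gives enough to write a detector that works on captured HTTP requests rather than on a single byte pattern. The block below is an added example, not code from the Suricata rule, from the securiteam write-up or from Jenkins. It groups POSTs to /cli by their `Session` header, records which `Side` values were seen, and for the upload side base64-decodes the preamble and walks the serialized `hudson.remoting.Capability` object far enough to confirm the class name and read its `mask` field. Everything in `SAMPLE_REQUESTS` is constructed: the session id, the headers, and the bytes after the preamble, which are a placeholder standing in for a real serialized payload. Taking the base64 run to end at the first byte outside the base64 alphabet is an assumption about the wire format, not something the page states.

```python
"""Flag the CVE-2017-1000353 request shape in captured HTTP traffic.

Added example, not code from the Suricata rule, the securiteam write-up
or Jenkins.  The remoting CLI over HTTP is a 'download' POST and an
'upload' POST to /cli sharing a Session header; the upload body opens
with the remoting preamble plus the base64 serialized
hudson.remoting.Capability object.  SAMPLE_REQUESTS is constructed: the
session id, the headers and the bytes after the preamble are made up.
"""
from __future__ import annotations

import base64
import binascii
import re
import struct
from dataclasses import dataclass, field

PREAMBLE = b"<===[JENKINS REMOTING CAPACITY]===>"
CAPABILITY_B64 = ("rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAE"
                  "bWFza3hwAAAAAAAAAH4=")          # blob from Detection & IOCs above
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"             # STREAM_MAGIC, STREAM_VERSION 5


@dataclass
class Request:
    method: str
    path: str
    headers: dict[str, str] = field(default_factory=dict)
    body: bytes = b""

    def header(self, name: str) -> str | None:
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), None)


def parse_capability(blob: bytes) -> dict:
    """Decode the serialized hudson.remoting.Capability (one long field, 'mask').

    Java serialization layout handled here, and only this one: STREAM_MAGIC,
    TC_OBJECT 0x73, TC_CLASSDESC 0x72, UTF class name, serialVersionUID,
    flags, field count, 'J' + UTF field name, TC_ENDBLOCKDATA 0x78,
    TC_NULL 0x70 (no superclass), then the long value.
    """
    if blob[:6] != JAVA_STREAM_MAGIC + b"\x73\x72":
        raise ValueError("not a serialized object stream")
    pos = 6

    def utf() -> str:                      # length-prefixed modified UTF-8 string
        nonlocal pos
        (n,) = struct.unpack_from(">H", blob, pos)
        s = blob[pos + 2:pos + 2 + n].decode("ascii")
        pos += 2 + n
        return s

    class_name = utf()
    suid, flags, nfields = struct.unpack_from(">qBH", blob, pos)
    pos += 11
    fields = []
    for _ in range(nfields):
        typecode = chr(blob[pos])
        pos += 1
        fields.append((typecode, utf()))
    if fields != [("J", "mask")] or blob[pos:pos + 2] != b"\x78\x70":
        raise ValueError("unexpected class shape")
    (mask,) = struct.unpack_from(">q", blob, pos + 2)
    return {"class": class_name, "serialVersionUID": suid, "flags": flags, "mask": mask}


def extract_capability(body: bytes) -> dict | None:
    """Parsed Capability if the body opens with the preamble, else None."""
    if not body.startswith(PREAMBLE):
        return None
    # Assumption: the base64 run ends at the first non-base64 byte (the payload).
    m = re.match(rb"[A-Za-z0-9+/=]+", body[len(PREAMBLE):])
    if not m:
        return None
    try:
        return parse_capability(base64.b64decode(m.group(0)))
    except (ValueError, binascii.Error, IndexError, struct.error):
        return None


def classify(requests: list[Request]) -> dict[str, dict]:
    """Group POSTs to .../cli by Session header and give each session a verdict."""
    sessions: dict[str, dict] = {}
    for r in requests:
        path = r.path.split("?", 1)[0].rstrip("/")
        if r.method.upper() != "POST" or not path.endswith("/cli"):
            continue                       # endswith keeps context paths like /jenkins/cli
        sid = r.header("Session") or "<no-session>"
        entry = sessions.setdefault(sid, {"sides": set(), "capability": None})
        side = (r.header("Side") or "").lower()
        entry["sides"].add(side)
        if side == "upload":
            entry["capability"] = extract_capability(r.body)
    for entry in sessions.values():
        cap = entry["capability"]
        if cap and cap["class"] == "hudson.remoting.Capability":
            entry["verdict"] = "remoting-cli-session"      # the exploit's shape
        elif "upload" in entry["sides"]:
            entry["verdict"] = "upload-without-preamble"
        else:
            entry["verdict"] = "download-only"
    return sessions


SESSION_ID = "3f2a9b0e-1a5c-4d2e-9b7f-6c0d1e2f3a4b"     # constructed
SAMPLE_REQUESTS = [                                        # constructed, not a real capture
    Request("POST", "/cli", {"Session": SESSION_ID, "Side": "download"}),
    Request("POST", "/cli", {"Session": SESSION_ID, "Side": "upload",
                             "Content-Type": "application/octet-stream"},
            PREAMBLE + CAPABILITY_B64.encode("ascii")
            + JAVA_STREAM_MAGIC + b"<placeholder for serialized payload>"),
    Request("GET", "/login"),
    Request("POST", "/cli", {"Session": "deadbeef-0000-4000-8000-000000000001",
                             "Side": "download"}),
]
```

Run over `SAMPLE_REQUESTS`, `classify` reports the constructed session as `remoting-cli-session` with a parsed Capability (`class` `hudson.remoting.Capability`, `serialVersionUID` 1, `mask` 126) and the lone download request as `download-only`. As with the Suricata rule, a `remoting-cli-session` verdict shows the remoting protocol was spoken to the instance; whether that is an attack or a legitimate jenkins-cli.jar session is decided by the payload bytes after the preamble and by whether the instance should have that protocol enabled at all.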
Nuclei
Jenkins CLI - Java Deserialization
nuclei · CVSS 9.8 · CRITICAL
Description: same text as the summary above.
Template:
id: CVE-2017-1000353
info:
name: Jenkins CLI - Java Deserialization
author: hnd3884
severity: critical
descr
Metasploit
Jenkins CLI Deserialization
metasploit
An unauthenticated Java object deserialization vulnerability exists in the CLI component for Jenkins versions `v2.56` and below. The `readFrom` method within the `Command` class in the Jenkins CLI remoting component deserializes objects received from clients without first checking / sanitizing the data. Because of this, a malicious serialized object contained within a serialized `SignedObject` can be sent to the Jenkins endpoint to achieve code execution on the target.
Checkpoint
Jenkins Miner: One of the Biggest Mining Operations Ever Discovered
blogs_checkpoint · 2018-02-15 · CVSS 9.8 · CRITICAL
The Check Point research team has discovered what could potentially become one of the biggest malicious mining operation
Greynoiseio
NoiseLetter January 2025
blogs_greynoiseio
Recorded Future
October 2025 CVE Landscape
blogs_recorded_future · CVSS 9.8 · CRITICAL
# October 2025 CVE Landscape: 32 High-Impact Vulnerabilities Demand Immediate Attention
October 2025 saw a significant escalation in vulnerability activity, with Recorded Future's Insikt Group® identifying 32 high-impact vulnerabilities, double the 16 identified in September's CVE report. Twenty-six of these vulnerabilities scored as Very Critical.
What security teams need to know:
- Microsoft dominates: Eight of 32 vulnerabilities affect Microsoft products, including a critical WSUS deserialization flaw (CVE-2025-59287) now being actively exploited
- CL0P ransomware group exploited an Oracle E-Business Suite zero-day (CVE-2025-61882) for data theft and extortion campaigns
- Legacy vulnerabilities persist: Five of the 14 RCE-enabling vulnerabilities are over a decade old, highlighting c
Bugzilla
CVE-2017-1000353 CVE-2017-1000354 CVE-2017-1000355 CVE-2017-1000356 jenkins: various flaws [fedora-all]
bugzilla · 2017-04-27 · CVSS 9.8 · CRITICAL
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects m
Bugzilla
CVE-2017-1000353 jenkins: Unauthenticated remote code execution (SECURITY-429)
bugzilla · 2017-04-27 · CVSS 9.8 · CRITICAL
An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing blacklist-based protection mechanism.
SignedObject has been added to the remoting blacklist.
In Jenkins 2.54, the remoting-based CLI protocol was deprecated and a new, HTTP based protocol introduced as the new default, in addition to the existing SSH-based CLI. This feature has been backported to Jenkins 2.46.2. It is strongly recommended that users upgrading Jenkins disable the remoting-based CLI, and use the one of the other modes (HTTP or SSH) instead.
Affected versions:
References
- http://packetstormsecurity.com/files/159266/Jenkins-2.56-CLI-Deserialization-Code-Execution.html
- http://www.securityfocus.com/bid/98056
- https://jenkins.io/security/advisory/2017-04-26/
- https://www.exploit-db.com/exploits/41965/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-1000353
Timeline
- 2018-01-29: Published
- 2025-10-02: Added to CISA KEV
- Exploited in the wild