Jenkins A.I CyberSecurity Scoring
Jenkins
Company Information
Website: https://jenkins.io/
Employees number: 38
Number of followers: 16,375
NAICS:
Industry Type: Information Technology & Services
Homepage: jenkins.io
Jenkins Risk Score (AI oriented): 738/1000, Moderate (Ba), in the 700 to 749 band. Updated: 15/06/2026.
Jenkins Global Score (TPRM): score locked.
Current Score: 738 Ba (Moderate), on a 0 to 1000 scale.
4 incidents, -5 average impact per incident.
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
June 2026: 743
Vulnerability, 15 Jun 2026, Jenkins
Jenkins: Critical Jenkins RCE Vulnerability Under Active Exploitation in the Wild
Critical Jenkins Deserialization Vulnerability Under Active Exploitation (CVE-2026-53435)
Score: 738. Rating: CRITICAL-5. Incident ID: JEN1781526230.
A severe deserialization flaw in Jenkins, tracked as CVE-2026-53435, is being actively exploited by threat actors following its public disclosure on June 10, 2026. The vulnerability affects Jenkins 2.567 and earlier and Jenkins LTS 2.555.2 and earlier, allowing attackers to manipulate HTTP request handling and hijack server execution flow via malicious config.xml submissions.
Exploitation enables arbitrary code execution (RCE), user impersonation, unauthorized HTTP requests, access to the Jenkins Script Console, and sensitive file reads including system credentials. With a CVSS score of 9.0, the flaw is classified as Critical.
Honeypot telemetry detected attack attempts within hours of disclosure, with active exploitation confirmed by June 15, 2026. Attack traffic originated from IP 194.247.182.44, linked to AS57043 (HOSTKEY B.V.), a Netherlands-based hosting provider frequently abused by threat actors. The observed attack targeted port 443, blending with legitimate HTTPS traffic, and included a path traversal attempt to read /etc/passwd using default credentials (admin:admin).
Jenkins has released patches:
- Jenkins Weekly: Upgrade to 2.568 or later
- Jenkins LTS: Upgrade to 2.555.3 or later
Temporary mitigations include restricting access to the /job//config.xml endpoint, disabling anonymous access, and enforcing strong credentials. The advisory also addresses two lower-severity open-redirect flaws (CVE-2026-53436 and CVE-2026-53437), though neither matches the criticality of CVE-2026-53435. A public proof-of-concept has accelerated exploitation, widening the attack window.
May 2026: 742
April 2026: 742
March 2026: 747
Vulnerability, 18 Mar 2026, Jenkins
Jenkins and Valve: New DDoS Malware Exploits Jenkins to Attack Valve Source Engine Game Servers
New DDoS Botnet Targets Valve Source Engine Game Servers via Exposed Jenkins Instances
Score: 742. Rating: MEDIUM-5. Incident ID: JENVAL1777645518.
Security researchers at Darktrace uncovered a sophisticated DDoS botnet exploiting misconfigured Jenkins servers to launch attacks against Valve Source Engine game infrastructure, including Counter-Strike and Team Fortress 2 servers. The malware, first detected on March 18, 2026, via Darktrace's CloudyPots honeypot network, stands out for its cross-platform capabilities and precise targeting of the gaming sector, a growing focus for cybercriminals that Cloudflare ranks as the fourth most attacked industry globally.
The attack begins with threat actors scanning for Jenkins instances with weak or default credentials, then leveraging an exposed remote code execution (RCE) endpoint to deploy malicious payloads. Once inside, the malware delivers Windows and Linux variants: on Windows, it downloads a file disguised as a system update, while on Linux, it executes a Bash script to fetch and run a payload from the /tmp directory. Both use a Vietnamese-hosted IP (103[.]177.110.202) for command-and-control (C2) and payload delivery, an unusual consolidation that reduces the operation's resilience.
The botnet employs multiple DDoS techniques, including UDP floods, TCP push attacks, and HTTP request floods, with a particularly effective method called "attack_dayz." This tactic exploits Valve Source Engine’s query protocol, sending small requests that trigger disproportionately large responses, overwhelming servers with minimal attacker bandwidth. The malware also ensures persistence by:
- Manipulating Jenkins environment variables ("dontKillMe") to evade process timeouts.
- Renaming itself to mimic legitimate Linux kernel processes ("ksoftirqd/0" or "kworker").
- Using double forking and redirecting logs to /dev/null to avoid detection.
- Ignoring termination signals (SIGTERM) to resist manual shutdowns.
Once active, the malware connects to the C2 server, reporting system details and awaiting attack commands. It supports three utility functions: PING (keep-alive), !stop (termination), and !update (self-updating). Darktrace recommends blocking TCP port 5444 (used for C2 communication) and the identified attacker IP at the network perimeter, alongside securing Jenkins instances with strong authentication and restricting public access.
February 2026: 746
January 2026: 746
December 2025: 746
November 2025: 746
October 2025: 745
September 2025: 745
August 2025: 745
July 2025: 744
June 2025: 749
Vulnerability, 09 Jun 2025, Jenkins
Critical XSS Vulnerability in Jenkins Gatling Plugin
Score: 744. Rating: CRITICAL-5. Incident ID: JEN302060925.
A critical cross-site scripting (XSS) vulnerability in the popular Jenkins Gatling Plugin allows attackers to bypass Content-Security-Policy (CSP) protections. The vulnerability, tracked as CVE-2025-5806, affects Gatling Plugin version 136.vb_9009b_3d33a_e and poses significant risks to Jenkins environments utilizing this performance testing integration tool. The exploitation of this vulnerability requires users with the ability to modify Gatling report content, which typically includes developers, QA engineers, and system administrators with appropriate Jenkins permissions. Once exploited, attackers can execute arbitrary JavaScript code within the context of the Jenkins application, potentially leading to session hijacking, credential theft, or unauthorized administrative actions. The high CVSS severity rating assigned to this vulnerability reflects its potential for significant impact on Jenkins’ infrastructure.
May 2025: 753
Vulnerability, 01 May 2025, Jenkins
Critical Command Injection Flaw in Jenkins Git Parameter Plugin (CVE-2025-53652)
Score: 748. Rating: CRITICAL-5. Incident ID: JEN537081025.
A critical command injection vulnerability (CVE-2025-53652) in the Jenkins Git Parameter plugin has been disclosed by VulnCheck. Initially rated as medium severity, the flaw allows remote code execution (RCE), enabling attackers to take control of Jenkins servers that allow unauthenticated access. Around 15,000 servers are at risk because their security settings are disabled. The vulnerability lets attackers inject malicious commands and potentially access sensitive data such as master keys. Although a patch has been released, administrators can manually disable it, leaving systems exposed. VulnCheck warns that while widespread exploitation is unlikely, skilled attackers may use it for targeted attacks or deeper network infiltration.