CVE-2016-9299

CRITICAL EXPLOITED NUCLEI

Jenkins < 2.32 and LTS < 2.19.3 - Remote Code Execution via LDAP Query Injection

Title source: llm

Exploitation Summary

CVE-2016-9299 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including Metasploit, r00t4dm, Matthias Kaiser, Alisa Esage, Ivan, YSOSerial, including a Metasploit module exploits/linux/misc/jenkins_ldap_deserialize. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits CVE-2016-9299, a Java deserialization vulnerability in Jenkins, allowing unauthenticated remote code execution via crafted HTTP requests. It uses YSOSerial payloads for exploitation.

Description

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotelinux

https://www.exploit-db.com/exploits/44642

View Code ZIP pw:eip

This Metasploit module exploits CVE-2016-9299, a Java deserialization vulnerability in Jenkins, allowing unauthenticated remote code execution via crafted HTTP requests. It uses YSOSerial payloads for exploitation.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Jenkins 2.31

No auth needed

Prerequisites: Network access to Jenkins CLI port (default 8080) · Jenkins version vulnerable to CVE-2016-9299

MITRE ATT&CK

T1189 - Drive-by Compromise T1213 - Data from Information Repositories

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec SUSPICIOUS

by r00t4dm · poc

https://github.com/r00t4dm/Jenkins-CVE-2016-9299

View Code ZIP pw:eip

The repository contains no actual exploit code for CVE-2016-9299, only JavaScript bundles and scripts unrelated to the vulnerability. The README is empty, and there is no technical analysis or PoC provided.

Classification

Suspicious 90%

Attack Type

Other

Complexity

Theoretical

Reliability

Theoretical

Target: Jenkins

No auth needed

devstral-2 · analyzed Feb 18, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Matthias Kaiser, Alisa Esage, Ivan, YSOSerial · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/jenkins_ldap_deserialize.rb

View Code ZIP pw:eip

This Metasploit module exploits a Java deserialization vulnerability in Jenkins (CVE-2016-9299) to achieve remote code execution. It uses a crafted LDAP server to deliver a malicious serialized payload, bypassing authentication.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Jenkins 2.31

No auth needed

Prerequisites: Network access to Jenkins CLI port (8080) · LDAP server setup for payload delivery

MITRE ATT&CK