CVE-2017-1000353

CRITICAL · KEV · NUCLEI

Jenkins <= 2.56 and LTS <= 2.46.1 - Unauthenticated Remote Code Execution via Java Deserialization


Exploitation Summary

CVE-2017-1000353 is actively exploited and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added October 2, 2025. EIP tracks 7 public exploits, including entries from SecuriTeam, qazbnm456 and vulhub, and a Metasploit module (exploits/linux/http/jenkins_cli_deserialization). A Nuclei detection template is also available.

AI-analyzed exploit summary: The public exploits abuse the Java deserialization flaw in the Jenkins CLI (CVE-2017-1000353) by sending two HTTP requests to the CLI endpoint that together form a bidirectional channel. The first request opens the session; the second delivers the serialized payload, which the server deserializes, yielding remote code execution (RCE).

Description

Jenkins 2.56 and earlier, and LTS 2.46.1 and earlier, are vulnerable to unauthenticated remote code execution. An attacker can send a serialized Java `SignedObject` to the remoting-based Jenkins CLI. The CLI's blacklist-based deserialization protection did not cover `SignedObject`, and `SignedObject.getObject()` deserializes the object it wraps with a new `ObjectInputStream` that the blacklist does not apply to, so the inner payload is deserialized unchecked. The fix adds `SignedObject` to the blacklist. In addition, the HTTP CLI protocol introduced in Jenkins 2.54 is backported to LTS 2.46.2, and the remoting-based (Java serialization) CLI protocol is deprecated and disabled by default.
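The bypass and the fix described above, as an added example that is not Jenkins' own code: a stand-in class plays the part of the object the blacklist is supposed to stop, and a JDK 9+ `ObjectInputFilter` pattern plays the part of the blacklist. The class name `Blocked`, the filter strings and the throwaway RSA key are constructed for the demo; the only Jenkins fact it relies on is the one in the advisory, that `SignedObject.getObject()` deserializes with a fresh `ObjectInputStream`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignedObject;

// Added example, not Jenkins code. Requires JDK 9+ (java.io.ObjectInputFilter).
public class SignedObjectBypassDemo {

    // Stand-in for a class the blacklist must keep out. A real exploit wraps a
    // gadget chain here; this class is harmless and constructed for the demo.
    static class Blocked implements Serializable {
        private static final long serialVersionUID = 1L;
        String note = "inner object was deserialized";
    }

    // Pre-fix blacklist: Blocked rejected, everything else (SignedObject included) allowed.
    static final String OLD_BLACKLIST = "!SignedObjectBypassDemo$Blocked;*";
    // Post-fix blacklist: SignedObject rejected as well, mirroring the Jenkins fix.
    static final String FIXED_BLACKLIST = "!java.security.SignedObject;!SignedObjectBypassDemo$Blocked;*";

    static byte[] serialize(Serializable obj) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    // Attacker side: wrap the inner object in a SignedObject. Any throwaway key
    // works, because getObject() only deserializes; it never checks the signature.
    static byte[] wrapInSignedObject(Serializable inner) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        SignedObject signed = new SignedObject(inner, kp.getPrivate(), Signature.getInstance("SHA256withRSA"));
        return serialize(signed);
    }

    // Server side: filter the outer stream with the blacklist, then unwrap. The
    // unwrap inside SignedObject.getObject() uses a brand-new ObjectInputStream
    // that this stream's filter never sees.
    static Object deserialize(byte[] data, String blacklist) throws Exception {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(blacklist);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            Object outer = ois.readObject();
            return (outer instanceof SignedObject) ? ((SignedObject) outer).getObject() : outer;
        }
    }

    static String attempt(String label, byte[] data, String blacklist) {
        try {
            Object o = deserialize(data, blacklist);
            return label + ": DESERIALIZED " + o.getClass().getName();
        } catch (InvalidClassException e) {
            return label + ": REJECTED (" + e.getMessage() + ")";
        } catch (Exception e) {
            return label + ": ERROR " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] direct = serialize(new Blocked());
        byte[] wrapped = wrapInSignedObject(new Blocked());
        // 1. Blocked sent directly: the old blacklist stops it at the outer stream.
        System.out.println(attempt("direct, old blacklist", direct, OLD_BLACKLIST));
        // 2. Blocked inside a SignedObject: the outer filter only ever sees SignedObject,
        //    the inner deserialization is unfiltered, Blocked comes through. This is the bypass.
        System.out.println(attempt("wrapped, old blacklist", wrapped, OLD_BLACKLIST));
        // 3. Same payload against the fixed blacklist: rejected before getObject() can run.
        System.out.println(attempt("wrapped, fixed blacklist", wrapped, FIXED_BLACKLIST));
    }
}
```

Compile and run with `javac SignedObjectBypassDemo.java && java SignedObjectBypassDemo`; the second line is the one that shows `Blocked` being deserialized despite the filter. The fixed blacklist closes this specific wrapper, which is what the advisory describes. The more robust option is a process-wide filter (`-Djdk.serialFilter=...` or `ObjectInputFilter.Config.setSerialFilter`), because it is applied to every `ObjectInputStream` the JVM creates, including the one inside `getObject()`, whereas a filter set only on the entry stream is always one wrapper class away from the next bypass.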

Exploits (7)

exploitdb · WORKING POC
by SecuriTeam · text, dos, java
https://www.exploit-db.com/exploits/41965

This exploit leverages a Java deserialization vulnerability in Jenkins (CVE-2017-1000353) by sending two HTTP requests to establish a bidirectional channel. The first request initiates the session, while the second delivers a serialized payload to achieve remote code execution (RCE).

Classification: Working PoC (90%) · Attack type: Deserialization · Complexity: Moderate · Reliability: Reliable
Target: Jenkins (unspecified version, pre-mitigation)
No auth needed
Prerequisites: Ability to send HTTP requests to the target Jenkins instance · Java environment to generate the serialized payload
Analysis: devstral-2, Feb 16, 2026
github · WRITEUP · 3,480 stars
by qazbnm456 · poc
https://github.com/qazbnm456/awesome-cve-poc/tree/master/CVE-2017-1000353.md

This repository provides references to external PoCs and advisories for CVE-2017-1000353, a Jenkins Java deserialization vulnerability leading to remote code execution. It includes links to functional exploits and technical details but does not contain direct exploit code.

Classification: Writeup (90%) · Attack type: Deserialization · Complexity: Moderate · Reliability: Reliable
Target: Jenkins
No auth needed
Prerequisites: Network access to vulnerable Jenkins instance
Analysis: devstral-2, Feb 27, 2026
nomisec · WORKING POC · 56 stars
by vulhub · remote-auth
https://github.com/vulhub/CVE-2017-1000353

This repository contains a functional exploit for CVE-2017-1000353, a deserialization vulnerability in Jenkins. The exploit leverages a crafted serialized payload to achieve remote code execution (RCE) by exploiting insecure deserialization in the Jenkins CLI interface.

Classification: Working PoC (95%) · Attack type: Deserialization · Complexity: Moderate · Reliability: Reliable
Target: Jenkins
No auth needed
Prerequisites: Access to the Jenkins CLI interface · Java environment for payload generation
Analysis: devstral-2, Feb 18, 2026
github · WRITEUP · 14 stars
by xbl3 · poc
https://github.com/xbl3/awesome-cve-poc_qazbnm456/tree/master/CVE-2017-1000353.md

This repository provides references to external PoCs and advisories for CVE-2017-1000353, a Jenkins Java deserialization vulnerability leading to remote code execution. It lacks direct exploit code but includes links to functional PoCs and detailed advisory information.

Classification: Writeup (80%) · Attack type: Deserialization · Complexity: Moderate · Reliability: Reliable
Target: Jenkins
No auth needed
Prerequisites: Network access to vulnerable Jenkins instance
Analysis: devstral-2, Feb 27, 2026
nomisec · SUSPICIOUS · 3 stars
by r00t4dm · poc
https://github.com/r00t4dm/Jenkins-CVE-2017-1000353

The repository contains no actual exploit code or technical details about CVE-2017-1000353. It only includes JavaScript bundle files and a minimal README with no meaningful content, suggesting it may be a placeholder or lure.

Classification: Suspicious (90%) · Attack type: Other · Complexity: Theoretical · Reliability: Theoretical
Target: Jenkins
No auth needed
Analysis: devstral-2, Feb 18, 2026
nomisec · SUSPICIOUS
by Jelc0Doesbruf · poc
https://github.com/Jelc0Doesbruf/CVE-2017-1000353

The repository lacks functional exploit code for CVE-2017-1000353, instead containing placeholder files, generic documentation, and unrelated Docker configurations. No technical details or PoC code are present.

Classification: Suspicious (90%) · Attack type: Other · Complexity: N/A · Reliability: N/A
Target: N/A
No auth needed
Analysis: devstral-2, Feb 19, 2026
metasploit · WORKING POC · EXCELLENT
by SSD, Unknown, Shelby Pace · ruby, poc, linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/jenkins_cli_deserialization.rb

This Metasploit module exploits an unauthenticated Java deserialization vulnerability in Jenkins CLI (CVE-2017-1000353) to achieve remote code execution. It crafts a malicious serialized object and sends it to the target Jenkins instance via the CLI endpoint.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Jenkins 2.56 and earlier (and LTS 2.46.1 and earlier)
No auth needed
Prerequisites: Network access to the Jenkins CLI endpoint (typically port 8080) · Jenkins version <= 2.56 or LTS <= 2.46.1
Analysis: devstral-2, Feb 16, 2026

Nuclei Templates (1)

Jenkins CLI - Java Deserialization · CRITICAL · by hnd3884
Shodan: cpe:"cpe:2.3:a:jenkins:jenkins" || http.favicon.hash:"81586312" || product:"jenkins" || x-jenkins
FOFA: icon_hash=81586312
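Before running the Nuclei template or the Metasploit module against a host found with the queries above, a version triage from the `X-Jenkins` response header separates in-range instances from patched ones. The following is an added example, not the Nuclei template or Jenkins code; the version boundaries (weekly <= 2.56, LTS <= 2.46.1, fixed in 2.57 and 2.46.2) come from the advisory, the `/login` path and the optional target URL argument are assumptions, and the sample header values in `main` are constructed.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.Optional;
import java.util.regex.Pattern;

// Added example, not Jenkins or Nuclei code. Requires JDK 11+ (java.net.http).
public class JenkinsVersionTriage {

    // Last affected release on each line, per the advisory.
    static final int[] LAST_VULN_WEEKLY = {2, 56};
    static final int[] LAST_VULN_LTS = {2, 46, 1};
    static final Pattern VERSION = Pattern.compile("\\d+(\\.\\d+){1,2}");

    // "2.46.1" -> {2, 46, 1}; null for anything that is not two or three dotted integers.
    static int[] parse(String version) {
        if (version == null || !VERSION.matcher(version.trim()).matches()) return null;
        String[] parts = version.trim().split("\\.");
        int[] v = new int[parts.length];
        for (int i = 0; i < parts.length; i++) v[i] = Integer.parseInt(parts[i]);
        return v;
    }

    // Jenkins LTS releases carry three components (2.46.1), weekly releases two (2.56).
    static boolean isLts(int[] v) { return v.length == 3; }

    static int compare(int[] a, int[] b) {
        int n = Math.max(a.length, b.length);
        for (int i = 0; i < n; i++) {
            int x = i < a.length ? a[i] : 0;
            int y = i < b.length ? b[i] : 0;
            if (x != y) return Integer.compare(x, y);
        }
        return 0;
    }

    // True when the reported version is within the affected range of its release line.
    // Unparseable versions return false: no conclusion, not "safe".
    static boolean isAffected(String version) {
        int[] v = parse(version);
        if (v == null) return false;
        int[] last = isLts(v) ? LAST_VULN_LTS : LAST_VULN_WEEKLY;
        return compare(v, last) <= 0;
    }

    // Jenkins sets X-Jenkins on most responses; /login is reachable without credentials
    // on a default install (assumption: no proxy in front stripping the header).
    static Optional<String> fetchVersion(String baseUrl) throws Exception {
        HttpClient client = HttpClient.newBuilder().followRedirects(HttpClient.Redirect.NORMAL).build();
        HttpRequest req = HttpRequest.newBuilder(URI.create(baseUrl + "/login"))
                .method("HEAD", HttpRequest.BodyPublishers.noBody())
                .build();
        HttpResponse<Void> resp = client.send(req, HttpResponse.BodyHandlers.discarding());
        return resp.headers().firstValue("X-Jenkins");
    }

    public static void main(String[] args) throws Exception {
        // Offline self-check on constructed header values: the first three are in range,
        // the next three are not, the last cannot be parsed.
        String[] samples = {"2.56", "2.46.1", "1.651.3", "2.57", "2.46.2", "2.60.1", "unknown"};
        for (String s : samples) {
            System.out.println(s + " -> " + (parse(s) == null ? "unparseable"
                    : isAffected(s) ? "AFFECTED" : "not affected"));
        }
        // Live triage when a base URL is given, e.g. https://jenkins.example:8080 (assumed).
        if (args.length == 1) {
            Optional<String> v = fetchVersion(args[0]);
            System.out.println(args[0] + " X-Jenkins=" + v.orElse("<absent>")
                    + " -> " + (v.isPresent() && isAffected(v.get()) ? "AFFECTED" : "not affected / unknown"));
        }
    }
}
```

Run with no arguments for the offline self-check, or with a base URL to query a live host. Treat the verdict as triage only: the vulnerable path is the remoting-based CLI, so an in-range version with that CLI already disabled is not exposed, a reverse proxy may drop `X-Jenkins`, and the Nuclei template or the Metasploit module is the actual confirmation.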

References (6)

Core References
https://www.exploit-db.com/exploits/41965/ (Exploit, Third Party Advisory, VDB Entry; exploit, x_refsource_exploit-db)
http://www.securityfocus.com/bid/98056 (VDB Entry; x_refsource_bid; broken link)
https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory; x_refsource_misc)
https://jenkins.io/security/advisory/2017-04-26/ (Vendor Advisory; x_refsource_confirm)
http://packetstormsecurity.com/files/159266/Jenkins-2.56-CLI-Deserialization-Code-Execution.html (Permissions Required, Third Party Advisory, VDB Entry; x_refsource_misc)

Scores

CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.9448 (percentile 100.0%)
Attack Vector: NETWORK

CISA SSVC (Vulnrichment)

Exploitation: active · Automatable: yes · Technical Impact: total

Details

CISA KEV: 2025-10-02
VulnCheck KEV: 2018-07-07
InTheWild.io: 2018-02-18
ENISA EUVD: EUVD-2022-1921
CWE: CWE-502 (Deserialization of Untrusted Data)
Status: published
Products (4)
jenkins/jenkins <= 2.46.1 (LTS line; fixed in 2.46.2)
jenkins/jenkins <= 2.56 (weekly line; fixed in 2.57)
oracle/communications_cloud_native_core_automated_test_suite 1.9.0
org.jenkins-ci.main/jenkins-core 2.50 - 2.57 (Maven)
Published: Jan 29, 2018
KEV Added: Oct 02, 2025
Tracked Since: Feb 18, 2026