CVE-2018-1000861

CRITICAL KEV RANSOMWARE NUCLEI

Jenkins < 2.138.3 and < 2.153 - Remote Code Execution via Stapler Framework URL Invocation

Title source: llm

Exploitation Summary

CVE-2018-1000861 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 10, 2022, with confirmed use in ransomware campaigns. EIP tracks 3 public exploits from researchers including 1NTheKut, smokeintheshell, Orange Tsai, Mikhail Egorov, George Noseevich, wvu, including a Metasploit module exploits/multi/http/jenkins_metaprogramming. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a .NET Core-based exploit detection tool for chaining CVE-2018-1000861 (ACL bypass) with CVE-2019-1003000 (RCE) in Jenkins CI. It demonstrates unauthenticated remote code execution by sending a crafted GET request to download and execute a malicious JAR file.

Description

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.

Exploits (3)

nomisec WORKING POC 4 stars

by 1NTheKut · remote

https://github.com/1NTheKut/CVE-2019-1003000_RCE-DETECTION

View Code ZIP pw:eip

This repository contains a .NET Core-based exploit detection tool for chaining CVE-2018-1000861 (ACL bypass) with CVE-2019-1003000 (RCE) in Jenkins CI. It demonstrates unauthenticated remote code execution by sending a crafted GET request to download and execute a malicious JAR file.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Jenkins CI (version 2.121 with specific plugins)

No auth needed

Prerequisites: Vulnerable Jenkins instance (2.121) with specific plugins · Network access to target · .NET Core framework

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by smokeintheshell · remote

https://github.com/smokeintheshell/CVE-2018-1000861

View Code ZIP pw:eip

This is a Python 3 script that exploits CVE-2018-1000861, an unauthenticated RCE vulnerability in Jenkins. It injects a command into a Java class via a crafted HTTP request to the Jenkins Script Security Plugin endpoint.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Jenkins with Script Security Plugin

No auth needed

Prerequisites: Target Jenkins server with vulnerable Script Security Plugin · Network access to the Jenkins server

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Orange Tsai, Mikhail Egorov, George Noseevich, wvu · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/jenkins_metaprogramming.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2018-1000861 in Jenkins by bypassing ACLs via dynamic routing and leveraging Groovy metaprogramming for RCE. It supports two targets: Unix in-memory execution and Java dropper payloads.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Jenkins <= 2.137 with Pipeline: Groovy Plugin 2.61

No auth needed

Prerequisites: Jenkins instance with vulnerable version · Network access to target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 30, 2026 Full analysis →

Nuclei Templates (1)

Jenkins - Remote Command Injection

CRITICALby dhiyaneshDK,pikpikcu

Shodan: http.favicon.hash:81586312 || cpe:"cpe:2.3:a:jenkins:jenkins" || product:"jenkins"

FOFA: icon_hash=81586312

References (5)

Core 5

Core References

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-1000861

Vendor Advisory x_refsource_confirm

https://jenkins.io/security/advisory/2018-12-05/#SECURITY-595

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHBA-2019:0024

Broken Link vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/106176

Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/166778/Jenkins-Remote-Code-Execution.html

Scores

CVSS v3 9.8

EPSS 0.9833

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact total

Details

CISA KEV 2022-02-10

VulnCheck KEV 2020-06-24

InTheWild.io 2019-05-07

ENISA EUVD EUVD-2022-4161

Ransomware Use Confirmed

CWE

CWE-502

Status published

Products (4)

jenkins/jenkins < 2.138.3

jenkins/jenkins < 2.153

org.jenkins-ci.main/jenkins-core 0 - 2.138.4Maven

redhat/openshift_container_platform 3.11

Published Dec 10, 2018

KEV Added Feb 10, 2022

Tracked Since Feb 18, 2026