CVE-2025-32754
📋 TL;DR
The jenkins/ssh-agent Docker image generated its SSH host keys when the image was built, so every container started from the same image version presents the same host key, and the matching private key is available to anyone who pulls the public image. An attacker who can intercept traffic between the Jenkins controller and an SSH agent can therefore impersonate the agent and man-in-the-middle the connection, and strict host key checking on the controller does not stop this because the attacker holds exactly the key the controller expects. All users running affected jenkins/ssh-agent images are affected.
💻 Affected Systems
- jenkins/ssh-agent Docker image
📦 What is this software?
jenkins/ssh-agent is the official Docker image for a Jenkins build agent that the controller reaches over SSH: it runs sshd and authorizes the controller's public key supplied through the JENKINS_AGENT_SSH_PUBKEY environment variable.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the build pipeline: an attacker impersonating the agent receives everything the controller sends to it (the agent launch, workspace contents, credentials injected into builds) and can return fabricated build results or artifacts, enabling unauthorized code execution, credential theft, and injection of malicious artifacts into CI/CD output.
Likely Case
Unauthorized access to build environments, harvesting of credentials that the controller passes to builds, and manipulation of build artifacts leading to supply chain compromise.
If Mitigated
Limited impact if network segmentation prevents an attacker from positioning between controller and agents. Note that host key verification on its own is not a mitigation here: pinning the shared image key is exactly what the attacker can satisfy. Verification only helps once each container has its own host keys and the controller pins those.
🎯 Exploit Status
Exploitation requires the attacker to be able to intercept traffic between the Jenkins controller and an SSH agent (on-path access, ARP spoofing on a shared segment, or hijacking the agent's DNS name). No secret is needed beyond the private host key, which is obtained by pulling the affected public image, so the attack is straightforward once positioned.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.11.2 and later
Vendor Advisory: https://www.jenkins.io/security/advisory/2025-04-10/#SECURITY-3565
Restart Required: Yes (agent containers must be recreated from the fixed image; the controller itself does not need a restart)
Instructions:
1. Pull jenkins/ssh-agent 6.11.2 or later, pinning the exact tag you deploy rather than latest.
2. Recreate every agent container from the new image. Updating the image does nothing for containers that are already running.
3. Fixed containers generate their own host keys on start, so the host key the controller has stored for each agent no longer matches. Update it for each agent in the SSH Build Agents plugin's host key verification settings (known hosts file, manually provided key, or manually trusted key), confirming the new fingerprint out of band before accepting it.
🔧 Temporary Workarounds
Regenerate SSH host keys at container startup
Linux: override the image entrypoint so that each container deletes the baked-in keys and generates its own before sshd starts. The keys must be generated inside the container that will actually serve builds; a throwaway docker run --rm invocation generates keys and then discards them with the container. ssh-keygen -A works in both the Debian and Alpine variants of the image, whereas dpkg-reconfigure only exists on Debian. setup-sshd is the image's own entrypoint script; confirm it with docker inspect --format '{{json .Config.Entrypoint}}' jenkins/ssh-agent:6.11.1 before relying on it.
docker run -d --name ssh-agent-1 \
  -e JENKINS_AGENT_SSH_PUBKEY="<controller public key>" \
  --entrypoint sh jenkins/ssh-agent:6.11.1 \
  -c 'rm -f /etc/ssh/ssh_host_* && ssh-keygen -A && exec setup-sshd'
Use custom Dockerfile with key generation
Linux: build a derived image that strips the shared keys from the image layer and generates a fresh set each time a container starts, then hands off to the upstream entrypoint (setup-sshd; confirm with docker inspect as above). Because ssh-keygen -A only creates keys that are missing, mounting a per-agent volume on /etc/ssh keeps each agent's fingerprint stable across container recreation, which makes pinning on the controller practical.
FROM jenkins/ssh-agent:6.11.1
# Remove the host keys baked into the image so no container can start with them
RUN rm -f /etc/ssh/ssh_host_*
# Generate this container's own keys, then exec the original entrypoint with any CMD arguments
ENTRYPOINT ["sh", "-c", "ssh-keygen -A && exec setup-sshd \"$@\"", "sh"]
🧯 If You Can't Patch
- Implement strict network segmentation between Jenkins controller and SSH agents
- Regenerate unique host keys per agent (see the workarounds above) and only then enforce host key verification on the controller, pinning each agent's own fingerprint and disabling automatic acceptance of new keys. Pinning the shared image key offers no protection, since the attacker has the same key.
🔍 How to Verify
Check if Vulnerable:
List the ssh-agent images in use (any tag at or below 6.11.1 is affected): docker images | grep jenkins/ssh-agent
Check Version:
Read the image labels for the tag you actually deploy rather than latest, which floats: docker inspect --format '{{json .Config.Labels}}' jenkins/ssh-agent:<tag>
Verify Fix Applied:
The decisive test is that two freshly started containers from the same image present different fingerprints. Run on each container and compare: docker exec <container> ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
If every container from one image reports the same fingerprint, the keys are still shared and the fix or workaround is not in effect.
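The comparison above done across many containers at once, as an added example script that is not part of the advisory or of the jenkins/ssh-agent project. The container names passed on the command line and the fingerprints in the test input are constructed for illustration; only the collection functions need a Docker daemon, and report_shared works on any "name fingerprint" lines so it can be fed output from another inventory tool.

```shell
#!/bin/sh
# Added example (not from the advisory or the jenkins/ssh-agent project).
# Flags SSH host key fingerprints shared by more than one container, which is
# the observable symptom of CVE-2025-32754.
set -eu

# Print "container_name fingerprint" for each container named on the command line.
# ssh-keygen is available in the image because it runs sshd; ed25519 is one of the
# key types sshd generates, and all types are generated together, so one suffices.
collect_fingerprints() {
    for name in "$@"; do
        fp=$(docker exec "$name" ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub | awk '{print $2}')
        printf '%s %s\n' "$name" "$fp"
    done
}

# Returns 0 when the image at rest already contains private host keys (every
# container will inherit them), non-zero when the image ships none.
image_ships_host_keys() {
    docker run --rm --entrypoint sh "$1" -c 'ls /etc/ssh/ssh_host_*_key >/dev/null 2>&1'
}

# Reads "name fingerprint" lines on stdin. Prints one line per shared fingerprint
# ("fingerprint: name1 name2 ...") and returns 1 when any key is shared (the
# vulnerable condition); prints nothing and returns 0 when all keys are unique.
report_shared() {
    shared=$(awk '
        { count[$2]++; names[$2] = names[$2] " " $1 }
        END { for (fp in count) if (count[fp] > 1) print fp ":" names[fp] }
    ')
    if [ -z "$shared" ]; then
        return 0
    fi
    printf '%s\n' "$shared" | sort
    return 1
}

# Usage: sh check-host-keys.sh ssh-agent-1 ssh-agent-2 ssh-agent-3
if [ "$#" -gt 0 ]; then
    if collect_fingerprints "$@" | report_shared; then
        echo "host keys are unique across the given containers"
    else
        echo "shared host keys found above: these containers are vulnerable (CVE-2025-32754)"
        exit 1
    fi
fi
```

Run it against every ssh-agent container on a host; a non-zero exit means at least one fingerprint is presented by two or more containers. image_ships_host_keys is a quicker pre-check on an image tag before anything is started: an image that stores host keys in its layers cannot give containers unique keys unless something regenerates them at startup.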
📡 Detection & Monitoring
Log Indicators:
- Host key mismatch warnings from the controller's SSH Build Agents plugin (expected after you rotate keys; unexpected otherwise)
- SSH authentication failures or agent disconnects for agents that had been connecting normally
Network Indicators:
- SSH connections to an agent's port from hosts other than the controller, or controller SSH sessions terminating at an unexpected host or MAC address (a sign of on-path interception)
Inventory Indicators:
- Multiple containers presenting identical SSH host key fingerprints; this is the direct sign that affected images are still in use
SIEM Query:
source="jenkins" AND ("SSH host key" OR "HostKey" OR "man-in-the-middle")