CVE-2025-53672

6.5 MEDIUM

📋 TL;DR

Kryptowire Plugin 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file on the Jenkins controller. Anyone who can read the controller's file system (controller administrators, scripts run from the Script Console, whoever holds backups or disk snapshots of JENKINS_HOME) can recover the key and use it against the organization's Kryptowire account. Every Jenkins instance running an affected version with an API key configured is exposed.

💻 Affected Systems

Products:
  • Jenkins Kryptowire Plugin
Versions: 0.2 and earlier
Operating Systems: All operating systems running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: No plugin setting avoids the issue; the key is written in plaintext as soon as one is entered in the global configuration. Instances where no API key has ever been configured have nothing to leak, but backups taken while a key was present still contain it.

📦 What is this software?

Kryptowire is a commercial mobile application security analysis service. The Jenkins Kryptowire Plugin submits application binaries produced by a build to that service for scanning, authenticating with an API key that an administrator enters once in the plugin's global configuration on the controller.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker who recovers the API key can use the Kryptowire API as the organization, including access to scan results for its mobile applications. Those results describe the weaknesses of apps that may not yet be shipped, so the leak is a direct aid to attacking the apps themselves, as well as a way to burn the account's scanning quota.

🟠

Likely Case

An insider, or an attacker who has compromised an account with controller file system access, reads the key out of the configuration file and uses Kryptowire services under the organization's account, exfiltrating scan results or consuming its quota. Because the key is plaintext, a leaked backup of JENKINS_HOME has the same effect.

🟢

If Mitigated

Tight permissions on JENKINS_HOME and a short list of controller administrators confine the exposure to people who are trusted anyway. The key is still plaintext on disk, so it has to be rotated whenever that group changes or a backup leaves the trust boundary.

🌐 Internet-Facing: LOW - This vulnerability requires file system access to the Jenkins controller, which is typically not directly internet-facing.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts with file system access can easily exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: N/A (no exploit code is involved; reading one file is the whole attack)
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires read access to the Jenkins controller's file system: a local account on the controller, Jenkins administrator rights (the Script Console can read any file the Jenkins process can), or possession of a backup or disk image of JENKINS_HOME. No Jenkins login is needed if the attacker already has one of those.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.3 or later (confirm the fixed version against the vendor advisory before relying on it)

Vendor Advisory: https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3525

Restart Required: Yes

Instructions:

1. Update Jenkins Kryptowire Plugin to version 0.3 or later via the Jenkins Plugin Manager.
2. Restart Jenkins to apply the change.
3. Regenerate the Kryptowire API key and enter the new one in the global configuration. Treat the old key as exposed: it also survives in any backups of the old configuration file.

🔧 Temporary Workarounds

Restrict File System Access

linux

Limit read access to JENKINS_HOME to the jenkins service account. The file that contains the key is the plugin's own global configuration XML, not config.xml (which holds the controller's core settings). This only keeps other local users out: anyone running as jenkins, or holding Jenkins administrator rights, can still read it.

chown -R jenkins:jenkins /var/lib/jenkins
chmod 700 /var/lib/jenkins
find /var/lib/jenkins -maxdepth 1 -iname '*kryptowire*.xml' -exec chmod 600 {} +

Remove Plugin

all

Uninstall the Kryptowire Plugin if it is not required. The Jenkins CLI has no delete-plugin command: disable the plugin from the CLI (the -auth file holds user:apitoken), then uninstall it from the Plugin Manager's Installed tab, or remove the plugin's .jpi file and directory from JENKINS_HOME/plugins and restart. Delete the plugin's configuration XML afterwards; otherwise the key stays on disk.

java -jar jenkins-cli.jar -s http://localhost:8080/ -auth @cli-auth.txt disable-plugin kryptowire -restart

🧯 If You Can't Patch

  • Implement strict file system access controls to limit who can read Jenkins configuration files, and treat backups and snapshots of JENKINS_HOME as containing a live credential.
  • Rotate the Kryptowire API key immediately and monitor the Kryptowire account for usage from sources other than the Jenkins controller.

🔍 How to Verify

Check if Vulnerable:

Open the Jenkins Plugin Manager (Installed tab) and look up the Kryptowire Plugin version. If it is 0.2 or earlier and an API key has been configured, the key is on disk in plaintext.

Check Version:

grep '^Plugin-Version' /var/lib/jenkins/plugins/kryptowire/META-INF/MANIFEST.MF
java -jar jenkins-cli.jar -s http://localhost:8080/ -auth @cli-auth.txt list-plugins kryptowire

Verify Fix Applied:

Verify the plugin version is 0.3 or later in the Plugin Manager, then open the plugin's global configuration XML under JENKINS_HOME and confirm the key field no longer holds the raw key. Jenkins stores an encrypted Secret as base64 wrapped in braces, e.g. {AQAAABAAAAAQ...=}; a plaintext value is the key itself.
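The two checks above (plugin version, and whether the stored key is encrypted) can be run offline against a controller's JENKINS_HOME or an extracted backup. The script below is an added example for this page, not code from the advisory or the plugin project. It assumes the exploded plugin sits at plugins/kryptowire/META-INF/MANIFEST.MF, and that the plugin's global configuration is a top-level XML file whose name contains "kryptowire" and whose key is the text of an element named like a secret (key/token/secret/password); both are assumptions, so adjust the paths if your layout differs.

```python
"""Added example (not from the advisory or the plugin project): offline checks for
CVE-2025-53672 against a copy of JENKINS_HOME.

Assumptions, not facts from the advisory:
  * the exploded plugin lives at JENKINS_HOME/plugins/kryptowire/META-INF/MANIFEST.MF;
  * the plugin's global configuration is a top-level XML file in JENKINS_HOME whose
    name contains "kryptowire" and whose API key is the text of an element with a
    secret-looking tag (key/token/secret/password).
"""
import os
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

FIXED_IN = (0, 3)  # first fixed version per this page; confirm against the vendor advisory

# An encrypted Jenkins Secret serialises as base64 inside braces, e.g. {AQAAABAAAAAQ...=}
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/]+=*\}$")
SECRET_TAG = re.compile(r"key|token|secret|password", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """'0.2' -> (0, 2); '0.3-SNAPSHOT' -> (0, 3). Numeric parts only, so tuples compare."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))


def plugin_version_from_manifest(manifest: str) -> Optional[str]:
    """Return the Plugin-Version header from MANIFEST.MF text.

    Manifest headers are wrapped at 72 bytes and continued on lines that start with a
    single space, so values are reassembled before lookup (a plain grep can miss that).
    """
    headers: Dict[str, str] = {}
    last: Optional[str] = None
    for line in manifest.splitlines():
        if line.startswith(" ") and last is not None:
            headers[last] += line[1:]
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip()
            headers[last] = value.strip()
    return headers.get("Plugin-Version")


def is_vulnerable_version(version: str) -> bool:
    return parse_version(version) < FIXED_IN


def plaintext_secrets(xml_text: str) -> List[str]:
    """Tag names of secret-looking elements whose text is not an encrypted Secret.

    Empty elements are skipped: no key configured means nothing to leak.
    """
    hits: List[str] = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.split("}")[-1]  # drop any XML namespace prefix
        value = (elem.text or "").strip()
        if value and SECRET_TAG.search(tag) and not ENCRYPTED_SECRET.match(value):
            hits.append(tag)
    return hits


def audit(jenkins_home: str) -> Dict[str, object]:
    """Walk a controller's JENKINS_HOME (or an extracted backup of one)."""
    version: Optional[str] = None
    manifest = os.path.join(jenkins_home, "plugins", "kryptowire", "META-INF", "MANIFEST.MF")
    if os.path.isfile(manifest):
        with open(manifest, encoding="utf-8") as fh:
            version = plugin_version_from_manifest(fh.read())
    plaintext: Dict[str, List[str]] = {}
    for name in os.listdir(jenkins_home):
        if name.lower().endswith(".xml") and "kryptowire" in name.lower():
            with open(os.path.join(jenkins_home, name), encoding="utf-8") as fh:
                found = plaintext_secrets(fh.read())
            if found:
                plaintext[name] = found
    return {
        "version": version,
        "vulnerable_version": bool(version) and is_vulnerable_version(version),
        "plaintext": plaintext,
    }


if __name__ == "__main__":
    import json
    import sys

    print(json.dumps(audit(sys.argv[1] if len(sys.argv) > 1 else "/var/lib/jenkins"), indent=2))
```

Run it as the jenkins user (or root) on the controller, or point it at an unpacked backup; a non-empty "plaintext" map means the key is recoverable from that file and must be rotated after the upgrade.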

📡 Detection & Monitoring

Log Indicators:

  • Jenkins does not log reads of files in JENKINS_HOME, so nothing in jenkins.log will show the key being taken. A host file watch (auditd or a file integrity monitor) on the plugin's configuration XML is the only local source: flag any open of that file by a process other than the controller JVM, or by a login uid other than the jenkins service account.
  • Script Console use by administrators, which can read any file the controller process can; record it with an audit-logging plugin if your instance does not already.
  • Failed authentication attempts to the Jenkins controller.

Network Indicators:

  • Kryptowire API calls made with the organization's key from source addresses other than the Jenkins controller. These are visible only in the Kryptowire account's own usage records, not on the Jenkins side.

Host Audit Query:

auditctl -w "$PLUGIN_CONFIG_XML" -p r -k jenkins-creds
ausearch -k jenkins-creds -i

PLUGIN_CONFIG_XML is the path of the plugin's global configuration file under JENKINS_HOME. Expect reads from the Jenkins JVM at startup and when the configuration is saved; anything else is worth a look.
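Raw auditd output from such a watch is noisy, since the controller legitimately reads the file. The script below is an added example for this page (not part of the advisory) that groups SYSCALL and PATH records by event serial and keeps only opens that were not the Jenkins JVM running as the jenkins account, including denied attempts. The log lines are constructed for illustration: the file name in them is a placeholder rather than the plugin's real configuration file name, and the jenkins account's uid is an assumption.

```python
"""Added example (not part of the advisory): triage records from an auditd read
watch on the plugin's configuration file, e.g. after

    auditctl -w "$PLUGIN_CONFIG_XML" -p r -k jenkins-creds

The log lines below are constructed for illustration; the file name in them is a
placeholder, not the plugin's real configuration file name, and the uid of the
jenkins service account is an assumption."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

WATCH_KEY = "jenkins-creds"
JENKINS_AUID = "1000"  # assumption: audit (login) uid of the jenkins service account
JENKINS_COMM = "java"  # the controller JVM is the only process expected to read the file

# Constructed sample: one legitimate read by the controller, one successful read by an
# interactive user who became root, one denied read (exit=-13 is EACCES).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1752000000.101:901): arch=c000003e syscall=257 success=yes exit=5 auid=1000 uid=1000 comm="java" exe="/usr/bin/java" key="jenkins-creds"
type=PATH msg=audit(1752000000.101:901): item=0 name="/var/lib/jenkins/kryptowire-plugin-config.xml" nametype=NORMAL
type=SYSCALL msg=audit(1752000000.250:902): arch=c000003e syscall=257 success=yes exit=3 auid=1001 uid=0 comm="cat" exe="/usr/bin/cat" key="jenkins-creds"
type=PATH msg=audit(1752000000.250:902): item=0 name="/var/lib/jenkins/kryptowire-plugin-config.xml" nametype=NORMAL
type=SYSCALL msg=audit(1752000000.300:903): arch=c000003e syscall=257 success=no exit=-13 auid=1002 uid=1002 comm="less" exe="/usr/bin/less" key="jenkins-creds"
type=PATH msg=audit(1752000000.300:903): item=0 name="/var/lib/jenkins/kryptowire-plugin-config.xml" nametype=NORMAL
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")

Event = Dict[str, Dict[str, str]]


def parse_records(log_text: str) -> Dict[str, Event]:
    """Group raw audit lines by event serial: {serial: {record type: fields}}.

    SYSCALL and PATH records of one event share the msg=audit(time:serial) stamp.
    auid (the login uid) survives su/sudo, which is why it is used instead of uid.
    """
    events: Dict[str, Event] = defaultdict(dict)
    for line in log_text.splitlines():
        m = SERIAL.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        fields["time"] = m.group(1)
        events[m.group(2)][fields["type"]] = fields
    return dict(events)


def suspicious_reads(log_text: str) -> List[Tuple[str, str, str, str, bool]]:
    """(serial, auid, comm, path, succeeded) for every watched-file open that was not
    the Jenkins JVM running as the jenkins account. Denied attempts are kept: a
    failed read of a credential file is a probe worth an alert."""
    hits: List[Tuple[str, str, str, str, bool]] = []
    for serial, recs in sorted(parse_records(log_text).items(), key=lambda kv: int(kv[0])):
        sc = recs.get("SYSCALL")
        if not sc or sc.get("key") != WATCH_KEY:
            continue
        if sc.get("auid") == JENKINS_AUID and sc.get("comm") == JENKINS_COMM:
            continue
        path = recs.get("PATH", {}).get("name", "?")
        hits.append((serial, sc.get("auid", "?"), sc.get("comm", "?"), path, sc.get("success") == "yes"))
    return hits


if __name__ == "__main__":
    for serial, auid, comm, path, ok in suspicious_reads(SAMPLE_AUDIT_LOG):
        print(f"event {serial}: auid={auid} {comm} {'read' if ok else 'was denied'} {path}")
```

Feed it the output of `ausearch -k jenkins-creds` (without -i, so fields stay numeric) and forward the hits to the SIEM; the auid, not the uid, is the field to pivot on when root was reached through sudo.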

🔗 References

  • Jenkins Security Advisory 2025-07-09, SECURITY-3525: https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3525