CVE-2025-64140

8.8 HIGH

📋 TL;DR

The Jenkins Azure CLI Plugin vulnerability allows attackers with Item/Configure permission to execute arbitrary shell commands on the Jenkins controller. This occurs because the plugin fails to restrict command execution, enabling remote code execution. Organizations using Jenkins with this plugin are affected.

💻 Affected Systems

Products:
  • Jenkins Azure CLI Plugin
Versions: 0.9 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Item/Configure permission; Jenkins instances with this plugin installed are vulnerable regardless of Azure integration status.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full compromise of the Jenkins controller leading to lateral movement, data exfiltration, and deployment of persistent backdoors across connected systems.

🟠 Likely Case

Attackers with Item/Configure permission gain shell access to the Jenkins controller, potentially compromising build pipelines, stealing credentials, and accessing sensitive data.

🟢 If Mitigated

With proper access controls and network segmentation, impact is limited to the isolated Jenkins instance without lateral movement capabilities.

🌐 Internet-Facing: HIGH - Jenkins instances exposed to internet with vulnerable plugin can be exploited by authenticated attackers.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts with Item/Configure permission can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires Item/Configure permission; trivial for authenticated attackers with appropriate privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.10 or later

Vendor Advisory: https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3538

Restart Required: Yes

Instructions:

1. Update Jenkins Azure CLI Plugin to version 0.10 or later via Jenkins Plugin Manager
2. Restart Jenkins instance
3. Verify plugin version in Manage Jenkins > Manage Plugins

🔧 Temporary Workarounds

Remove Azure CLI Plugin (applies to: all)

Uninstall the vulnerable plugin if Azure CLI functionality is not required.

Manage Jenkins > Manage Plugins > Installed > Azure CLI Plugin > Uninstall

Restrict Item/Configure Permissions (applies to: all)

Tighten access controls to limit the users who hold Item/Configure permission.

Manage Jenkins > Configure Global Security > Authorization > Restrict permissions

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Jenkins controller from sensitive systems
  • Enforce least privilege access controls and regularly audit users with Item/Configure permission

🔍 How to Verify

Check if Vulnerable:

Check the plugin version in Manage Jenkins > Manage Plugins > Installed > Azure CLI Plugin; versions 0.9 and earlier are vulnerable.

Check Version:

Check the Jenkins web interface or the plugin directory for the azure-cli.jpi version.

Verify Fix Applied:

Verify that the Azure CLI Plugin version is 0.10 or higher in the plugin manager.
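The manual checks above can be scripted against the plugin manager's JSON API. The following is an added example, not code from the advisory or from the Jenkins project: it parses the response of Jenkins' `/pluginManager/api/json?depth=1` endpoint, looks up the plugin by short name (assumed to be `azure-cli`, derived from the `azure-cli.jpi` file name mentioned on this page), and compares the installed version numerically against the fixed version 0.10. The numeric comparison matters: compared as strings, `"0.9"` sorts after `"0.10"`, so a naive check would report the vulnerable release as fixed. The sample response embedded below is constructed for offline use.

```python
"""Check whether the installed Jenkins Azure CLI Plugin is at a fixed version.

Added example; not part of the advisory or of the plugin. Reads the JSON from
Jenkins' plugin manager API (/pluginManager/api/json?depth=1) and compares the
'azure-cli' plugin version against the first fixed release, 0.10.
"""
import json
import re
import sys
from base64 import b64encode
from urllib.request import Request, urlopen

PLUGIN_SHORT_NAME = "azure-cli"   # assumption: short name taken from azure-cli.jpi
FIXED_VERSION = "0.10"            # first fixed release named in the advisory

# Constructed sample response, shaped like the real plugin manager API output.
SAMPLE_RESPONSE = {
    "plugins": [
        {"shortName": "git", "version": "5.0.0", "active": True},
        {"shortName": "azure-cli", "version": "0.9", "active": True},
    ]
}


def parse_version(version: str) -> tuple:
    """Split a dotted version into integers: '0.10' -> (0, 10).

    Tuple comparison gives numeric ordering; string comparison would put
    '0.9' after '0.10' and mark the vulnerable release as fixed.
    """
    parts = []
    for piece in re.split(r"[.\-]", version):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed one."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))   # pad so (0, 10) == (0, 10, 0)
    b += (0,) * (width - len(b))
    return a < b


def assess(plugin_json: dict) -> dict:
    """Locate the plugin in the API response and report its status."""
    for plugin in plugin_json.get("plugins", []):
        if plugin.get("shortName") == PLUGIN_SHORT_NAME:
            version = str(plugin.get("version", ""))
            return {"installed": True, "version": version,
                    "vulnerable": is_vulnerable(version)}
    return {"installed": False, "version": None, "vulnerable": False}


def fetch_plugins(base_url: str, user: str, api_token: str) -> dict:
    """Query a live controller; needs a user with Overall/Read and an API token."""
    req = Request(base_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    cred = b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urlopen(req, timeout=15) as resp:
        return json.load(resp)


if __name__ == "__main__":
    if len(sys.argv) == 4:
        data = fetch_plugins(sys.argv[1], sys.argv[2], sys.argv[3])
    else:
        data = SAMPLE_RESPONSE   # offline demonstration on the constructed sample
    result = assess(data)
    print(json.dumps(result))
    # Non-zero exit lets a scheduled job or CI gate flag an unpatched controller.
    sys.exit(1 if result["vulnerable"] else 0)
```

Run it as `python check_azure_cli.py https://jenkins.example/ USER API_TOKEN` against a live controller (placeholder URL and credentials), or with no arguments to see the sample response evaluated. A plugin that is present but disabled still ships the vulnerable code on disk, so the check deliberately looks at the installed version rather than the `active` flag.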

📡 Detection & Monitoring

Log Indicators:

  • Unusual Azure CLI plugin activity
  • Shell command execution from Jenkins processes
  • Unauthorized process creation on Jenkins host

Network Indicators:

  • Unexpected outbound connections from Jenkins controller
  • Command and control traffic patterns

SIEM Query:

source="jenkins.log" AND ("Azure CLI" OR "azure-cli") AND (command OR exec OR shell)
