A high-severity vulnerability has been discovered in the Jenkins Azure CLI Plugin, identified as CVE-2025-64140 with a CVSS score of 8.8. This flaw could allow an unauthenticated remote attacker to execute arbitrary code on the Jenkins server, potentially leading to a full compromise of the CI/CD pipeline, theft of sensitive credentials and source code, and unauthorized access to connected cloud environments. Organizations using the affected plugin are at significant risk of a software supply chain attack or major operational disruption.

This vulnerability exists within the Jenkins Azure CLI Plugin due to improper input sanitization of parameters passed to the Azure CLI. An unauthenticated remote attacker can craft a malicious request to a Jenkins job or API endpoint that utilizes the plugin. By injecting specific commands into the input fields, the attacker can achieve arbitrary command execution on the underlying operating system of the Jenkins controller or agent node where the build is executed, with the same privileges as the Jenkins user.

This vulnerability is rated as High severity with a CVSS score of 8.8. Successful exploitation would have a severe impact on the business, as Jenkins is a central component of the software development lifecycle. Potential consequences include the compromise of sensitive intellectual property such as source code, theft of credentials and API keys stored within Jenkins, and the ability for an attacker to inject malicious code into the organization's applications, leading to a supply chain compromise. Furthermore, an attacker could disrupt build and deployment pipelines, causing significant operational downtime and potentially using the compromised Jenkins server as a pivot point to attack other internal systems and cloud infrastructure.

Immediate Action: Apply the security updates released by Jenkins for the Azure CLI Plugin immediately across all vulnerable instances. Before applying the patch, review access and build logs for any suspicious or anomalous activity that could indicate a prior compromise. After patching, continue to monitor systems closely for any signs of post-patch exploitation attempts.

Proactive Monitoring: Organizations should actively monitor Jenkins audit logs, system process logs, and network traffic from Jenkins nodes. Look for unusual process executions spawned by the Jenkins service (e.g., sh, curl, powershell.exe), unexpected Azure CLI command invocations with malformed parameters, or outbound network connections to unknown or suspicious IP addresses.

Compensating Controls: If immediate patching is not feasible, consider the following mitigating actions:

• Temporarily disable the Azure CLI plugin on all Jenkins instances.
• Implement strict network segmentation to isolate Jenkins controllers and agents from other critical systems.
• Use a Web Application Firewall (WAF) to inspect and block requests containing common command injection patterns targeted at Jenkins.
• Restrict access to Jenkins, ensuring that no jobs can be triggered by unauthenticated users.

Public Exploit Available: false

Due to the high severity (CVSS 8.8) of this vulnerability and its potential to enable a full compromise of the software supply chain, we strongly recommend that organizations treat this as a critical priority. The risk of credential theft, data exfiltration, and malicious code injection is substantial. All affected Jenkins instances must be patched immediately. Although this CVE is not currently on the CISA KEV list, its high-impact nature makes it a prime candidate for future inclusion, and it should be remediated with the utmost urgency.