Unverified Jenkins remote code execution via plugin claim

The only concrete claim we could corroborate is a secondary page on CyberSec.au asserting that CVE-2025-1345 is a *Jenkins remote code execution via plugin* issue, published on 2025-09-15, affecting Jenkins and allegedly fixed by 2.426.2 LTS or 2.470 weekly. We did not find a matching Jenkins security advisory, Jenkins published issue, GitHub Advisory Database entry, or other primary vendor/CNA record that defines affected version ranges, root cause, exploitation path, or a real fix line.

In practice this is not a vulnerability-priority problem; it is an *intel-quality* problem. The secondary claim is internally weak and the version guidance is suspect: Jenkins' own 2024-01-24 advisory shows 2.426.2 was itself an affected version for CVE-2024-23897, making it a dubious 'fixed version' for a later, unrelated alleged RCE. Without a primary record, technical write-up, or stable version mapping, treating this as emergency patching would waste defender time.

Why this verdict

• No primary record: we found no verified Jenkins advisory, no Jenkins published issue match, and no GitHub Advisory Database match for CVE-2025-1345.
• Authenticated-only even in the secondary claim: the lone public description says attackers must already be authenticated, which is post-initial-access friction and a major downward pressure on severity.
• Patch story is internally inconsistent: the same secondary source names 2.426.2 LTS as fixed, while Jenkins' own 2024-01-24 advisory shows 2.426.2 was still vulnerable in a real core+CLI issue and fixed only in 2.426.3.

Why not higher?

A higher rating would require at least one of: a CNA/vendor advisory, reproducible exploit details, a trustworthy affected range, or active exploitation evidence. We have none of those. Scoring a ghost record as HIGH or CRITICAL is how teams burn change windows on rumor.

Why not lower?

We are not calling it nonexistent with absolute certainty because secondary references do exist and malformed/pre-publication records occasionally happen. The right response is to document the gap, suppress the ticket for now, and keep watching primary Jenkins/CVE channels.

1. Suppress the CVE in triage — Mark CVE-2025-1345 as unsubstantiated / no primary advisory in your VM platform and ticketing workflow. For an IGNORE verdict there is no patch deadline; document the rationale now and prevent churn from duplicate scanner tickets.
2. Monitor Jenkins primary channels — Subscribe to Jenkins security advisories and review the published issues feed for any later authoritative mention of this ID or an equivalent security issue. For an IGNORE verdict, this is a watch action rather than an emergency measure.
3. Maintain normal Jenkins hygiene — Keep Jenkins on supported releases and continue your routine hardening program, but do it under ordinary maintenance governance, not as a CVE-2025-1345 fire drill. This preserves effort for verified internet-reachable flaws.

Run this on the Jenkins controller host or on an auditor workstation with filesystem access to the Jenkins package/jenkins.war. Invoke it as bash verify-cve-2025-1345.sh /usr/share/java/jenkins.war or with no argument to let it probe common package locations. It needs only local read access; no root is required unless your package paths are restricted.

#!/usr/bin/env bash
# verify-cve-2025-1345.sh
# Purpose: Determine whether a host can be authoritatively classified for CVE-2025-1345.
# Because no trustworthy vendor/CNA advisory or affected version range was verified,
# this script reports UNKNOWN for Jenkins installations and prints the discovered version.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=usage/runtime error

set -u

TARGET="${1:-}"
VERSION=""
FOUND="0"

read_manifest_version() {
  local file="$1"
  if command -v unzip >/dev/null 2>&1; then
    unzip -p "$file" META-INF/MANIFEST.MF 2>/dev/null | awk -F': ' '/^Jenkins-Version:/{print $2; exit}' | tr -d '\r'
    return 0
  fi
  if command -v jar >/dev/null 2>&1; then
    local tmpdir
    tmpdir="$(mktemp -d)" || return 1
    (cd "$tmpdir" && jar xf "$file" META-INF/MANIFEST.MF >/dev/null 2>&1)
    awk -F': ' '/^Jenkins-Version:/{print $2; exit}' "$tmpdir/META-INF/MANIFEST.MF" 2>/dev/null | tr -d '\r'
    rm -rf "$tmpdir"
    return 0
  fi
  return 1
}

probe_paths() {
  local candidates=(
    "$TARGET"
    /usr/share/java/jenkins.war
    /usr/share/jenkins/jenkins.war
    /usr/lib/jenkins/jenkins.war
    /opt/jenkins/jenkins.war
  )

  for c in "${candidates[@]}"; do
    [ -n "$c" ] || continue
    if [ -f "$c" ]; then
      VERSION="$(read_manifest_version "$c")"
      if [ -n "$VERSION" ]; then
        FOUND="1"
        echo "Detected Jenkins WAR: $c"
        echo "Detected Jenkins version: $VERSION"
        return 0
      fi
    fi
  done

  if command -v jenkins >/dev/null 2>&1; then
    VERSION="$(jenkins --version 2>/dev/null | head -n1 | tr -d '\r')"
    if [ -n "$VERSION" ]; then
      FOUND="1"
      echo "Detected Jenkins CLI version: $VERSION"
      return 0
    fi
  fi

  return 1
}

if ! probe_paths; then
  echo "UNKNOWN - Jenkins version could not be determined from common paths or CLI."
  exit 2
fi

# Authoritative classification is impossible with current public evidence.
# Do NOT infer vulnerable/patched from secondary, conflicting claims.
echo "UNKNOWN - CVE-2025-1345 has no verified vendor/CNA advisory or trustworthy affected/fixed range in reviewed sources."
exit 2

Sources

1. CyberSec.au claim page for CVE-2025-1345
2. CyberSec.au CVE database entry showing the same Jenkins claim
3. Jenkins Security landing page
4. Jenkins published security issues archive
5. Jenkins Security Advisory 2025-03-05
6. Jenkins Security Advisory 2024-01-24
7. GitHub Advisory Database
8. CVE.org site search landing page