Jenkins - Authorization Bypass (CVE-2025-59474)
98Exploiting IPs reported
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel executors widget.
CrowdSec analysis
CVE-2025-59474 is a vulnerability in Jenkins that allows attackers without Overall/Read permission to enumerate agent names via the sidepanel executors widget. This information disclosure flaw could aid threat actors in reconnaissance efforts, potentially facilitating further targeted attacks against Jenkins environments.
CrowdSec has been tracking this vulnerability and its exploits since 15th of October 2025.
Data from the CrowdSec community indicates that exploitation of CVE-2025-59474 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2025-59474 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2025-59474 is currently experiencing high visibility and active exploitation across the internet.
Attackers probe Jenkins endpoints such as /securityRealm/signup and /jenkins/securityRealm/signup to access the sidepanel and enumerate agent names via the "Build Executor Status" widget, even without Overall/Read permissions.
Exploitation
Get real-time information about exploitation attempts and actors involved.
Protection
Find out relevant information to protect your stack against this CVE.
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.