CVE-2025-53654 is a security vulnerability identified in the Jenkins Statistics Gatherer Plugin version 2.0.3 and earlier. This plugin is used within Jenkins, a widely adopted open-source automation server commonly employed for continuous integration and continuous delivery (CI/CD) pipelines. The vulnerability arises because the plugin stores the AWS Secret Key in plaintext within the global configuration file on the Jenkins controller. This file is accessible to any user who has file system access to the Jenkins controller machine. Since the AWS Secret Key is a highly sensitive credential that grants programmatic access to AWS resources, its exposure can lead to unauthorized access and control over cloud infrastructure. The vulnerability does not require user interaction or authentication beyond file system access, meaning that any compromise or insider with access to the Jenkins controller file system can extract these credentials. No CVSS score has been assigned yet, and there are no known exploits in the wild at the time of publication. The lack of encryption or secure storage mechanisms for AWS credentials in this plugin highlights a critical security design flaw that could be exploited to escalate privileges and compromise cloud environments integrated with Jenkins.

For European organizations, this vulnerability poses a significant risk, especially for those heavily reliant on Jenkins for their DevOps workflows and AWS for cloud infrastructure. Exposure of AWS Secret Keys can lead to unauthorized access to sensitive data, disruption of services, and potential financial losses due to misuse of cloud resources. Given the GDPR and other stringent data protection regulations in Europe, a breach resulting from this vulnerability could also lead to regulatory penalties and reputational damage. Organizations using this plugin in multi-tenant or shared environments face increased risk, as attackers or malicious insiders with file system access could harvest AWS credentials and pivot to further attacks. The impact extends beyond confidentiality to integrity and availability, as attackers could manipulate cloud resources, deploy malicious workloads, or disrupt critical services. The absence of known exploits currently provides a window for mitigation, but the ease of exploitation once file system access is obtained makes this vulnerability a high priority for remediation.

European organizations should immediately audit their Jenkins environments to identify installations of the Statistics Gatherer Plugin version 2.0.3 or earlier. They should upgrade to the latest patched version once available or remove the plugin if it is not essential. Until a patch is released, restrict file system access to the Jenkins controller to the minimum necessary personnel and processes, employing strict access controls and monitoring. Organizations should rotate any AWS credentials stored in Jenkins that may have been exposed and consider using more secure credential management solutions such as Jenkins credentials plugin with encrypted storage or external secrets managers (e.g., HashiCorp Vault, AWS Secrets Manager). Implementing role-based access control (RBAC) within Jenkins and enforcing the principle of least privilege for users and services can reduce the risk. Additionally, continuous monitoring and alerting for unusual AWS API activity can help detect potential misuse of compromised credentials. Regular security assessments of CI/CD pipelines and secrets management practices are recommended to prevent similar vulnerabilities.