CVE-2025-53664 is a vulnerability identified in the Jenkins Apica Loadtest Plugin versions 1.10 and earlier, where Apica Loadtest LTP authentication tokens are stored unencrypted within the job configuration files (config.xml) on the Jenkins controller. Jenkins is a widely used open-source automation server for continuous integration and continuous delivery (CI/CD). The plugin in question integrates Apica Loadtest functionalities into Jenkins jobs. The vulnerability arises because these sensitive authentication tokens are stored in plaintext, making them accessible to any user who has Item/Extended Read permissions within Jenkins or to anyone with direct access to the Jenkins controller's file system. This exposure can lead to unauthorized disclosure of credentials, which could be leveraged to access Apica Loadtest services or escalate further within the environment. The vulnerability requires at least some level of authenticated access (Item/Extended Read permission) but does not require user interaction, making it easier to exploit once access is gained. The CVSS v3.1 base score is 6.5, reflecting a medium severity level with a vector indicating network attack vector, low attack complexity, privileges required, no user interaction, unchanged scope, high confidentiality impact, and no impact on integrity or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The underlying weakness corresponds to CWE-256 (Plaintext Storage of a Password). This vulnerability highlights the importance of secure credential storage practices within CI/CD tools and plugins, as exposure of tokens can compromise downstream systems and services integrated with Jenkins.

For European organizations, this vulnerability poses a significant risk to the confidentiality of authentication tokens used within Jenkins CI/CD pipelines. Unauthorized access to these tokens could allow attackers to impersonate legitimate users or services, potentially leading to unauthorized access to Apica Loadtest services or other integrated systems. This could result in data leakage, unauthorized test executions, or manipulation of load testing results, which might affect application performance assessments and decision-making. Although the vulnerability does not directly impact system integrity or availability, the exposure of credentials can be a stepping stone for further attacks within the network. Organizations with large-scale software development and testing operations relying on Jenkins and Apica Loadtest are particularly vulnerable. The risk is heightened in environments where Jenkins controllers are shared or where access controls are not strictly enforced. Additionally, the lack of encryption for stored tokens violates best practices and regulatory requirements around sensitive data protection, which could have compliance implications under GDPR and other European data protection laws.

To mitigate this vulnerability, European organizations should immediately review and tighten access controls on Jenkins controllers, ensuring that only trusted users have Item/Extended Read permissions. Restrict file system access to the Jenkins controller to authorized personnel only. Organizations should monitor and audit access logs for unusual activity related to Jenkins job configurations. Until an official patch or update is released, consider removing or disabling the Apica Loadtest Plugin if it is not essential. If the plugin is required, investigate alternative secure methods to store authentication tokens, such as using Jenkins credentials plugins that encrypt secrets or external secret management solutions. Regularly update Jenkins and its plugins to the latest versions once patches become available. Additionally, implement network segmentation to limit exposure of Jenkins controllers and enforce multi-factor authentication (MFA) for Jenkins user accounts to reduce the risk of unauthorized access. Finally, educate development and operations teams about the risks of storing sensitive information in plaintext within CI/CD configurations.