CVE-2025-53668: Vulnerability in Jenkins Project Jenkins VAddy Plugin
Jenkins VAddy Plugin 1.2.8 and earlier stores Vaddy API Auth Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
AI Analysis
Technical Summary
CVE-2025-53668 is a vulnerability identified in the Jenkins VAddy Plugin version 1.2.8 and earlier. The core issue is that the plugin stores VAddy API authentication keys unencrypted within the job configuration files (config.xml) on the Jenkins controller. These configuration files can be read by users who hold the Item/Extended Read permission within Jenkins and by anyone with access to the Jenkins controller's underlying file system. Because the API keys are stored in plaintext, users with either of these access levels can retrieve the credentials and interact with the VAddy API with the same privileges as the legitimate user. This exposure can lead to unauthorized actions such as manipulating scan configurations, retrieving sensitive scan results, or abusing the API for further attacks. The vulnerability requires no Jenkins permission beyond Item/Extended Read, which is commonly granted to many users in Jenkins environments, so the exposed population is large. No patch or mitigation has been linked yet, and there are no known exploits in the wild at the time of publication. The vulnerability was published on July 9, 2025, and no CVSS score has been assigned, so severity must be inferred from the technical details.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those heavily reliant on Jenkins for continuous integration and continuous deployment (CI/CD) pipelines. The exposure of API keys can lead to unauthorized access to the VAddy scanning service, potentially allowing attackers to manipulate security scans or exfiltrate sensitive data related to application security assessments. This can undermine the integrity of the security posture and lead to undetected vulnerabilities in deployed software. Moreover, if attackers gain access to the Jenkins controller file system or have read permissions on jobs, they could escalate their access or move laterally within the development environment. Given the widespread use of Jenkins in European tech sectors, including finance, manufacturing, and government, the impact could be broad, affecting software supply chain security and compliance with regulations such as GDPR if sensitive data is exposed or manipulated. The lack of encryption for API keys also violates best practices for credential management, increasing the risk of credential theft and misuse.
Mitigation Recommendations
European organizations should immediately audit their Jenkins environments to identify instances of the VAddy Plugin version 1.2.8 or earlier. Until an official patch is released, organizations should consider the following specific mitigations:
1) Restrict the Item/Extended Read permission strictly to trusted users, minimizing the number of users who can view job configurations.
2) Limit access to the Jenkins controller file system to essential personnel and enforce strict OS-level access controls and monitoring.
3) Rotate any exposed VAddy API keys immediately and replace them with new keys stored securely using the Jenkins credentials plugin or a secret management tool that encrypts sensitive data.
4) Consider disabling or uninstalling the VAddy Plugin if it is not essential to operations.
5) Monitor Jenkins audit logs for unusual access patterns or attempts to read job configurations.
6) Implement network segmentation to isolate Jenkins controllers and reduce exposure.
7) Stay alert for official patches or updates from the Jenkins project and apply them promptly once available.
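As an added example (not code from this page, the VAddy plugin, or the Jenkins project), the audit script below supports the first and third mitigations: it walks job config.xml files and flags credential-like elements whose value is not in the encrypted form Jenkins uses for `hudson.util.Secret` (a base64 string wrapped in braces). The builder and element names in the constructed sample config are assumptions, since the page does not give the plugin's field name.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# The page does not name the plugin's config element, so match generically on
# tag names that usually carry credentials (key, token, secret, password, auth).
SENSITIVE_TAG = re.compile(r"(key|token|secret|password|passwd|auth)", re.IGNORECASE)
# Jenkins serialises an encrypted Secret as "{<base64>}"; anything else is plaintext.
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def find_plaintext_secrets(config_xml: str):
    """Return (tag, redacted value) pairs for credential-like elements not stored as Secrets."""
    findings = []
    root = ET.fromstring(config_xml)
    for elem in root.iter():
        text = (elem.text or "").strip()
        if not text or not SENSITIVE_TAG.search(elem.tag):
            continue
        if ENCRYPTED_SECRET.match(text):
            continue  # stored via Secret / credentials plugin: acceptable
        findings.append((elem.tag, text[:4] + "..."))  # never echo the full value
    return findings


def scan_jobs(jenkins_home):
    """Scan every jobs/*/config.xml under JENKINS_HOME; returns {path: findings}."""
    results = {}
    for cfg in Path(jenkins_home).glob("jobs/*/config.xml"):
        hits = find_plaintext_secrets(cfg.read_text(encoding="utf-8"))
        if hits:
            results[str(cfg)] = hits
    return results


# Constructed sample job config (hypothetical builder/element names):
# one plaintext key and one properly encrypted Secret.
SAMPLE_CONFIG = """<project>
  <builders>
    <com.example.VaddyBuilder>
      <authKey>vaddy-plaintext-key-0123</authKey>
    </com.example.VaddyBuilder>
    <com.example.OtherBuilder>
      <apiToken>{AQAAABAAAAAQc2VjcmV0dmFsdWU=}</apiToken>
    </com.example.OtherBuilder>
  </builders>
</project>"""

if __name__ == "__main__":
    for tag, value in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"plaintext credential in <{tag}>: {value}")
```

Run `scan_jobs("/var/lib/jenkins")` (or wherever JENKINS_HOME lives) on the controller to list every job that still stores a key in the clear; each hit is a key to rotate.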
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: jenkins
- Date Reserved: 2025-07-08T07:51:59.763Z
- CVSS Version: null (no score assigned)
- State: PUBLISHED
Threat ID: 686e90bb6f40f0eb7204bd5a
Added to database: 7/9/2025, 3:54:35 PM
Last enriched: 7/9/2025, 4:12:37 PM
Last updated: 8/12/2025, 8:34:22 PM