CVE-2025-53668 is a vulnerability identified in the Jenkins VAddy Plugin version 1.2.8 and earlier, where the plugin stores VAddy API authentication keys in plaintext within the job configuration files (config.xml) on the Jenkins controller. Jenkins is a widely used open-source automation server for continuous integration and continuous delivery (CI/CD). The VAddy Plugin integrates VAddy security scanning services into Jenkins pipelines. The vulnerability arises because the plugin fails to encrypt or otherwise protect the API keys, violating secure credential storage best practices (classified under CWE-311: Missing Encryption of Sensitive Data). As a result, any user with Item/Extended Read permissions within Jenkins or any actor with access to the Jenkins controller's file system can retrieve these API keys. These keys can then be used to access VAddy services, potentially allowing attackers to manipulate or retrieve sensitive security scan data or perform unauthorized actions via the VAddy API. The CVSS v3.1 base score is 6.5 (medium severity), reflecting network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), and no impact on integrity or availability (I:N/A:N). No known exploits are currently reported in the wild, but the exposure of API keys represents a significant confidentiality risk. The vulnerability highlights the importance of secure secrets management in CI/CD environments, especially for plugins handling sensitive credentials.

For European organizations, the exposure of VAddy API keys can lead to unauthorized access to security scanning services integrated into their CI/CD pipelines. This could allow attackers to gather sensitive information about application security posture, manipulate scan results, or disrupt security workflows indirectly by undermining trust in scan data. Confidentiality breaches could extend to other linked systems if API keys are reused or provide broader access. Since Jenkins is widely adopted in European software development and DevOps environments, especially in countries with strong tech sectors like Germany, the UK, France, and the Netherlands, the risk is significant. Attackers gaining access to these keys could also use them as a foothold for further lateral movement within development infrastructure. Although the vulnerability does not directly impact system integrity or availability, the compromise of security tooling credentials can degrade overall security posture and increase risk of subsequent attacks.

European organizations should immediately audit Jenkins environments for the presence of the VAddy Plugin version 1.2.8 or earlier and identify any stored API keys in job config.xml files. Restrict Jenkins Item/Extended Read permissions strictly to trusted users and enforce the principle of least privilege. Limit file system access on Jenkins controllers to authorized personnel only. Where possible, rotate exposed VAddy API keys and update the plugin to a version that securely stores credentials or apply vendor-provided patches once available. Consider using Jenkins credentials plugins or external secrets management solutions (e.g., HashiCorp Vault, Azure Key Vault) to store API keys securely instead of embedding them in job configurations. Implement monitoring and alerting for unusual access patterns to Jenkins controllers and API usage. Regularly review and harden Jenkins security settings, including enabling audit logging and securing the Jenkins controller host.