CVE-2025-64140 — Jenkins Azure CLI Plugin does not restrict the commands it executes

Description

Jenkins Azure CLI Plugin 0.9 and earlier does not restrict which commands it executes on the Jenkins controller. This allows attackers with Item/Configure permission to execute arbitrary shell commands on the Jenkins controller. As of publication of this advisory, there is no fix.

How to fix CVE-2025-64140

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2025-64140 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 0.9

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-64140
PATCHgithub.com/jenkinsci/azure-cli-plugin
WEBwww.jenkins.io/security/advisory/2025-10-29/#SECURITY-3538
WEBwww.openwall.com/lists/oss-security/2025/10/29/2