
CVE-2025-32755: Jenkins SSH-Slave Auth Bypass Vulnerability

CVE-2025-32755 is an authentication bypass flaw in Jenkins SSH-Slave Docker images where identical SSH host keys enable man-in-the-middle attacks. This article covers technical details, affected versions, and mitigations.

Published: March 18, 2026

CVE-2025-32755 Overview

CVE-2025-32755 is a cryptographic vulnerability affecting Jenkins SSH-Slave Docker images based on Debian. The vulnerability arises from SSH host keys being generated during image creation rather than at container runtime, resulting in all containers based on the same image version sharing identical SSH host keys. This flaw enables network-positioned attackers to perform man-in-the-middle (MITM) attacks by impersonating SSH build agents to the Jenkins controller.

Critical Impact

Attackers who can position themselves in the network path between Jenkins controllers and SSH build agents can impersonate build agents, potentially compromising CI/CD pipeline integrity and accessing sensitive build artifacts and credentials.

Affected Products

  • Jenkins SSH-Slave Docker images (Debian-based)
  • Containers deployed using jenkins/ssh-slave Docker images
  • CI/CD environments utilizing Jenkins SSH build agents via Docker

Discovery Timeline

  • 2025-04-10 - CVE-2025-32755 published to NVD
  • 2025-05-02 - Last updated in NVD database

Technical Details for CVE-2025-32755

Vulnerability Analysis

This vulnerability is classified under CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator), though the core issue relates to the timing of SSH host key generation in Docker image builds. When Docker images are built, the SSH host keys are generated once during the image creation process. These keys are then baked into the image layer and distributed to all containers instantiated from that image version.

The fundamental security assumption of SSH host keys is that each host has a unique key pair that identifies it to clients. This uniqueness is what allows clients to detect MITM attacks by comparing the presented host key against known keys. When multiple containers share identical host keys, this security guarantee is completely undermined.

Root Cause

The root cause is an insecure default configuration in the Jenkins SSH-Slave Docker image build process. The SSH server package installation or configuration step generates host keys at image build time rather than deferring key generation to container initialization. This means:

  1. The ssh-keygen commands that create /etc/ssh/ssh_host_* keys run during docker build
  2. These generated keys become part of the immutable image layers
  3. Every container started from the image inherits the same private and public key pairs
  4. No runtime mechanism exists to regenerate unique keys per container

Attack Vector

This vulnerability is exploitable over the network without requiring authentication or user interaction. An attacker must be able to intercept network traffic between the Jenkins controller (SSH client) and the SSH build agent container. This could be achieved through:

  1. Network-level attacks: ARP spoofing, DNS hijacking, or BGP hijacking to redirect traffic
  2. Compromised network infrastructure: Access to switches, routers, or network taps
  3. Cloud environment attacks: Exploitation of shared networking in cloud or container orchestration environments

Once positioned, the attacker can present the shared SSH host key (which is publicly available in the Docker image) to the Jenkins controller. Since the key matches what the controller expects, the attacker can successfully impersonate the build agent.

The attacker can then intercept build commands, inject malicious code into builds, exfiltrate build artifacts or credentials passed to the build agent, and manipulate build outputs before forwarding them to the actual agent.

Detection Methods for CVE-2025-32755

Indicators of Compromise

  • Unexpected SSH session reconnections or authentication failures in Jenkins controller logs
  • Network traffic anomalies between Jenkins controllers and build agents
  • SSH host key fingerprint mismatches detected by clients not yet trusting the compromised key
  • Unusual build behavior or artifacts that differ from expected outputs

Detection Strategies

  • Audit deployed Jenkins SSH-Slave containers for duplicate SSH host key fingerprints across instances
  • Implement network monitoring to detect ARP spoofing or other MITM positioning techniques
  • Review Jenkins controller SSH known_hosts entries for consistency with expected build agents
  • Deploy intrusion detection systems to monitor Jenkins-to-agent communication patterns
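
The duplicate-fingerprint audit from the first strategy above, as an added example that is not part of the original page or of Jenkins tooling. It assumes the input is text in the `host keytype base64-key` format that `ssh-keyscan` prints and that known_hosts files use; the function names, host names and key blobs are constructed for illustration.

```python
import base64
import hashlib
from collections import defaultdict


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(key blob)."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_host_keys(scan_text: str) -> dict:
    """Return {(keytype, fingerprint): [hosts]} for keys presented by 2+ hosts."""
    hosts_by_key = defaultdict(set)
    for line in scan_text.splitlines():
        parts = line.split()
        # Skip blanks, '#' banner comments and malformed lines.
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        host, keytype, key_b64 = parts[:3]
        try:
            hosts_by_key[(keytype, fingerprint(key_b64))].add(host)
        except ValueError:  # key field is not valid base64
            continue
    return {k: sorted(v) for k, v in hosts_by_key.items() if len(v) > 1}


def _sample_blob(fill: int) -> str:
    """Constructed stand-in for an ed25519 public key blob (not a real key)."""
    name = b"ssh-ed25519"
    raw = len(name).to_bytes(4, "big") + name + (32).to_bytes(4, "big") + bytes([fill]) * 32
    return base64.b64encode(raw).decode()


# Constructed sample: agent-a and agent-b came from the same image and share its key.
SAMPLE_SCAN = "\n".join([
    "# agent-a:22 SSH-2.0-OpenSSH (constructed sample)",
    f"agent-a ssh-ed25519 {_sample_blob(0x11)}",
    f"agent-b ssh-ed25519 {_sample_blob(0x11)}",
    f"agent-c ssh-ed25519 {_sample_blob(0x22)}",
])

if __name__ == "__main__":
    for (keytype, fp), hosts in find_shared_host_keys(SAMPLE_SCAN).items():
        print(f"SHARED {keytype} {fp}: {', '.join(hosts)}")
```

Any group it reports is a set of agents that a controller cannot tell apart by host key, so those containers need their keys regenerated and their known_hosts entries replaced.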

Monitoring Recommendations

  • Enable detailed SSH logging on both Jenkins controllers and build agent containers
  • Implement centralized log aggregation to correlate connection events across infrastructure
  • Set up alerts for SSH host key change events that may indicate ongoing exploitation
  • Monitor network flows for unexpected traffic patterns between CI/CD components

How to Mitigate CVE-2025-32755

Immediate Actions Required

  • Regenerate SSH host keys on all deployed Jenkins SSH-Slave containers immediately
  • Update container deployment scripts to generate fresh SSH host keys at container startup
  • Review Jenkins controller known_hosts files and remove or update stale entries
  • Consider network segmentation to limit exposure of build agent traffic

Patch Information

Jenkins has published a security advisory addressing this vulnerability. Refer to the Jenkins Security Advisory SECURITY-3565 for official guidance on patched image versions and remediation steps. Ensure you pull the latest patched Docker images from the official Jenkins repository.

Workarounds

  • Add a container entrypoint script that regenerates SSH host keys using ssh-keygen -A before starting the SSH daemon
  • Build custom images that remove existing host keys and include a startup script for key generation
  • Implement strict network controls and mutual TLS between Jenkins controllers and build agents
  • Consider alternative agent connectivity methods such as Jenkins JNLP agents that don't rely on SSH

```bash
#!/bin/bash
# Configuration example: Container entrypoint script to regenerate SSH host keys

# Remove any existing host keys baked into the image
rm -f /etc/ssh/ssh_host_*

# Generate fresh unique host keys for this container instance
ssh-keygen -A

# Start SSH daemon in the foreground as the container's main process
exec /usr/sbin/sshd -D
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Auth Bypass
  • Vendor/Tech: Jenkins
  • Severity: CRITICAL
  • CVSS Score: 9.1
  • EPSS Probability: 0.21%
  • Known Exploited: No

CVSS Vector

  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: None

CWE References

  • CWE-338

Vendor Resources

  • Jenkins Security Advisory SECURITY-3565

Related CVEs

  • CVE-2026-33002: Jenkins Auth Bypass Vulnerability
  • CVE-2025-64131: Jenkins SAML Auth Bypass Vulnerability
  • CVE-2025-47884: Jenkins OpenID Connect Auth Bypass Flaw
  • CVE-2025-47889: Jenkins WSO2 Oauth Auth Bypass Flaw