CVE-2025-32754CRITICAL 9.1EPSS p32.7%

CVE-2025-32754CVE-2025-32754

Description

In jenkins/ssh-agent Docker images 6.11.1 and earlier, SSH host keys are generated on image creation for images based on Debian, causing all containers based on images of the same version use the same SSH host keys, allowing attackers able to insert themselves into the network path between the SSH client (typically the Jenkins controller) and SSH build agent to impersonate the latter.

Scoring

CVSS 3.19.1 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS0.41% probability of exploitation · percentile 32.7% · 2026-06-18T12:00:27Z
Published2025-04-10
Last modified2025-05-02

Underlying weaknesses· 1

CWE-338

References

  1. https://www.jenkins.io/security/advisory/2025-04-10/#SECURITY-3565

1

TypeTargetConfidenceTier
WeaknessUse of Cryptographically Weak Pseudo-Random Number Generator (PRNG)cwe-3380%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-32755
CVE
CVE-2026-33001
CVE
CVE-2025-47884
CVE
CVE-2025-32111
CVE
CVE-2026-53442
CVE
CVE-2025-53652
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.