Massive Exploitation of TeamCity Auth Bypass Vulnerability Leads to Creation of Admin Accounts

March 7, 2024

Hackers have begun to exploit a critical-severity authentication bypass vulnerability, CVE-2024-27198, in TeamCity On-Premises. JetBrains, the company behind TeamCity, has released an update addressing the issue, but it appears that the exploitation is widespread, with hundreds of new users being created on unpatched instances that are publicly accessible.

LeakIX, a search engine that identifies exposed device misconfigurations and vulnerabilities, has reported that approximately 1,700 TeamCity servers are yet to be patched. The majority of these vulnerable hosts are located in Germany, the United States, and Russia, with a smaller number in China, the Netherlands, and France. The platform indicates that hackers have already compromised more than 1,440 instances.

GreyNoise, a company specializing in the analysis of internet scanning traffic, recorded a sharp increase in attempts to exploit CVE-2024-27198 on March 5. Most attempts originate from systems in the United States on the DigitalOcean hosting infrastructure.

The compromised TeamCity servers are primarily production machines used for building and deploying software. This means that a compromise could potentially lead to supply-chain attacks, as these servers may contain sensitive information such as credentials for environments where code is deployed, published, or stored. Cybersecurity company Rapid7 echoed this concern in a blog post, stating, 'Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artifacts, and as such is a suitable vector to position an attacker to perform a supply chain attack.'

CVE-2024-27198 has a critical severity score of 9.8 out of 10 and affects all releases of the on-premises version of TeamCity before 2023.11.4. The vulnerability allows a remote, unauthenticated attacker to take control of a vulnerable server with administrative privileges. It was discovered by Stephen Fewer, a principal security researcher at Rapid7, and reported to JetBrains in mid-February. A fix was released on March 4.

JetBrains has released TeamCity 2023.11.4, which includes a fix for CVE-2024-27198, and urges all users to update their instances to the latest version. Given the extensive exploitation already observed, administrators of on-premise TeamCity instances are advised to promptly install the latest release.
