Massive Exploitation of TeamCity Auth Bypass Vulnerability Leads to Creation of Admin Accounts
March 7, 2024
Hackers have begun to exploit a critical-severity authentication bypass vulnerability, CVE-2024-27198, in TeamCity On-Premises. JetBrains, the company behind TeamCity, has released an update addressing the issue, but it appears that the exploitation is widespread, with hundreds of new users being created on unpatched instances that are publicly accessible.
LeakIX, a search engine that identifies exposed device misconfigurations and vulnerabilities, has reported that approximately 1,700 TeamCity servers are yet to be patched. The majority of these vulnerable hosts are located in Germany, the United States, and Russia, with a smaller number in China, the Netherlands, and France. The platform indicates that hackers have already compromised more than 1,440 instances.
GreyNoise, a company specializing in the analysis of internet scanning traffic, recorded a sharp increase in attempts to exploit CVE-2024-27198 on March 5. Most attempts originate from systems in the United States on the DigitalOcean hosting infrastructure.
The compromised TeamCity servers are primarily production machines used for building and deploying software. This means that a compromise could potentially lead to supply-chain attacks, as these servers may contain sensitive information such as credentials for environments where code is deployed, published, or stored. Cybersecurity company Rapid7 echoed this concern in a blog post, stating, 'Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artifacts, and as such is a suitable vector to position an attacker to perform a supply chain attack.'
CVE-2024-27198 has a critical severity score of 9.8 out of 10 and affects all releases of TeamCity On-Premises before 2023.11.4. The vulnerability allows a remote, unauthenticated attacker to take control of a vulnerable server with administrative privileges. It was discovered by Stephen Fewer, a principal security researcher at Rapid7, and reported to JetBrains in mid-February. A fix was released on March 4.
JetBrains has released TeamCity 2023.11.4, which includes a fix for CVE-2024-27198, and urges all users to update their instances to the latest version. Given the extensive exploitation already observed, administrators of TeamCity On-Premises instances are advised to promptly install the latest release.
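
The two checks this report implies for an administrator, which servers still run a release older than 2023.11.4 and which accounts appeared during the exploitation window, can be scripted. The following is an added example, not code from JetBrains or the article; the export layout, the role field, the sample data and the March 4 review cutoff are assumptions.

```python
import re
from datetime import datetime, timezone

FIXED = (2023, 11, 4)  # release the article names as carrying the fix
# Assumption: review accounts created since the fix release date (March 4, 2024).
REVIEW_SINCE = datetime(2024, 3, 4, tzinfo=timezone.utc)

def parse_version(text):
    """Return (year, minor, patch) from strings like '2023.11.3 (build N)'."""
    m = re.search(r"\b(\d{4})\.(\d{1,2})(?:\.(\d+))?", text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def needs_patch(version_text):
    """True if older than the fixed release, False if not, None if unparsable."""
    v = parse_version(version_text)
    return None if v is None else v < FIXED

def accounts_to_review(users, approved, since=REVIEW_SINCE):
    """Accounts created on/after `since` that nobody approved, admins first."""
    hits = []
    for u in users:
        created = datetime.fromisoformat(u["created"])
        if created >= since and u["username"] not in approved:
            hits.append((u["username"], "SYSTEM_ADMIN" in u["roles"]))
    return sorted(hits, key=lambda h: (not h[1], h[0]))

# Constructed sample data (hypothetical export layout, not TeamCity's API schema).
SERVERS = {"ci-a": "2023.11.3 (build 00000)", "ci-b": "2023.11.4", "ci-c": "unknown"}
USERS = [
    {"username": "build-admin", "created": "2022-06-01T09:00:00+00:00",
     "roles": ["SYSTEM_ADMIN"]},
    {"username": "svc-x7k2", "created": "2024-03-05T14:12:00+00:00",
     "roles": ["SYSTEM_ADMIN"]},
    {"username": "new-dev", "created": "2024-03-06T08:30:00+00:00",
     "roles": ["PROJECT_DEVELOPER"]},
    {"username": "intern", "created": "2024-03-05T10:00:00+00:00",
     "roles": ["PROJECT_VIEWER"]},
]

if __name__ == "__main__":
    for host, version in SERVERS.items():
        state = {True: "PATCH NOW", False: "ok", None: "check manually"}
        print(host, version, state[needs_patch(version)])
    for name, is_admin in accounts_to_review(USERS, approved={"new-dev"}):
        print("review account:", name, "(admin)" if is_admin else "")
```

A server whose version string cannot be parsed is reported for manual checking rather than assumed patched.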