Widespread Exploitation of Critical TeamCity Flaw to Create Admin Accounts

March 7, 2024

Hackers have begun exploiting a critical authentication bypass vulnerability, CVE-2024-27198, in TeamCity On-Premises, a product of JetBrains. The company addressed the flaw in an update earlier this week. The scale of exploitation is significant, with hundreds of new users being created on unpatched TeamCity instances that are exposed to the internet. According to data from LeakIX, a search engine for exposed and vulnerable devices, over 1,700 TeamCity servers have yet to apply the fix. Vulnerable hosts are primarily located in Germany, the U.S., and Russia, followed by China, the Netherlands, and France. The platform indicates that hackers have already compromised more than 1,440 of those instances.

LeakIX reported that compromised instances usually have between 3 and 300 new users, typically with usernames of 8 alphanumeric characters. GreyNoise, a firm that analyzes internet scanning traffic, also recorded a sharp increase in attempts to exploit CVE-2024-27198 on March 5. The majority of these attempts originate from U.S.-based systems hosted on DigitalOcean infrastructure.

Gregory Boddin from LeakIX noted that the observed TeamCity servers are production machines used for building and deploying software. This suggests that their compromise could potentially lead to supply-chain attacks, as these servers may contain sensitive information such as credentials for the environments where code is deployed, published, or stored. Cybersecurity firm Rapid7 echoed this concern in a blog post, stating, “Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artifacts, and as such is a suitable vector to position an attacker to perform a supply chain attack”.

The vulnerability, CVE-2024-27198, has a critical severity score of 9.8 out of 10 and affects all releases of the on-premises version of TeamCity through 2023.11.3; the fix is in 2023.11.4. It resides in the server's web component and allows a remote, unauthenticated attacker to take control of a vulnerable server with administrative privileges. The vulnerability was discovered by Stephen Fewer, a principal security researcher at Rapid7, who reported it to JetBrains in mid-February. The company released a fix for the flaw on March 4.

JetBrains announced the release of TeamCity 2023.11.4 on Monday, which includes a fix for CVE-2024-27198, and is urging all users to update their instances to the latest version. Given the widespread exploitation that has already been observed, administrators of on-premises TeamCity instances should urgently install the newest release.
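As an added example (not code from the article, nor from LeakIX, GreyNoise, Rapid7 or JetBrains), the following Python triage script turns two facts reported above into checks an administrator can run against an inventory of TeamCity servers: the version that carries the fix (2023.11.4), and LeakIX's indicator that compromised instances hold batches of new accounts with 8-character alphanumeric usernames. The sample version string and user list are constructed for illustration; the JSON shape is assumed to match what TeamCity's REST user listing returns, and the threshold of three matching accounts is an assumption taken from the low end of LeakIX's 3-to-300 range.

```python
import json
import re

# Version that contains the fix for CVE-2024-27198 (per the article).
FIXED_VERSION = (2023, 11, 4)

# Indicator reported by LeakIX: attacker-created accounts typically have
# usernames of exactly 8 alphanumeric characters.
SUSPECT_USERNAME = re.compile(r"[A-Za-z0-9]{8}")

# Assumption: flag a host once this many matching accounts exist (LeakIX saw
# 3 to 300 per compromised instance; 3 is the low end of that range).
SUSPECT_THRESHOLD = 3


def parse_version(version: str) -> tuple:
    """Turn a TeamCity version string such as '2023.11.3 (build 147512)' into
    a comparable integer tuple, ignoring any '(build N)' suffix and padding
    to three components so '2023.11' compares as 2023.11.0."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised TeamCity version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_vulnerable(version: str) -> bool:
    """True when the server predates 2023.11.4 and so lacks the fix."""
    return parse_version(version) < FIXED_VERSION


def suspect_users(users_json: str) -> list:
    """Return usernames matching the 8-alphanumeric indicator.

    The input is assumed to have the shape of TeamCity's REST user listing:
    {"count": N, "user": [{"id": ..., "username": ...}, ...]}.
    """
    doc = json.loads(users_json)
    return [
        u["username"]
        for u in doc.get("user", [])
        if SUSPECT_USERNAME.fullmatch(u.get("username", ""))
    ]


def triage(version: str, users_json: str) -> dict:
    """Combine both checks into one verdict for a single TeamCity server."""
    flagged = suspect_users(users_json)
    return {
        "version": parse_version(version),
        "vulnerable": is_vulnerable(version),
        "suspect_users": flagged,
        "likely_compromised": len(flagged) >= SUSPECT_THRESHOLD,
    }


# Constructed sample data: an unpatched server whose user list contains the
# operator's own accounts plus three accounts following the attacker pattern.
SAMPLE_VERSION = "2023.11.3 (build 147512)"
SAMPLE_USERS = json.dumps({
    "count": 6,
    "user": [
        {"id": 1, "username": "admin", "name": "Administrator"},
        {"id": 2, "username": "jane.doe", "name": "Jane Doe"},
        {"id": 3, "username": "ci-bot", "name": "Build bot"},
        {"id": 4, "username": "Xk3pQ9aZ"},
        {"id": 5, "username": "m2Rt8bLq"},
        {"id": 6, "username": "v7Hs1NcE"},
    ],
})

if __name__ == "__main__":
    verdict = triage(SAMPLE_VERSION, SAMPLE_USERS)
    print(json.dumps(verdict, indent=2))
```

Two caveats apply when using this against real servers. First, an 8-character alphanumeric username is an indicator, not proof: legitimate accounts can match it, and an attacker is free to choose any other naming scheme, so every flagged account should be checked against the organisation's user directory and its group memberships reviewed. Second, because the flaw gives an unauthenticated attacker administrative control, an internet-exposed instance that was still on a version before 2023.11.4 during the exploitation window should be treated as potentially compromised even when no suspicious accounts are found, and the credentials it holds for deployment and artifact environments rotated.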
