{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/jetbrains/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-33392"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-33392","rce","jetbrains","youtrack","sandbox-bypass"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-33392 describes a remote code execution (RCE) vulnerability affecting JetBrains YouTrack servers before version 2025.3.131383. This vulnerability allows a high privileged user to bypass the application\u0026rsquo;s sandbox and execute arbitrary code on the underlying system. While the specific exploitation details are not provided in the source, successful exploitation would grant the attacker complete control over the YouTrack server and potentially the entire network. Given the potential for complete system compromise, organizations using affected versions of YouTrack should prioritize patching this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the YouTrack server with a high-privileged account.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious payload designed to exploit the sandbox bypass. This payload leverages the improper neutralization of special elements used in a template engine (CWE-1336).\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious payload into a vulnerable field or function within YouTrack, such as a custom workflow or template.\u003c/li\u003e\n\u003cli\u003eThe YouTrack server processes the malicious payload, failing to properly sanitize the input.\u003c/li\u003e\n\u003cli\u003eThe injected payload bypasses the intended security sandbox restrictions.\u003c/li\u003e\n\u003cli\u003eArbitrary code is executed on the YouTrack server, outside the intended sandbox environment.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the gained code execution to install a webshell or other persistent access mechanisms.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised YouTrack server as a pivot point to access other systems within the network, potentially leading to data exfiltration or further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33392 allows a high privileged user to execute arbitrary code on the YouTrack server. This can lead to complete system compromise, including data theft, modification, or destruction. The impact is especially significant for organizations that rely on YouTrack for critical project management and issue tracking, as a compromised server can disrupt operations, expose sensitive information, and damage reputation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade JetBrains YouTrack to version 2025.3.131383 or later to patch CVE-2026-33392.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect potential exploitation attempts against YouTrack servers.\u003c/li\u003e\n\u003cli\u003eReview and restrict high-privilege user access within YouTrack to minimize the potential attack surface.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity, particularly requests containing unusual characters or patterns indicative of code injection attempts, to assist with detection of similar exploits.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T08:16:17Z","date_published":"2026-04-17T08:16:17Z","id":"/briefs/2026-04-jetbrains-rce/","summary":"A high privileged user can achieve remote code execution via sandbox bypass in JetBrains YouTrack before version 2025.3.131383, identified as CVE-2026-33392, potentially leading to complete system compromise.","title":"JetBrains YouTrack RCE via Sandbox Bypass (CVE-2026-33392)","url":"https://feed.craftedsignal.io/briefs/2026-04-jetbrains-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2024-27199"}],"_cs_exploited":true,"_cs_products":["TeamCity"],"_cs_severities":["critical"],"_cs_tags":["cve-2024-27199","path-traversal","ransomware","jetbrains"],"_cs_type":"threat","_cs_vendors":["JetBrains"],"content_html":"\u003cp\u003eCVE-2024-27199 is a relative path traversal vulnerability affecting JetBrains TeamCity, a continuous integration and deployment server. This vulnerability allows attackers to perform limited administrative actions by manipulating file paths. JetBrains released a patch for this vulnerability in version 2023.11.4. CISA has added CVE-2024-27199 to its Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild, including its use in ransomware attacks. The vulnerability poses a significant risk to organizations using TeamCity, potentially leading to unauthorized access, data breaches, and system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable TeamCity server exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request containing a relative path traversal sequence (e.g., \u003ccode\u003e../../\u003c/code\u003e) within a URL parameter related to administrative functions.\u003c/li\u003e\n\u003cli\u003eThe TeamCity server processes the crafted request without proper sanitization of the file path.\u003c/li\u003e\n\u003cli\u003eThe relative path traversal allows the attacker to access or modify restricted files or directories outside the intended scope.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the ability to perform limited admin actions, potentially modifying user permissions or injecting malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges, gaining full control over the TeamCity server.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys ransomware to connected systems, encrypting data and demanding a ransom for its release.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2024-27199 can lead to complete compromise of the TeamCity server and connected build agents. Due to TeamCity\u0026rsquo;s central role in software development and deployment pipelines, this can lead to significant disruption, data loss, and potential supply chain attacks. The vulnerability has been linked to ransomware attacks, causing financial losses, reputational damage, and operational downtime for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-supplied patch by upgrading to TeamCity version 2023.11.4 or later to remediate CVE-2024-27199 (\u003ca href=\"https://www.jetbrains.com/privacy-security/issues-fixed/\"\u003ehttps://www.jetbrains.com/privacy-security/issues-fixed/\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to detect exploitation attempts against TeamCity servers.\u003c/li\u003e\n\u003cli\u003eFollow CISA\u0026rsquo;s BOD 22-01 guidance for cloud services to ensure proper security configurations and monitoring are in place.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-04-29T12:00:00Z","date_published":"2024-04-29T12:00:00Z","id":"/briefs/2024-04-teamcity-path-traversal/","summary":"A relative path traversal vulnerability in JetBrains TeamCity (CVE-2024-27199) could allow limited administrative actions and has been linked to ransomware attacks.","title":"JetBrains TeamCity Relative Path Traversal Vulnerability (CVE-2024-27199)","url":"https://feed.craftedsignal.io/briefs/2024-04-teamcity-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Jetbrains","version":"https://jsonfeed.org/version/1.1"}