{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/teamcity/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2024-27198"},{"cvss":7.3,"id":"CVE-2024-27199"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["teamcity","vulnerability","authentication bypass","path traversal","supply-chain"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eJetBrains TeamCity, a CI/CD software platform, is vulnerable to CVE-2024-27198, an authentication bypass, and CVE-2024-27199, a path traversal vulnerability. These flaws affect TeamCity versions prior to 2023.11.4. Initially, there was no observed active exploitation. However, by March 7, 2024, widespread exploitation was detected following the public availability of proof-of-concept code. Attackers are actively exploiting these vulnerabilities to create new user accounts on publicly exposed, unpatched TeamCity instances. A substantial number of compromised servers are utilized as production machines for software building and deployment. These attacks have the potential to lead to supply-chain compromises by exposing sensitive information. CISA added CVE-2024-27199 to its Known Exploited Vulnerabilities catalog on April 20, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to a vulnerable TeamCity server, exploiting CVE-2024-27198 to bypass authentication.\u003c/li\u003e\n\u003cli\u003eOnce authenticated (or bypassing authentication), the attacker leverages CVE-2024-27199, a path traversal vulnerability, to access sensitive files and directories on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker reads configuration files containing credentials for other systems and services.\u003c/li\u003e\n\u003cli\u003eThe attacker creates new administrative user accounts on the TeamCity server to ensure persistent access.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies build configurations to inject malicious code into software builds.\u003c/li\u003e\n\u003cli\u003eThe attacker compromises the software supply chain by injecting malicious code into build artifacts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses stolen credentials to access deployment environments and deploy compromised builds.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to perform administrative actions on affected TeamCity servers, leading to a compromise of confidentiality, integrity, and availability of data and infrastructure. The compromise of TeamCity servers used for software building and deployment can result in supply-chain attacks, as these servers often contain sensitive information, such as credentials for deployment environments. A substantial portion of compromised TeamCity servers are utilized as production machines for software building and deployment processes, increasing the scope and impact of potential supply chain attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch all JetBrains TeamCity servers to version 2023.11.4 or later to remediate CVE-2024-27198 and CVE-2024-27199 (Reference: \u003ca href=\"https://www.jetbrains.com/privacy-security/issues-fixed/)\"\u003ehttps://www.jetbrains.com/privacy-security/issues-fixed/)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect TeamCity Authentication Bypass Attempt\u0026rdquo; to your SIEM to detect exploitation attempts of CVE-2024-27198.\u003c/li\u003e\n\u003cli\u003eEnable web server logging and increase monitoring to detect suspicious activity related to path traversal attempts indicative of CVE-2024-27199 exploitation.\u003c/li\u003e\n\u003cli\u003eMonitor for the creation of new user accounts within TeamCity, especially administrative accounts, which could indicate successful exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T10:00:00Z","date_published":"2026-04-22T10:00:00Z","id":"/briefs/2026-04-jetbrains-teamcity-vulns/","summary":"Unpatched JetBrains TeamCity servers are being actively exploited via an authentication bypass (CVE-2024-27198) and path traversal vulnerability (CVE-2024-27199), allowing attackers to perform administrative actions and potentially conduct supply-chain attacks.","title":"JetBrains TeamCity Authentication Bypass and Path Traversal Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-04-jetbrains-teamcity-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2023-42793"}],"_cs_exploited":false,"_cs_products":["TeamCity"],"_cs_severities":["medium"],"_cs_tags":["teamcity","supply-chain","initial-access"],"_cs_type":"advisory","_cs_vendors":["JetBrains"],"content_html":"\u003cp\u003eJetBrains TeamCity is a continuous integration and deployment server, making it a high-value target for attackers. Exploitation of TeamCity vulnerabilities can lead to remote code execution, enabling adversaries to compromise the software development pipeline. This activity is detected by monitoring for suspicious child processes initiated by the TeamCity Java executable, focusing on executables like \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, and \u003ccode\u003emsiexec.exe\u003c/code\u003e. The detection logic excludes legitimate operations to reduce false positives. This activity can lead to complete compromise of the build environment, allowing attackers to inject malicious code into software builds.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker exploits a vulnerability (e.g., CVE-2023-42793) in the TeamCity server to gain initial access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Execution:\u003c/strong\u003e The attacker leverages the vulnerability to execute arbitrary code on the TeamCity server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eProcess Spawning:\u003c/strong\u003e The attacker spawns a command interpreter, such as \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e, from the TeamCity Java process (\u003ccode\u003ejava.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker uses discovery commands via the spawned shell to enumerate users, network configuration, and running processes using tools like \u003ccode\u003ewhoami.exe\u003c/code\u003e, \u003ccode\u003eipconfig.exe\u003c/code\u003e, and \u003ccode\u003etasklist.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker leverages system binary proxy execution using tools like \u003ccode\u003emshta.exe\u003c/code\u003e or \u003ccode\u003eregsvr32.exe\u003c/code\u003e to evade detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e While not explicitly mentioned, the attacker could establish persistence by creating scheduled tasks or modifying registry keys via spawned processes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses discovered credentials to move laterally to other systems within the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker injects malicious code into software builds, compromises sensitive data, or deploys ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of JetBrains TeamCity can lead to a full compromise of the software development lifecycle, resulting in supply chain attacks. Attackers can inject malicious code into software builds, leading to widespread distribution of compromised software. While specific victim counts are unavailable, this type of attack has the potential to affect numerous organizations relying on the compromised software. The Trend Micro research indicates that TeamCity vulnerability exploits can lead to Jasmin ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Suspicious JetBrains TeamCity Child Process\u0026rdquo; rule to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture process execution events, which are essential for triggering the detection rule.\u003c/li\u003e\n\u003cli\u003eReview and patch any known vulnerabilities in JetBrains TeamCity, focusing on remote code execution flaws as described in the referenced Trend Micro report.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised TeamCity server and prevent lateral movement.\u003c/li\u003e\n\u003cli\u003eContinuously monitor TeamCity server logs for any unusual activity or unauthorized access attempts.\u003c/li\u003e\n\u003cli\u003eTune the \u0026ldquo;Suspicious JetBrains TeamCity Child Process\u0026rdquo; rule by creating exceptions for legitimate build scripts that invoke command-line utilities to reduce false positives, as mentioned in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-15T12:00:00Z","date_published":"2024-05-15T12:00:00Z","id":"/briefs/2024-05-jetbrains-teamcity-suspicious-child-process/","summary":"Detection of suspicious processes spawned by JetBrains TeamCity indicates potential exploitation of remote code execution vulnerabilities, with attackers using command interpreters and system binaries for malicious purposes.","title":"Suspicious Child Processes Spawned by JetBrains TeamCity","url":"https://feed.craftedsignal.io/briefs/2024-05-jetbrains-teamcity-suspicious-child-process/"}],"language":"en","title":"CraftedSignal Threat Feed — Teamcity","version":"https://jsonfeed.org/version/1.1"}