https://feed.craftedsignal.io/tags/teamcity/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 22 Apr 2026 10:00:00 +0000https://feed.craftedsignal.io/briefs/2026-04-jetbrains-teamcity-vulns/Wed, 22 Apr 2026 10:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-jetbrains-teamcity-vulns/Unpatched JetBrains TeamCity servers are being actively exploited via an authentication bypass (CVE-2024-27198) and path traversal vulnerability (CVE-2024-27199), allowing attackers to perform administrative actions and potentially conduct supply-chain attacks.JetBrains TeamCity, a CI/CD software platform, is vulnerable to CVE-2024-27198, an authentication bypass, and CVE-2024-27199, a path traversal vulnerability. These flaws affect TeamCity versions prior to 2023.11.4. Initially, there was no observed active exploitation. However, by March 7, 2024, widespread exploitation was detected following the public availability of proof-of-concept code. Attackers are actively exploiting these vulnerabilities to create new user accounts on publicly exposed, unpatched TeamCity instances. A substantial number of compromised servers are utilized as production machines for software building and deployment. These attacks have the potential to lead to supply-chain compromises by exposing sensitive information. CISA added CVE-2024-27199 to its Known Exploited Vulnerabilities catalog on April 20, 2026.

Attack Chain

1. The attacker sends a crafted HTTP request to a vulnerable TeamCity server, exploiting CVE-2024-27198 to bypass authentication.
2. Once authenticated (or bypassing authentication), the attacker leverages CVE-2024-27199, a path traversal vulnerability, to access sensitive files and directories on the server.
3. The attacker reads configuration files containing credentials for other systems and services.
4. The attacker creates new administrative user accounts on the TeamCity server to ensure persistent access.
5. The attacker modifies build configurations to inject malicious code into software builds.
6. The attacker compromises the software supply chain by injecting malicious code into build artifacts.
7. The attacker uses stolen credentials to access deployment environments and deploy compromised builds.

Impact

Successful exploitation allows attackers to perform administrative actions on affected TeamCity servers, leading to a compromise of confidentiality, integrity, and availability of data and infrastructure. The compromise of TeamCity servers used for software building and deployment can result in supply-chain attacks, as these servers often contain sensitive information, such as credentials for deployment environments. A substantial portion of compromised TeamCity servers are utilized as production machines for software building and deployment processes, increasing the scope and impact of potential supply chain attacks.

Recommendation

• Immediately patch all JetBrains TeamCity servers to version 2023.11.4 or later to remediate CVE-2024-27198 and CVE-2024-27199 (Reference: https://www.jetbrains.com/privacy-security/issues-fixed/).
• Deploy the Sigma rule “Detect TeamCity Authentication Bypass Attempt” to your SIEM to detect exploitation attempts of CVE-2024-27198.
• Enable web server logging and increase monitoring to detect suspicious activity related to path traversal attempts indicative of CVE-2024-27199 exploitation.
• Monitor for the creation of new user accounts within TeamCity, especially administrative accounts, which could indicate successful exploitation.

]]>criticalthreatteamcityvulnerabilityauthentication bypasspath traversalsupply-chainhttps://feed.craftedsignal.io/briefs/2024-05-jetbrains-teamcity-suspicious-child-process/Wed, 15 May 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-05-jetbrains-teamcity-suspicious-child-process/Detection of suspicious processes spawned by JetBrains TeamCity indicates potential exploitation of remote code execution vulnerabilities, with attackers using command interpreters and system binaries for malicious purposes.JetBrains TeamCity is a continuous integration and deployment server, making it a high-value target for attackers. Exploitation of TeamCity vulnerabilities can lead to remote code execution, enabling adversaries to compromise the software development pipeline. This activity is detected by monitoring for suspicious child processes initiated by the TeamCity Java executable, focusing on executables like cmd.exe, powershell.exe, and msiexec.exe. The detection logic excludes legitimate operations to reduce false positives. This activity can lead to complete compromise of the build environment, allowing attackers to inject malicious code into software builds.

Attack Chain

1. Initial Access: An attacker exploits a vulnerability (e.g., CVE-2023-42793) in the TeamCity server to gain initial access.
2. Code Execution: The attacker leverages the vulnerability to execute arbitrary code on the TeamCity server.
3. Process Spawning: The attacker spawns a command interpreter, such as cmd.exe or powershell.exe, from the TeamCity Java process (java.exe).
4. Discovery: The attacker uses discovery commands via the spawned shell to enumerate users, network configuration, and running processes using tools like whoami.exe, ipconfig.exe, and tasklist.exe.
5. Defense Evasion: The attacker leverages system binary proxy execution using tools like mshta.exe or regsvr32.exe to evade detection.
6. Persistence: While not explicitly mentioned, the attacker could establish persistence by creating scheduled tasks or modifying registry keys via spawned processes.
7. Lateral Movement: The attacker uses discovered credentials to move laterally to other systems within the network.
8. Impact: The attacker injects malicious code into software builds, compromises sensitive data, or deploys ransomware.

Impact

Successful exploitation of JetBrains TeamCity can lead to a full compromise of the software development lifecycle, resulting in supply chain attacks. Attackers can inject malicious code into software builds, leading to widespread distribution of compromised software. While specific victim counts are unavailable, this type of attack has the potential to affect numerous organizations relying on the compromised software. The Trend Micro research indicates that TeamCity vulnerability exploits can lead to Jasmin ransomware deployment.

Recommendation

• Deploy the “Suspicious JetBrains TeamCity Child Process” rule to your SIEM to detect potential exploitation attempts.
• Enable Sysmon process creation logging to capture process execution events, which are essential for triggering the detection rule.
• Review and patch any known vulnerabilities in JetBrains TeamCity, focusing on remote code execution flaws as described in the referenced Trend Micro report.
• Implement network segmentation to limit the impact of a compromised TeamCity server and prevent lateral movement.
• Continuously monitor TeamCity server logs for any unusual activity or unauthorized access attempts.
• Tune the “Suspicious JetBrains TeamCity Child Process” rule by creating exceptions for legitimate build scripts that invoke command-line utilities to reduce false positives, as mentioned in the rule’s documentation.

]]>mediumadvisoryteamcitysupply-chaininitial-access