What is JetBrains TeamCity?
JetBrains TeamCity is a widely used continuous integration and continuous delivery (CI/CD) server that software development teams use to automate building, testing, and deploying software. TeamCity manages build configurations and stores VCS (version control system) credentials (Git, SVN), artifact registry credentials, deployment credentials, and API keys for connected infrastructure. The platform executes build scripts and deployment pipelines with privileged access to production environments. A TeamCity compromise therefore enables supply chain attacks: an attacker with admin access can modify build configurations to inject malicious code into software builds, steal every stored credential, and reach connected cloud and on-premises deployment targets.
Overview
CVE-2023-42793 is a critical authentication bypass vulnerability in JetBrains TeamCity On-Premises that allows an unauthenticated attacker to create an administrator access token and use it for full RCE on the TeamCity server. Patched on September 18, 2023, it was publicly exploited within hours via a Rapid7 PoC. CISA added it to KEV on October 4, and a subsequent joint advisory from CISA, NSA, FBI, and partner agencies confirmed active exploitation by APT29 (Russian SVR) and North Korean threat actors targeting software supply chains.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| TeamCity On-Premises | All versions before 2023.05.4 | 2023.05.4 |
TeamCity Cloud (JetBrains-hosted) was patched automatically and is not affected.
Technical Details
CWE-288 (Authentication Bypass Using an Alternate Path or Channel). TeamCity's REST API contains an endpoint that, under certain conditions, can be accessed without authentication. The vulnerable endpoint allows creation of a new administrative authentication token. An unauthenticated attacker can:
- Send a crafted HTTP request to the vulnerable API endpoint to generate a new admin token
- Use the generated admin token to authenticate to TeamCity as a server administrator
- As a TeamCity admin, execute arbitrary OS commands via TeamCity's agent management interface, plugin installation, or external process execution functionality
The complete attack chain from unauthenticated access to OS command execution was publicly demonstrated by Rapid7 the day after patching, dramatically accelerating exploitation. The endpoint does not require any credentials or prior knowledge about the target TeamCity instance.
Discovery
Discovered by Rapid7's security research team, which disclosed it responsibly to JetBrains. JetBrains released the patch on September 18; Rapid7 published a PoC on September 19. The public PoC enabled rapid weaponization by threat actors, who began mass exploitation of internet-facing TeamCity instances within days.
Exploitation Context
Two nation-state actor categories were confirmed exploiting CVE-2023-42793:
APT29 (Russian SVR / Cozy Bear): Used TeamCity access to conduct supply chain intrusions — a continuation of SolarWinds-style tactics targeting software build infrastructure. Gaining TeamCity admin access provides SVR with the ability to inject malicious code into software products built by compromised companies, potentially affecting downstream customers.
North Korean actors (tracked as Diamond Sleet / ZINC and Onyx Sleet / PLUTONIUM): Exploited TeamCity for initial access to software companies, harvesting credentials for further intrusion, cryptomining deployment, and intellectual property theft from the CI/CD environment.
Ransomware groups also exploited TeamCity as an initial access vector, using admin access to execute commands and deploy ransomware across connected build and deployment infrastructure.
Remediation
- Upgrade to TeamCity 2023.05.4 or later immediately.
- If immediate upgrade is not possible, use JetBrains' security patch plugin (available separately) as a temporary mitigation.
- Review TeamCity admin access logs for token creation events — look for tokens created from unexpected IPs or at unusual times around the September-October 2023 period.
- Audit all TeamCity VCS roots (Git/SVN credentials), build configurations, and deployment credentials — any stored credential may have been harvested if the instance was compromised.
- Check for unexpected build configuration modifications, new user accounts, or plugin installations that could indicate backdoor implantation.
- Restrict access to TeamCity to authenticated users via VPN — the TeamCity management interface should not be reachable from the public internet.
- Rotate all credentials stored in TeamCity: VCS tokens, cloud provider API keys, deployment SSH keys, and artifact registry credentials.
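The log-review step above can be scripted. The following is an added defensive example, not code from the page or from JetBrains: the audit lines and their field layout are constructed for illustration and assume a hypothetical `AUDIT ... action=token_created` format rather than TeamCity's real log format, and the trusted network range and business hours are assumptions a team would replace with its own.

```python
import re
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample audit log (hypothetical layout, not TeamCity's actual format):
# "<date> <time> AUDIT user=<name> action=<action> ip=<source address>"
SAMPLE_LOG = """\
2023-09-20 10:12:03 AUDIT user=ci-admin action=token_created ip=10.0.5.21
2023-09-21 03:14:47 AUDIT user=admin action=token_created ip=203.0.113.77
2023-09-21 09:30:10 AUDIT user=dev-jane action=login ip=10.0.5.40
2023-10-02 23:58:01 AUDIT user=admin action=token_created ip=10.0.5.21
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) AUDIT "
    r"user=(?P<user>\S+) action=(?P<action>\S+) ip=(?P<ip>\S+)$"
)

# Assumptions: management traffic comes from the internal 10/8 range during working hours.
TRUSTED_NETS = [ip_network("10.0.0.0/8")]
BUSINESS_HOURS = (time(8, 0), time(18, 0))


def parse_event(line):
    """Return a dict for one audit line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def suspicious_token_events(log_text):
    """Flag token-creation events from untrusted IPs or outside business hours."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["action"] != "token_created":
            continue
        reasons = []
        if not any(ip_address(ev["ip"]) in net for net in TRUSTED_NETS):
            reasons.append("untrusted source ip")
        if not BUSINESS_HOURS[0] <= ev["ts"].time() <= BUSINESS_HOURS[1]:
            reasons.append("outside business hours")
        if reasons:
            findings.append({**ev, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_token_events(SAMPLE_LOG):
        print(f["ts"], f["user"], f["ip"], ", ".join(f["reasons"]))
```

Any hit should be correlated with the remaining steps in the list: a token created out of hours or from an unexpected address is grounds to audit build configurations and rotate stored credentials, not proof on its own.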
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-42793 |
| Vendor / Product | JetBrains — TeamCity |
| NVD Published | 2023-09-19 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-288 |
| CISA KEV Added | 2023-10-04 |
| CISA KEV Deadline | 2023-10-25 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2023-09-18 | JetBrains releases TeamCity 2023.05.4 patching CVE-2023-42793 |
| 2023-09-19 | Rapid7 publishes PoC demonstrating complete unauthenticated RCE chain |
| 2023-10-04 | CISA adds to Known Exploited Vulnerabilities catalog |
| 2023-10-18 | CISA, NSA, FBI, and international partners issue joint advisory attributing exploitation to APT29 (Russia) and North Korean actors |
| 2023-10-25 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| JetBrains Security Advisory — CVE-2023-42793 | Vendor Advisory |
| NVD — CVE-2023-42793 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |