CVE-2024-27198 — JetBrains TeamCity Authentication Bypass Vulnerability

CVE-2024-27198

JetBrains TeamCity — Alternative Path Auth Bypass → Admin Account Creation; Pre-Auth RCE; CVSS 9.8; KEV 3 Days Post-Patch; North Korean APT + Ransomware

What is JetBrains TeamCity?

JetBrains TeamCity is a widely deployed continuous integration and continuous delivery (CI/CD) server that development teams use to automate build, test, and deployment pipelines. It is especially common in enterprise Java and .NET shops, where it is often the primary CI/CD system. A compromised TeamCity server is an ideal foothold for a software supply chain attack: the server holds access to source code repositories, build secrets, deployment credentials and code signing material, and it can alter the artifacts it builds. The 2020 SolarWinds compromise showed how damaging a build-system compromise can be, which keeps TeamCity a persistently high-priority target for capable threat actors.

Overview

CVE-2024-27198 is an authentication bypass (CWE-288) in JetBrains TeamCity On-Premises. An unauthenticated remote attacker can reach authenticated REST API endpoints by routing a request through an alternate path that the server forwards internally without re-checking credentials. Discovered by Rapid7 and published alongside the companion CVE-2024-27199, it lets the attacker create a new system administrator account and so take full control of the server without any prior credentials. CISA added it to the KEV catalog three days after the patch, confirming in-the-wild exploitation; North Korean state-linked actors (APT45/Lazarus-linked) and ransomware affiliates were reported exploiting it within days of public disclosure.

Affected Versions

Product                 Vulnerable                                     Fixed
TeamCity On-Premises    all versions before 2023.11.4 (through 2023.11.3)    2023.11.4

TeamCity Cloud (the JetBrains-hosted service) had already been patched before public disclosure, and JetBrains reported that its hosted servers were not attacked.

Technical Details

The bypass is CWE-288, authentication bypass using an alternate path or channel. TeamCity decides whether a request needs authentication from its URL path, and a request for a path that does not exist is answered with a 404 before any authentication is required. That 404 handler, however, honours a query parameter named `jsp`: if the parameter is present and its value ends in `.jsp`, the request is forwarded internally to the path the parameter names. Two details turn this into a full bypass. The internal forward is not subjected to the authentication check that a direct request to the same path would face, and the servlet container treats `;.jsp` as a path parameter, so a value such as `/app/rest/users;.jsp` satisfies the suffix check while actually routing to `/app/rest/users`. A single request of the form `POST /anything?jsp=/app/rest/users;.jsp` therefore reaches the authenticated REST API as an anonymous client, and any other authenticated endpoint can be reached the same way.

Exploit steps (as demonstrated by Rapid7 and widely reproduced):

  1. Send a request for a non-existent path carrying a `jsp` query parameter that names an authenticated REST endpoint with a `;.jsp` suffix (for example `/app/rest/users;.jsp`), so the server forwards the request past its authentication check
  2. Put the REST API's JSON for a new user in the request body, granting the SYSTEM_ADMIN role with global scope; the forwarded request creates the account with attacker-chosen credentials (the same trick can also mint an access token for an existing administrator)
  3. Log in as the new administrator through the normal web UI or REST API
  4. Use administrator features to execute code: upload a server plugin for code execution on the TeamCity server itself, or add build steps that run arbitrary commands on every build agent
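Detection logic for the request shape Rapid7 described (a non-existent path, a `jsp` query parameter naming an authenticated REST path, and a `;.jsp` suffix on that value), run over web-server or reverse-proxy access logs in the combined log format. This is an added example, not Rapid7's or JetBrains' code; the log lines are constructed, and the `/app/rest/` prefix test and the finding labels are my choices.

```python
"""Spot CVE-2024-27198-style requests in access logs (added example, not vendor code)."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines (combined log format, RFC 5737 documentation IPs).
# Lines 1, 4 and 5 carry the bypass shape: line 4 is percent-encoded, line 5 hit a
# patched server and fell through to the ordinary 404.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Mar/2024:02:14:07 +0000] "POST /hax?jsp=/app/rest/users;.jsp HTTP/1.1" 200 412 "-" "python-requests/2.31.0"
198.51.100.7 - - [05/Mar/2024:02:15:00 +0000] "GET /login.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Mar/2024:02:15:05 +0000] "GET /app/rest/builds?locator=count:10 HTTP/1.1" 200 9981 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Mar/2024:02:16:31 +0000] "GET /nope?jsp=%2Fapp%2Frest%2Fserver%3B.jsp HTTP/1.1" 200 654 "-" "curl/8.4.0"
203.0.113.22 - - [05/Mar/2024:02:17:02 +0000] "GET /nope?jsp=/app/rest/server;.jsp HTTP/1.1" 404 1203 "-" "curl/8.4.0"
"""

LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def query_params(query: str) -> Dict[str, List[str]]:
    """Split on '&' only and percent-decode. parse_qs is avoided on purpose: older
    Python versions also split on ';', which would destroy the ';.jsp' indicator."""
    params: Dict[str, List[str]] = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def classify_request(target: str) -> Optional[str]:
    """Label one request target, or return None when no indicator is present."""
    parts = urlsplit(target)
    for value in query_params(parts.query).get("jsp", []):
        route, sep, path_param = value.partition(";")
        if sep and path_param.endswith(".jsp"):
            # The container routes on `route`; the `.jsp` only satisfied a suffix check.
            if route.startswith("/app/rest/"):
                return "cve-2024-27198-rest-bypass"
            return "jsp-path-parameter-forward"
    return None


def scan_log(text: str) -> List[dict]:
    """Return one finding per suspicious request line, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        label = classify_request(m["target"])
        if label is None:
            continue
        findings.append({
            "src": m["src"], "ts": m["ts"], "method": m["method"],
            "target": m["target"], "status": int(m["status"]), "label": label,
            # A 200 for a path that does not exist means the forward happened,
            # i.e. the server was unpatched when the request arrived.
            "likely_success": m["status"] == "200",
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = ", LIKELY SUCCESS" if f["likely_success"] else ""
        print(f"{f['ts']} {f['src']} {f['method']} {f['target']} -> {f['status']} [{f['label']}{flag}]")
```

Run it over reverse-proxy or Tomcat access logs covering the exposure window. A 200 response to a request for a path that does not exist is the strongest signal, because the same request against a patched server falls through to the ordinary 404; a 404 with the indicator still records who was probing.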

Supply chain impact: With admin access to TeamCity, an attacker can:

  • Use or repoint VCS root credentials to pull source code from every connected repository
  • Inject malicious build steps that embed backdoors in compiled artifacts
  • Access all stored build parameters and secrets (passwords, API keys, tokens)
  • Trigger builds with custom scripts on build agents (achieving RCE on multiple machines)

CVE-2024-27199 companion: a path traversal (CWE-23) fixed in the same release, CVSS 7.3. It exposes a limited set of authenticated endpoints to unauthenticated callers, enough to read some server settings and to replace the server's HTTPS certificate or change the HTTPS port, which enables denial of service or interception of TLS traffic.

Discovery

Stephen Fewer of Rapid7 found both issues and reported them to JetBrains in February 2024. JetBrains released TeamCity 2023.11.4 on March 4, 2024 without agreeing the timing with Rapid7, and Rapid7 published its full technical writeup and a working PoC demonstrating admin account creation the same day under its disclosure policy.

Exploitation Context

CISA added CVE-2024-27198 to the KEV catalog on March 7, 2024, three days after the patch. Within the week:

  • North Korean APT (APT45/Lazarus-linked): government agencies and security vendors reported North Korean state-linked actors scanning for and exploiting internet-facing TeamCity servers to establish persistent access for software supply chain compromise
  • Ransomware affiliates: ransomware operators used TeamCity access as an entry point into development teams' internal networks; publicly documented cases include BianLian (reported by GuidePoint Security) and Jasmin ransomware (reported by Trend Micro)
  • Mass scanning: within 24 hours of Rapid7's publication, mass scanning for exposed TeamCity instances was observed worldwide

Exposure was severe for two reasons: more than a thousand unpatched, internet-facing TeamCity servers were still observable days after the release, and full exploit details were public on patch day, so defenders had no head start. JetBrains also shipped a security patch plugin for servers on older versions that could not be upgraded immediately; it addresses both CVEs, but it is a stopgap, and the vendor's recommended fix is the 2023.11.4 upgrade.

Remediation

  1. Upgrade to TeamCity On-Premises 2023.11.4 or later immediately; servers that cannot be upgraded yet should install JetBrains' security patch plugin as a stopgap. The CISA BOD 22-01 deadline for federal agencies was March 28, 2024.
  2. Audit TeamCity user accounts for administrators you did not create, paying particular attention to accounts holding the SYSTEM_ADMIN role, and review access tokens on existing administrator accounts, since the bypass can mint a token as well as create a user. Treat the exposure window as starting when the server became internet-reachable while unpatched, not merely from March 4, 2024.
  3. Rotate every secret TeamCity holds or can reach: VCS credentials, deployment tokens, SSH keys, and any secrets stored as build parameters.
  4. Review build history and the server's audit log for build steps injected or project configurations modified during the exposure window, and check the installed plugin list for anything unfamiliar.
  5. Restrict network access to TeamCity: the web interface should not be directly reachable from the internet; place it behind a VPN or an IP allowlist.
  6. Audit build artifacts produced during the exposure window for malicious code injection, and consider rebuilding them from known-good source on clean agents.
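A helper for the account audit in step 2, as an added example that is not JetBrains' code. It pulls the user list through TeamCity's REST API with an access token (or, as run here, uses a constructed sample of that response) and lists global SYSTEM_ADMIN accounts that are either absent from an expected-admin list or logged in on or after the patch date. The expected-admin set, the sample data and the cutoff date are assumptions to replace with your own.

```python
"""Audit TeamCity's user list for administrator accounts that should not exist
(added example, not JetBrains' code)."""
import json
import urllib.request
from typing import Iterable, List

USERS_FIELDS = "user(id,username,email,lastLogin,roles(role(roleId,scope)))"

# Constructed response for GET /app/rest/users?fields=<USERS_FIELDS>.
# `lastLogin` is TeamCity's compact ISO 8601 form. User 3 models an account
# created through the bypass and used once, the morning after disclosure.
SAMPLE_USERS_JSON = """
{
  "count": 3,
  "user": [
    {"id": 1, "username": "admin", "email": "ci-admins@example.com",
     "lastLogin": "20240301T091500+0000",
     "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}},
    {"id": 2, "username": "j.dev", "email": "j.dev@example.com",
     "lastLogin": "20240303T175800+0000",
     "roles": {"role": [{"roleId": "PROJECT_DEVELOPER", "scope": "p:Frontend"}]}},
    {"id": 3, "username": "svc_backup2", "email": "none@localhost",
     "lastLogin": "20240305T021409+0000",
     "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}
  ]
}
"""

EXPECTED_GLOBAL_ADMINS = frozenset({"admin"})  # assumption: your known-good admin list
PATCH_DATE = "20240304"                        # 2023.11.4 released, details public


def fetch_users_json(base_url: str, token: str) -> str:
    """Pull the live user list with a TeamCity access token (Bearer auth).
    Not exercised by the sample run below."""
    url = f"{base_url.rstrip('/')}/app/rest/users?fields={USERS_FIELDS}"
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def global_admins(users_json: str) -> List[dict]:
    """Users holding SYSTEM_ADMIN with global scope "g", the role the public PoC granted."""
    users = json.loads(users_json).get("user", [])
    return [u for u in users
            if any(r.get("roleId") == "SYSTEM_ADMIN" and r.get("scope") == "g"
                   for r in u.get("roles", {}).get("role", []))]


def suspicious_admins(users_json: str, expected: Iterable[str] = EXPECTED_GLOBAL_ADMINS,
                      patch_date: str = PATCH_DATE) -> List[dict]:
    """Global admins that are unexpected, or that logged in on/after the patch date."""
    expected = set(expected)
    findings = []
    for u in global_admins(users_json):
        reasons = []
        if u.get("username") not in expected:
            reasons.append("global SYSTEM_ADMIN not in the expected list")
        if u.get("lastLogin", "")[:8] >= patch_date:  # YYYYMMDD compares correctly as text
            reasons.append(f"last login on/after {patch_date}")
        if reasons:
            findings.append({"id": u.get("id"), "username": u.get("username"),
                             "email": u.get("email"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_admins(SAMPLE_USERS_JSON):
        print(f"user {f['id']} {f['username']!r} ({f['email']}): {'; '.join(f['reasons'])}")
```

The REST user object carries no creation timestamp, which is why the check leans on an allowlist plus the last-login date rather than on "accounts created after March 4". A legitimate administrator who logged in after the patch will also be listed; that is the intended trade-off, since those are exactly the sessions worth a second look.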

Key Details

Property              Value
CVE ID                CVE-2024-27198
Vendor / Product      JetBrains — TeamCity
NVD Published         2024-03-04
NVD Last Modified     2025-10-24
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-288
CISA KEV Added        2024-03-07
CISA KEV Deadline     2024-03-28
Known Ransomware Use  ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2024-03-28. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2024-03-04    JetBrains releases TeamCity 2023.11.4 with the fix; Rapid7 publishes its analysis and PoC; CVE published
2024-03-07    CISA adds CVE-2024-27198 to the KEV catalog (3 days after the patch; exploitation confirmed)
2024-03-28    CISA BOD 22-01 remediation deadline