CVE-2024-27199

JetBrains TeamCity — Pre-Auth Path Traversal Bypassing Authentication on Limited Admin Endpoints
⚠️ CVSS 3.1  7.3 / 10 — HIGH 🔴 CISA Known Exploited Vulnerability

What is JetBrains TeamCity?

JetBrains TeamCity is a widely adopted continuous integration and continuous delivery (CI/CD) server used by development teams across startups, enterprises, and government organizations to automate the build, test, and deployment pipeline for software. TeamCity On-Premises — the version affected by this CVE — is self-hosted and typically has elevated access to source code repositories, build artifacts, deployment credentials, cloud provider keys, and production environment configurations.

Compromising a TeamCity server gives an attacker full control over the software supply chain: they can inject malicious code into builds, steal signing keys and secrets, or pivot into every environment the CI/CD system touches — including production. This makes TeamCity a high-value target in supply chain attacks.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on April 20, 2026, with a remediation deadline of May 4, 2026. Federal civilian agencies are required to apply mitigations under BOD 22-01.

CVE-2024-27199 is a relative path traversal vulnerability (CWE-23) in the web component of JetBrains TeamCity On-Premises. By appending double-dot path segments (/../) to one of the path prefixes that TeamCity serves without authentication (such as /res/ or /update/), a remote unauthenticated attacker can reach a limited number of administrative JSP pages and servlet endpoints that were intended to require authentication. This enables information disclosure and modification of certain system settings without credentials.

This CVE was disclosed alongside CVE-2024-27198 (CVSS 9.8 — full authentication bypass enabling unauthenticated RCE), which saw immediate mass exploitation. While CVE-2024-27199 is less severe in isolation, it was used in tandem with CVE-2024-27198 in observed attacks and has independently been leveraged to leak configuration data and modify HTTPS certificates.

Affected Versions

Status       TeamCity On-Premises Version
Vulnerable   All versions prior to 2023.11.4
Fixed        2023.11.4 and later

TeamCity Cloud was not affected — only self-hosted On-Premises installations.

Technical Details

Several TeamCity URL paths are served without authentication checks, as they are intended for public resources, update packages, or ACME challenge responses:

  • /res/
  • /update/
  • /.well-known/acme-challenge/

The vulnerability arises from where the authentication filter makes its decision. It tests the raw request path against these exempt prefixes before any dot segments are resolved, so any path that begins with /res/, /update/ or /.well-known/acme-challenge/ is waved through. The path is then normalized downstream when the request is dispatched, so /res/../admin/diagnostic.jsp is actually served as /admin/diagnostic.jsp, an endpoint that would otherwise require a session. The authentication check is applied to one path and the resource is served from another.

Example exploit request:

GET /res/../admin/diagnostic.jsp HTTP/1.1
Host: teamcity.example.com

This request reaches the administrative diagnostics JSP page — which leaks server configuration, environment variables, and internal details — without any session cookie or authentication header.
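To make the filter behaviour concrete, the following is an added Python model (not TeamCity's own code, which is Java) of the two decisions involved: the pre-2023.11.4 prefix test on the raw request path, and the path the request is actually dispatched to once dot segments are resolved, beside a hardened check that decides on the resolved path and refuses to exempt anything that relies on traversal. The three prefixes are the ones listed above; percent-decoding before normalisation and the sample URIs are assumptions made for the demonstration.

```python
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Prefixes the advisory names as served without authentication.
AUTH_EXEMPT_PREFIXES = ("/res/", "/update/", "/.well-known/acme-challenge/")


def vulnerable_is_exempt(request_uri: str) -> bool:
    """Model of the pre-2023.11.4 check: a plain prefix test on the raw
    request path, performed before any '..' segments are resolved."""
    return urlsplit(request_uri).path.startswith(AUTH_EXEMPT_PREFIXES)


def dispatched_path(request_uri: str) -> str:
    """Where the request lands once dot segments are resolved.
    Percent-decoding before normalisation is a conservative modelling
    assumption here, not a statement about any particular container."""
    raw = unquote(urlsplit(request_uri).path)
    resolved = normpath(raw)  # "/res/../admin/x" -> "/admin/x", never above "/"
    if raw.endswith("/") and not resolved.endswith("/"):
        resolved += "/"  # normpath strips a trailing slash needed for prefix matching
    return resolved


def hardened_is_exempt(request_uri: str) -> bool:
    """Fixed decision: never exempt a request whose raw path carries a dot
    segment, and match prefixes only against the resolved path."""
    raw = unquote(urlsplit(request_uri).path)
    if any(segment in (".", "..") for segment in raw.split("/")):
        return False
    return dispatched_path(request_uri).startswith(AUTH_EXEMPT_PREFIXES)


def audit(request_uri: str) -> dict:
    """Summarise both filters' verdicts and the real target for one URI."""
    return {
        "uri": request_uri,
        "resolves_to": dispatched_path(request_uri),
        "vulnerable_filter_exempts": vulnerable_is_exempt(request_uri),
        "hardened_filter_exempts": hardened_is_exempt(request_uri),
    }


if __name__ == "__main__":
    # Constructed sample URIs: the advisory's request plus variants.
    for uri in (
        "/res/img/logo.png",                                     # legitimate static resource
        "/res/../admin/diagnostic.jsp",                          # the request shown above
        "/.well-known/acme-challenge/../../admin/diagnostic.jsp",
        "/update/..%2Fadmin/diagnostic.jsp",                     # percent-encoded variant
        "/admin/diagnostic.jsp",                                 # direct request: never exempt
    ):
        print(audit(uri))
```

When reproducing the raw request against a test instance, note that most HTTP clients collapse dot segments before sending; curl, for example, needs --path-as-is or the server only ever sees /admin/diagnostic.jsp and correctly demands authentication.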

Vulnerable endpoints reachable via this technique include:

  • JSP pages that leak server diagnostic information
  • Servlet endpoints that expose system settings and allow limited modifications, such as uploading a replacement (attacker-controlled) HTTPS certificate or changing the HTTPS port; the latter is why the CVSS vector carries an Availability impact

Attack characteristics:

  • Authentication required: None
  • Attack complexity: Low
  • Network-accessible: Yes
  • User interaction: None

Discovery

CVE-2024-27199 was discovered by Rapid7's vulnerability research team in February 2024. Rapid7 coordinated disclosure with JetBrains, allowing the vendor to prepare and release TeamCity 2023.11.4 on March 3, 2024 — one day before the coordinated public disclosure on March 4, 2024.

Exploitation Context

Within days of the March 4, 2024 disclosure, multiple public proof-of-concept exploits for CVE-2024-27198 (the more severe companion vulnerability) appeared on GitHub, triggering mass exploitation campaigns. CVE-2024-27199 was used in these campaigns both independently and chained with CVE-2024-27198.

Observed threat actor activity against unpatched TeamCity servers included:

  • Deployment of Jasmin ransomware (Trend Micro, March 2024)
  • Installation of Cobalt Strike beacons and remote access tools
  • Harvesting of credentials and secrets stored in TeamCity (VCS credentials, deployment tokens, password-type build parameters)
  • Creation of rogue admin accounts for persistence
  • Supply chain staging — injecting malicious build steps into CI/CD pipelines

TeamCity's access to deployment secrets makes these servers particularly attractive: an attacker who controls a CI/CD server can potentially compromise every application the organization deploys.

Remediation

CISA BOD 22-01 Deadline: May 4, 2026. Apply the patch immediately. Unpatched TeamCity instances should be treated as potentially compromised — audit for unauthorized admin accounts and pipeline modifications.
  1. Upgrade to TeamCity On-Premises 2023.11.4 or later. The patch is available via JetBrains' standard update channels. There are no workarounds that fully address this vulnerability.
  2. If immediate patching is not possible, restrict external network access to the TeamCity server. Place it behind a VPN or firewall so only authorized personnel can reach the web interface.
  3. Audit for indicators of compromise: review the admin account list for unauthorized additions, check build configurations for injected steps, and search access logs for request lines whose path starts with /res/, /update/ or /.well-known/acme-challenge/ and contains a dot segment (a literal /../ or a percent-encoded %2e%2e). Search the raw request line: a reverse proxy or log pipeline that normalizes URLs removes the traversal before the line is written, so review the proxy's own logs as well.
  4. Rotate all secrets stored in TeamCity: VCS credentials, deployment tokens, cloud provider keys, and any secrets configured in build parameters.
  5. Review build pipeline outputs for any builds that executed unexpectedly or that touched production environments during the vulnerability window.
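The log review in step 3 can be scripted. The following is an added Python example, not from the page or from JetBrains; it assumes the access log is in the common Apache/Tomcat combined format (adjust the line pattern to your own), and the log lines it scans are constructed for the demonstration. It flags requests that enter through one of the three unauthenticated prefixes and carry a literal or percent-encoded dot segment, reports where each resolves, and counts hits per client address.

```python
import re
from collections import Counter
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# The three prefixes the advisory lists as served without authentication.
EXEMPT_PREFIXES = ("/res/", "/update/", "/.well-known/acme-challenge/")

# A '..' segment, literal or percent-encoded, bounded by literal or encoded slashes.
DOT_SEGMENT = re.compile(r"(?:^|/|%2f)(?:\.\.|%2e%2e|\.%2e|%2e\.)(?:/|%2f|$)", re.IGNORECASE)

# Combined access-log layout (assumed): ip ident user [time] "method target proto" status ...
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines; not taken from any real incident.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Mar/2024:02:14:31 +0000] "GET /res/../admin/diagnostic.jsp HTTP/1.1" 200 48213 "-" "python-requests/2.31.0"
198.51.100.20 - - [05/Mar/2024:02:15:02 +0000] "GET /res/img/logo.png HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.20 - alice [05/Mar/2024:02:15:09 +0000] "GET /admin/diagnostic.jsp HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2024:02:16:40 +0000] "GET /.well-known/acme-challenge/..%2F..%2Fadmin/diagnostic.jsp HTTP/1.1" 404 0 "-" "curl/8.4.0"
192.0.2.55 - - [05/Mar/2024:02:20:11 +0000] "GET /update/../admin/diagnostic.jsp?x=1 HTTP/1.1" 200 48213 "-" "curl/8.4.0"
# a line in another format is skipped rather than misparsed
"""


def traversal_hits(log_text: str) -> list:
    """Return one record per request that enters via an exempt prefix and
    contains a dot segment, with the path it resolves to after normalisation."""
    hits = []
    for line in log_text.splitlines():
        match = LINE.match(line)
        if not match:
            continue
        path = urlsplit(match["target"]).path  # drop any query string
        if not path.startswith(EXEMPT_PREFIXES) or not DOT_SEGMENT.search(path):
            continue
        hits.append({
            "ip": match["ip"],
            "time": match["ts"],
            "method": match["method"],
            "raw_path": path,
            "resolves_to": normpath(unquote(path)),
            "status": int(match["status"]),
        })
    return hits


def hits_by_ip(hits: list) -> dict:
    """Count flagged requests per client address to prioritise triage."""
    return dict(Counter(hit["ip"] for hit in hits))


if __name__ == "__main__":
    found = traversal_hits(SAMPLE_LOG)
    for hit in found:
        print(f'{hit["time"]} {hit["ip"]} {hit["method"]} {hit["raw_path"]} -> {hit["resolves_to"]} ({hit["status"]})')
    print(hits_by_ip(found))
```

A direct, authenticated request to /admin/diagnostic.jsp is not flagged, which is correct: only the traversal form bypasses the filter. A flagged request that received a 404 still shows that someone probed the host for this bug and is worth correlating with the same address elsewhere.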

Key Details

Property                Value
CVE ID                  CVE-2024-27199
Vendor / Product        JetBrains — TeamCity
NVD Published           2024-03-04
NVD Last Modified       2026-04-21
CVSS 3.1 Score          7.3
CVSS 3.1 Vector         CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Severity                HIGH
CWE                     CWE-23 — Relative Path Traversal
CISA KEV Added          2026-04-20
CISA KEV Deadline       2026-05-04
Known Ransomware Use    ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        Low
Integrity              Low
Availability           Low

Required Action

CISA BOD 22-01 Deadline: 2026-05-04. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2024-02-01    Rapid7 vulnerability research team identifies CVE-2024-27198 and CVE-2024-27199 in TeamCity
2024-03-03    JetBrains releases TeamCity 2023.11.4, patching both vulnerabilities
2024-03-04    JetBrains and Rapid7 publish coordinated disclosure; CVE published on NVD
2024-03-06    Public proof-of-concept exploits for CVE-2024-27198 circulate widely on GitHub; mass exploitation begins
2024-03-19    Trend Micro reports exploitation leading to Jasmin ransomware deployment
2026-04-20    Added to CISA Known Exploited Vulnerabilities catalog
2026-05-04    CISA BOD 22-01 remediation deadline