TeamCity path traversal exploited in the wild (CVE-2024-27199)

Actively exploited in the wild - CVE-2024-27199 is a high path traversal in JetBrains TeamCity versions before 2023.11.4 that lets unauthenticated attackers bypass authentication and perform limited administrative actions. Upgrade to version 2023.11.4 immediately to block exploitation.

Overview

A critical path traversal vulnerability, CVE-2024-27199, affects JetBrains TeamCity CI/CD servers. This flaw allows an unauthenticated, network-based attacker to bypass authentication and perform a limited set of administrative actions. The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed this vulnerability is being actively exploited in the wild, and its high EPSS score indicates an 82.5% probability of exploitation within the next 30 days.

Vulnerability Details

In TeamCity versions before 2023.11.4, improper path validation allows an attacker to craft a specific HTTP request to access administrative endpoints without requiring valid credentials. While the attacker’s actions are limited to specific administrative functions and do not grant full administrator control, the potential impact remains severe.

Impact

An attacker exploiting this vulnerability can perform actions that compromise the integrity and security of the TeamCity server. This could include modifying server settings, interfering with build processes, or potentially using the server as a foothold to attack other internal systems. Given TeamCity’s central role in software development and deployment, a compromise can lead to supply chain attacks, data theft, or the deployment of malicious code.

Affected Versions

All TeamCity On-Premises versions prior to 2023.11.4 are affected. TeamCity Cloud instances have already been patched by JetBrains.

Remediation and Mitigation

The primary and immediate action is to upgrade your TeamCity server to version 2023.11.4 or later. JetBrains has released patches that address this vulnerability.

If immediate patching is not possible, you should implement strict network access controls. Restrict access to the TeamCity server’s web interface (by default, port 8111) to only trusted IP addresses, such as those from your corporate network or VPN. Monitor your TeamCity server logs for any suspicious access attempts, particularly from unexpected source IPs. For the latest breach tactics, you can review recent breach reports.

Security Insight

This vulnerability is part of a concerning trend where CI/CD platforms are being aggressively targeted by threat actors. Similar to the widespread exploitation of vulnerabilities in Jenkins and GitLab, attacks on TeamCity aim to hijack the software supply chain. The rapid weaponization of this flaw underscores that build systems are now considered high-value, perimeter assets that require vigilant patching and robust segmentation from core production networks. Stay informed on such threats by following security news.

Further Reading

• All High Vulnerabilities
• Recent Critical Vulnerabilities
• Top Critical CVEs