Keypoints
- JetBrains patched two authentication bypass vulnerabilities affecting TeamCity On-Premises versions before 2023.11.4 (CVE-2024-27198 critical, CVE-2024-27199 high).
- CVE-2024-27198 allows unauthenticated attackers to craft URLs that bypass authentication checks; CVE-2024-27199 enables limited unauthenticated access via a path traversal issue.
- Exploitation attempts were observed on Cyble Global Sensor Intelligence (CGSI) starting March 5, 2024, using crafted URLs with query strings and path parameters to reach authenticated endpoints.
- Common abused paths include /res/, /update/, and /.well-known/acme-challenge/, which can be leveraged to reach endpoints like /app/https/settings/uploadCertificate and /app/rest/server.
- Cyble’s scans found 1,780 internet-exposed TeamCity instances, and underground forums showed compromised TeamCity access being sold.
- Mitigations: update to TeamCity 2023.11.4 (or use automatic update/security patch plugin), minimize internet exposure, monitor TeamCity logs, and perform regular audits and pentests.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Attackers bypass authentication by crafting URLs to access restricted endpoints (‘An unauthenticated attacker can craft a URL, bypassing authentication checks, which provides them with access to restricted endpoints.’)
- [T1210] Exploitation of Remote Services – Remote web component flaws are abused via alternative path issues and path traversal to reach authenticated server APIs (‘An authentication bypass vulnerability in the web component … stems from an alternative path issue.’)
- [T1068] Exploitation for Privilege Escalation – Exploitation of the bypass can lead to unauthorized modification of system configuration or disclosure of sensitive data (‘could potentially escalate privileges and gain unauthorized access to sensitive information or modify system configurations on the server.’)
- [T1071] Application Layer Protocol – HTTP query strings and path parameters are used to carry exploit payloads and reach target endpoints (‘an attacker is attempting to access an authenticated endpoint /app/rest/server by requesting a non-existent resource /hax, appending an HTTP query string ?jsp=/app/rest/server … and appending an HTTP path parameter segment ;.jsp.’)
- [T1588] Obtain Capabilities – Public proof-of-concept and exploit code were rapidly weaponized by threat actors after disclosure (‘Threat actors attempting to exploit vulnerabilities within 24-48 hours of its public disclosure indicates weaponizing publicly available proof-of-concepts, and exploits.’)
- [T1105] Ingress Tool Transfer – Compromised TeamCity access and tools are traded/sold in underground forums (‘vulnerabilities within TeamCity JetBrains have begun to show indications of exploitation and their compromised access sale by IABs in the underground.’)
- [T1199] Trusted Relationship – Compromise of CI/CD servers risks pivoting via trusted relationships to other internal systems (‘the exploitation of these vulnerabilities and the potential compromise of TeamCity servers could lead to further attacks that exploit trusted relationships between the CI/CD server and other systems’)
Indicators of Compromise
- [IP Address] Exploitation attempts observed – 143[.]198[.]150[.]42, 170[.]64[.]155[.]123, and 9 more items (other observed exploit source IPs).
- [CVE Identifier] Affected vulnerabilities – CVE-2024-27198, CVE-2024-27199.
- [HTTP paths/endpoints] Exploit request patterns and targeted endpoints – example exploit: /hax?jsp=/app/rest/server;.jsp; targeted endpoints include /app/https/settings/uploadCertificate and /app/rest/server, and other listed endpoints.
Two authentication bypass vulnerabilities were disclosed in TeamCity On-Premises (affecting versions before 2023.11.4): CVE-2024-27198 (alternative-path authentication bypass in the web component) and CVE-2024-27199 (path traversal allowing limited access to authenticated endpoints). Attackers can exploit several public paths—/res/, /update/, and /.well-known/acme-challenge/—to traverse into internal endpoints such as /app/availableRunners, /app/https/settings/uploadCertificate, /app/pipeline, and /app/oauth/space/createBuild.html; successful misuse can modify server configuration or disclose sensitive data.
Observed exploitation involves requesting non-existent resources combined with query strings and path-parameter tricks to make the server resolve internal endpoints. For example, CGSI captured requests for the non-existent resource /hax carrying the query string ?jsp=/app/rest/server with the path-parameter segment ;.jsp appended, so that the URI ends in .jsp and the server resolves the authenticated /app/rest/server endpoint. Public proof-of-concept code and rapid weaponization led to active exploitation beginning March 5, 2024, and underground postings indicate compromised access is being sold.
Mitigation steps: apply TeamCity 2023.11.4, or use the built-in automatic update/security patch plugin, immediately; restrict TeamCity’s network exposure (remove public access or segment it); monitor TeamCity logs (Windows: C:\TeamCity\logs, Linux: /opt/TeamCity/logs/) for suspicious requests matching the query-string/path-parameter patterns; and perform vulnerability scanning and penetration tests to confirm remediation. Monitor the listed IP indicators and related exploit patterns, and validate that the public-facing paths are properly secured or blocked.
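The log-monitoring step above and the request pattern described earlier (a `jsp=` query parameter plus a `;.jsp` path-parameter segment, or `..` traversal from /res/, /update/ or /.well-known/acme-challenge/) can be turned into a simple detection. The following is an added example, not code from the advisory or from JetBrains; the log lines are constructed samples in NCSA common log format, and the endpoint and prefix lists are taken from the paths named on this page.

```python
import re
from urllib.parse import unquote

# Authenticated endpoints named in the advisory that the bypasses were used to reach.
SENSITIVE_PREFIXES = ("/app/rest/", "/app/https/settings/", "/app/availableRunners",
                      "/app/pipeline", "/app/oauth/")
# Unauthenticated prefixes the advisory lists as traversal starting points (CVE-2024-27199).
TRAVERSAL_PREFIXES = ("/res/", "/update/", "/.well-known/acme-challenge/")

# Constructed sample lines in NCSA common log format (not real TeamCity logs).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Mar/2024:10:01:02 +0000] "GET /hax?jsp=/app/rest/server;.jsp HTTP/1.1" 200 512
203.0.113.11 - - [05/Mar/2024:10:01:05 +0000] "GET /res/../app/https/settings/uploadCertificate HTTP/1.1" 200 90
198.51.100.5 - - [05/Mar/2024:10:02:00 +0000] "GET /app/rest/server HTTP/1.1" 401 0
198.51.100.6 - - [05/Mar/2024:10:02:30 +0000] "GET /login.html HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify_request(uri):
    """Return the bypass patterns a raw request URI matches (empty list if none)."""
    reasons = []
    path, _, query = uri.partition("?")
    path = unquote(path)
    # CVE-2024-27198: a ';<param>' segment that makes the raw URI end in '.jsp'
    if ";" in uri and uri.rsplit(";", 1)[1].lower().endswith(".jsp"):
        reasons.append("path-parameter ;.jsp suffix")
    # ...combined with a jsp= query parameter naming an authenticated endpoint
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        target = unquote(value).split(";", 1)[0]
        if key == "jsp" and target.startswith(SENSITIVE_PREFIXES):
            reasons.append(f"jsp= forwards to {target}")
    # CVE-2024-27199: '..' traversal from an unauthenticated prefix into /app/
    if path.startswith(TRAVERSAL_PREFIXES) and ".." in path:
        reasons.append("path traversal from unauthenticated prefix")
    return reasons

def scan_log(text):
    """Return (client_ip, uri, status, reasons) for each line matching a bypass pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, uri, status = m.groups()
        reasons = classify_request(uri)
        if reasons:
            hits.append((ip, uri, int(status), reasons))
    return hits
```

A 200 response on a flagged line is the signal worth escalating; the same URI returning 401 or 404 after the 2023.11.4 upgrade confirms the patch is in place.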