CVE-2023-42793
published 2023-09-19

CVE-2023-42793: In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible

Priority: P1 (100) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2023-10-25
Exploited in the wild
EPSS: 99.98% (100.0th percentile)

Affected

1 range

Vendor     Product   Version range   Fixed in
jetbrains  teamcity  < 2023.05.4     2023.05.4

Detection & IOCs (extracted from sources)

Indicators:
  • other: krtbgt (admin account created by Andariel on breached servers)
  • other: ForestTiger malware (backdoor deployed by Lazarus/Diamond Sleet)
  • other: FeedLoad malware loader (DLL search order hijacking, installs RAT)
  • other: HazyLoad proxy tool (persistent C2 connection deployed by Andariel)
  • process: LSASS credential dumping

Detection guidance:
  • Monitor for unauthenticated authentication bypass attempts against TeamCity On-Premises servers (all versions prior to 2023.05.4); exploitation requires no user interaction and is low-complexity.
  • Hunt for coordinated scanning/exploitation traffic against internet-exposed TeamCity servers; GreyNoise observed attacks from at least 56 distinct IP addresses in concerted exploitation campaigns.
  • Alert on creation of new local admin accounts (especially 'krtbgt') on TeamCity servers post-exploitation, as used by Andariel for persistence.
  • Detect DLL search order hijacking on TeamCity server processes as an indicator of FeedLoad loader deployment leading to RAT installation.
  • Monitor for LSASS memory access/credential dumping activity on compromised TeamCity servers, used by both Lazarus and Andariel for lateral movement.
  • Watch for deployment of proxy tools (HazyLoad) establishing persistent outbound C2 connections from TeamCity servers, indicative of Andariel post-exploitation.
  • SVR/APT29 post-exploitation includes privilege escalation, lateral movement, and deployment of additional backdoors to establish long-term persistent access; monitor for anomalous C2 infrastructure originating from compromised software developer networks.
  • Assess risk of malicious code injection into build pipelines post-compromise; attackers with build process access can trojanize software releases affecting all downstream users.

Notes:
  • CVE-2023-42793 only affects TeamCity On-Premises installations (Windows, Linux, macOS, Docker); TeamCity Cloud was not impacted.
  • The fixed version is TeamCity 2023.05.4 (released September 21, 2023); organizations unable to upgrade immediately should use the dedicated security patch plugin for older versions.
  • Organizations that had not patched by September 29, 2023 should assume compromise and conduct incident response, as GreyNoise assessed high likelihood of breach by that date.
  • SVR assessed to still be in preparatory phase as of December 2023 advisory: not yet observed pivoting from compromised software developer networks to customer networks, but access enables hard-to-detect C2 infrastructure.

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck           9.8    CRITICAL
cisa                9.8    CRITICAL