CVE-2023-42793
Published: 2023-09-19
CVE-2023-42793: In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible
Priority: P1 (100) · Critical · CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2023-10-25
Exploited in the wild
EPSS: 99.98% (100.0th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jetbrains | teamcity | < 2023.05.4 | 2023.05.4 |
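The table gives a single cut-off, so fleet triage reduces to parsing whatever version string each server reports and comparing it with 2023.05.4. The script below is an added example, not JetBrains or NVD tooling; the inventory, hostnames and build numbers in it are constructed. It treats a missing patch component as 0 (so 2023.05 is below 2023.05.4), ignores the "(build N)" suffix, and puts anything it cannot parse in an "unknown" bucket rather than silently counting it as safe.

```python
"""Fleet triage for CVE-2023-42793 by TeamCity version string.

Added example (not from the advisory or JetBrains): given an inventory of
host -> reported TeamCity version, bucket each host as vulnerable, fixed or
unknown.  Everything below the first fixed release, 2023.05.4, is affected.
"""
import re
from typing import Dict, List, Optional, Tuple

# First release containing the fix, per the "Fixed in" column above.
FIXED_VERSION: Tuple[int, int, int] = (2023, 5, 4)

# TeamCity reports versions as "2023.05.3 (build 129390)", "2023.11" or,
# for old releases, "10.0.5"; the optional build suffix is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_teamcity_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) or None when the string is not a version.

    A missing patch component counts as 0, so "2023.05" < "2023.05.4".
    """
    m = _VERSION_RE.match(text)
    if m is None:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version predates 2023.05.4, False if at/after it,
    None if the string could not be parsed (never silently 'safe')."""
    parsed = parse_teamcity_version(version)
    if parsed is None:
        return None
    return parsed < FIXED_VERSION


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket hosts into vulnerable / fixed / unknown, preserving input order."""
    buckets: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, version in inventory.items():
        verdict = is_vulnerable(version)
        if verdict is None:
            buckets["unknown"].append(host)
        elif verdict:
            buckets["vulnerable"].append(host)
        else:
            buckets["fixed"].append(host)
    return buckets


# Constructed inventory for the demo; hostnames, versions and build
# numbers are made up and not taken from any real deployment.
SAMPLE_INVENTORY: Dict[str, str] = {
    "ci-a.example.test": "2023.05.3 (build 129390)",
    "ci-b.example.test": "2023.05.4 (build 129421)",
    "ci-c.example.test": "2023.05",
    "ci-d.example.test": "2022.10.3",
    "ci-e.example.test": "2023.11",
    "ci-f.example.test": "n/a",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:10s} {', '.join(hosts) or '-'}")
```

One caveat a version check cannot see: JetBrains also shipped a security patch plugin for older releases (noted in the IOC section below), and a server protected that way still reports its old version. Treat "vulnerable" here as "needs the plugin verified or the upgrade applied", not as proof of exposure.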
Detection & IOCs (extracted from sources)
Detection:
- Monitor for unauthenticated authentication bypass attempts against TeamCity On-Premises servers (all versions prior to 2023.05.4); exploitation requires no user interaction and is low-complexity.
- Hunt for coordinated scanning/exploitation traffic against internet-exposed TeamCity servers; GreyNoise observed attacks from at least 56 distinct IP addresses in concerted exploitation campaigns.
- Alert on creation of new local admin accounts (notably 'krtbgt') on TeamCity servers post-exploitation, as used by Andariel for persistence.
- Detect DLL search-order hijacking on TeamCity server processes as an indicator of FeedLoad loader deployment leading to RAT installation.
- Monitor for LSASS memory access/credential dumping on compromised TeamCity servers, used by both Lazarus and Andariel for lateral movement.
- Watch for deployment of proxy tools (HazyLoad) establishing persistent outbound C2 connections from TeamCity servers, indicative of Andariel post-exploitation.
- SVR/APT29 post-exploitation includes privilege escalation, lateral movement, and deployment of additional backdoors for long-term persistent access; monitor for anomalous C2 infrastructure originating from compromised software-developer networks.
- Assess the risk of malicious code injection into build pipelines post-compromise; attackers with build-process access can trojanize software releases affecting all downstream users.
Context:
- CVE-2023-42793 only affects TeamCity On-Premises installations (Windows, Linux, macOS, Docker); TeamCity Cloud was not impacted.
- The fixed version is TeamCity 2023.05.4 (released September 21, 2023); organizations unable to upgrade immediately should use the dedicated security patch plugin for older versions.
- Organizations that had not patched by September 29, 2023 should assume compromise and conduct incident response, as GreyNoise assessed a high likelihood of breach by that date.
- As of the December 2023 advisory, the SVR was assessed to still be in a preparatory phase: not yet observed pivoting from compromised software-developer networks to customer networks, but the access enables hard-to-detect C2 infrastructure.
CVSS provenance
- NVD: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
- CISA: 9.8 CRITICAL
GHSA
GHSA-w796-2gq9-7jm8
ghsa_unreviewed · 2023-09-19 · CVE-2023-42793 [CRITICAL] · CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible
VulnCheck
JetBrains TeamCity Authentication Bypass Vulnerability
vulncheck · 2023 · CVSS 9.8 · CVE-2023-42793 [CRITICAL] · CWE-288
JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server.
Affected: JetBrains TeamCity
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://x.com/PRODAFT/status/1708586257444430019
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-14&host_type=src&vulnerability
CISA
JetBrains TeamCity Authentication Bypass Vulnerability
cisa · 2023-10-04 · CVSS 9.8 · CVE-2023-42793 [CRITICAL] · CWE-288
Affected: JetBrains TeamCity
JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes:
- https://blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/
- https://nvd.nist.gov/vuln/detail/CVE-2023-42793
Remediation Due Date: 2023-10-25
Suricata
ET EXPLOIT JetBrains TeamCity Auth Bypass Successful Attempt (CVE-2023-42793)
suricata · 2023-10-05 · CVSS 9.8 · CVE-2023-42793 [CRITICAL]
Response-side rule (sid 2048461). It fires only on a flow where the request-side rule below has already set the ET.CVE-2023-42793 flowbit, and it keys on a <token name="…" creationTime="…" value="…"> element in the response body, i.e. the server actually handed out an access token.
Rule: alert http [$HTTP_SERVERS,$HOME_NET] any -> any any (msg:"ET EXPLOIT JetBrains TeamCity Auth Bypass Successful Attempt (CVE-2023-42793)"; flow:established,to_client; flowbits:isset,ET.CVE-2023-42793; http.response_body; content:"|3c|token|20|name|3d 22|"; fast_pattern; content:"creationTime|3d 22|"; content:"value|3d 22|"; reference:url,www.sonarsource.com/blog/teamcity-vulnerability/; reference:url,blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/; reference:url,attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis; reference:cve,2023-42793; classtype:successful-admin; sid:2048461; rev:1; metadata:affected_product JetBrains_TeamCi
Suricata
ET EXPLOIT JetBrains TeamCity Auth Bypass Attempt (CVE-2023-42793)
suricata · 2023-10-05 · CVSS 9.8 · CVE-2023-42793 [CRITICAL]
Request-side rule (sid 2048460). It matches a POST whose URI starts with /app/rest/users/id:, contains /tokens/ and ends with /RPC2, and sets the flowbit consumed by sid 2048461; on its own it only indicates an attempt.
Rule: alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT JetBrains TeamCity Auth Bypass Attempt (CVE-2023-42793)"; flow:established,to_server; flowbits:set,ET.CVE-2023-42793; http.method; content:"POST"; http.uri; content:"/app/rest/users/id|3a|"; startswith; fast_pattern; content:"/tokens/"; content:"/RPC2"; endswith; reference:url,www.sonarsource.com/blog/teamcity-vulnerability/; reference:url,blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/; reference:url,attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis; reference:cve,2023-42793; classtype:attempted-admin; sid:2048460; rev:1; metadata:affected_product JetBrains_TeamCity,
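The two signatures encode the whole bypass as a request/response pair, which is also what you want to replay over retained proxy or WAF records during the "assume compromise" review the Detection & IOCs section calls for. The detector below is an added example, not part of the Emerging Threats ruleset or any vendor tooling. It applies the same two patterns to a constructed list of HTTP transactions and, going one step beyond the signatures, remembers the token value returned by a successful response so that any later request presenting it as a Bearer credential is flagged too. The `HttpTx` record shape, the sample transactions and the token value are this example's own.

```python
"""Offline detector for CVE-2023-42793 exploitation traffic.

Added example, not part of the Emerging Threats ruleset or of any vendor
tooling.  It mirrors the two Suricata signatures above over a list of
reconstructed HTTP transactions (as a proxy or WAF log might give you):

  * attempt   - POST to /app/rest/users/id:<n>/tokens/.../RPC2
                (sid 2048460 keys on the trailing /RPC2 path component)
  * success   - the response to such a POST carries
                <token name="..." creationTime="..." value="..."> (sid 2048461)
  * token_use - any later request presenting a token minted that way as a
                Bearer credential; this correlation is an addition of this
                example, not something the signatures do.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Request shape from sid 2048460: startswith /app/rest/users/id:, contains
# /tokens/, endswith /RPC2.  A token-name segment between them is optional.
ATTEMPT_URI = re.compile(r"^/app/rest/users/id:\d+/tokens/.*RPC2$")

# Response shape from sid 2048461; TeamCity serialises the attributes in
# this order, and the value is the bearer token handed to the attacker.
TOKEN_ELEMENT = re.compile(
    r'<token\s+name="(?P<name>[^"]*)"\s+creationTime="[^"]*"\s+value="(?P<value>[^"]+)"'
)


@dataclass(frozen=True)
class HttpTx:
    """One request/response pair; the field names are this example's own."""
    method: str
    uri: str
    headers: Dict[str, str]
    status: int
    body: str = ""


@dataclass(frozen=True)
class Finding:
    kind: str      # "attempt", "success" or "token_use"
    uri: str
    detail: str = ""   # token name for success / token_use


def classify(transactions: List[HttpTx]) -> List[Finding]:
    findings: List[Finding] = []
    minted: Dict[str, str] = {}   # token value -> token name, from successes
    for tx in transactions:
        # Check token reuse before minting so one transaction cannot both
        # mint and "use" the same token.
        auth = tx.headers.get("Authorization", "")
        if auth.startswith("Bearer ") and auth[7:] in minted:
            findings.append(Finding("token_use", tx.uri, minted[auth[7:]]))
        if tx.method == "POST" and ATTEMPT_URI.match(tx.uri):
            findings.append(Finding("attempt", tx.uri))
            m = TOKEN_ELEMENT.search(tx.body)
            if tx.status == 200 and m:
                minted[m["value"]] = m["name"]
                findings.append(Finding("success", tx.uri, m["name"]))
    return findings


# Constructed transactions; the token value and timestamps are made up.
SAMPLE_TXS: List[HttpTx] = [
    HttpTx("GET", "/login.html", {}, 200, "<html>login</html>"),
    HttpTx("POST", "/app/rest/users/id:1/tokens/RPC2", {}, 200,
           '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           '<token name="RPC2" creationTime="2023-10-01T12:00:00.000+0000" '
           'value="eyJ0eXAiOiAiVENWMiJ9.example"/>'),
    HttpTx("GET", "/app/rest/server",
           {"Authorization": "Bearer eyJ0eXAiOiAiVENWMiJ9.example"}, 200,
           "<server/>"),
    HttpTx("POST", "/app/rest/users/id:1/tokens/RPC2", {}, 404, "Not found"),
]


def run_sample() -> List[Finding]:
    return classify(SAMPLE_TXS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:10s} {f.uri} {f.detail}")
```

Most access logs keep URIs but not response bodies, so in practice you will often only be able to reproduce the "attempt" half; that is still a strong signal, since the trailing /RPC2 the request rule keys on is what distinguishes this traffic from ordinary token management. Where bodies are available (full-packet capture, a reverse proxy configured to log them), the "success" and "token_use" findings tell you whether the attempt worked and what the minted token was subsequently used for.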
Exploit-DB
JetBrains TeamCity 2023.05.3 - Remote Code Execution (RCE)
exploitdb · 2024-03-14 · CVSS 9.8 · CVE-2023-42793 [CRITICAL]

```python
#- Exploit Title: JetBrains TeamCity 2023.05.3 - Remote Code Execution (RCE)
#- Shodan Dork: http.title:TeamCity , http.favicon.hash:-1944119648
#- Exploit Author: ByteHunter
#- Vendor: JetBrains
#- Email: [email protected]
#- Version: versions before 2023.05.4
#- Tested on: 2023.05.3
#- CVE : CVE-2023-42793
import requests
import argparse
import re
import random
import string
import subprocess

banner = """
*         CVE-2023-42793             *
*   TeamCity Admin Account Creation  *
*                                    *
*   Author: ByteHunter               *
"""
print(banner)

parser = argparse.ArgumentParser(description="CVE-2023-42793 - TeamCity JetBrains PoC")
parser.add_argument("-u", "--url", required=True, help="Target URL")
parser.add_argument("-v", "--verbose", action="store_true", help="Verbose output")
args = parser.parse_args()
# listing truncated here
```
Nuclei
JetBrains TeamCity < 2023.05.4 - Remote Code Execution
nuclei · CVSS 9.8 · CVE-2023-42793 [CRITICAL]
Template:

```yaml
id: CVE-2023-42793

info:
  name: JetBrains TeamCity < 2023.05.4 - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible
  impact: |
    Unauthenticated attackers can bypass authentication by creating admin tokens to gain full administrative access to TeamCity Server, potentially executing arbitrary code and compromising the entire CI/CD infrastructure and source code.
  remediation: |
    Update JetBrains TeamCity to version 2023.05.4 or later that properly validates authentication
# listing truncated here
```
Metasploit
JetBrains TeamCity Unauthenticated Remote Code Execution
metasploit
This module exploits an authentication bypass vulnerability to achieve unauthenticated remote code execution against a vulnerable JetBrains TeamCity server. All versions of TeamCity prior to version 2023.05.4 are vulnerable to this issue. The vulnerability was originally discovered by SonarSource.
Tenable
Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
blogs_tenable · 2026-05-27 · tagged CVE-2023-4966
Tenable Research has developed a graph-based model linking 600+ threat groups to real-world customer exposures. It reveals which vulnerabilities sit at the intersection of severity, active exploit
Wiz
What is APT29? | Wiz
blogs_wiz · 2026-02-12
## What is APT29?
APT29 is a Russian state-sponsored advanced persistent threat (APT) group attributed to Russia's Foreign Intelligence Service (SVR), conducting cyber espionage operations since at least 2008.
This group is widely assessed by Western intelligence agencies and private threat intelligence firms as a highly sophisticated nation-state threat that increasingly targets cloud environments, particularly identity systems and federated authentication infrastructure.
Unlike "smash and grab" cybercriminals, APT29 is characterized by extreme patience and operational discipline. They often maintain access to compromised networks for months or years (a concept known as dwell time) without triggering alarms.
While many threat actors focus on financial gain or disruption, APT29's prim
Greynoiseio
GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
blogs_greynoiseio · 2025-02-26 · CVSS 9.8 [CRITICAL]
Qualys
Defense Lessons From the Black Basta Ransomware Playbook
blogs_qualys · 2025-02-25
Table of Contents: Know Your Enemy's Playbook · Attackers Move Fast · How Qualys Can Help
The cybersecurity world was rocked last week by a massive leak of Black Basta’s internal communications that emerged from the group’s chat logs. Triggered by internal conflicts and a retaliatory data dump following attacks on Russian banks, the exposed records offer a rare glimpse into Black Basta’s tactics, operations, and leadership.
We’ve analyzed these newly unveiled tactics, and in this blog, we equip security teams with clear, actionable insights. We aim to highlight the key lessons learned—like immediate patching, tighter access controls, and rapid incident response—and provide an urgent call to action. This practical guide aims to help organizations strengthen their defenses against evolving
Bleepingcomputer
BadPilot network hacking campaign fuels Russian SandWorm attacks
blogs_bleepingcomputer · 2025-02-12
By Bill Toulas
A subgroup of the Russian state-sponsored hacking group APT44, also known as 'Seashell Blizzard' and 'Sandworm', has been targeting critical organizations and governments in a multi-year campaign dubbed 'BadPilot.'
The threat actor has been active since at least 2021 and is also responsible for breaching networks of organizations in energy, oil and gas, telecommunications, shipping, and arms manufacturing sectors.
Microsoft's Threat Intelligence team says that the actor is dedicated to achieving initial access to target systems, establishing persistence, and maintaining presence to allow other APT44 subgroups with post-compromise expertise to take over.
"We have also observed the initial access subgroup
Bleepingcomputer
FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023
blogs_bleepingcomputer · 2024-11-12 · CVSS 10.0 [CRITICAL]
By Sergiu Gatlan
The FBI, the NSA, and Five Eyes cybersecurity authorities have released a list of the top 15 routinely exploited vulnerabilities throughout last year, most of them first abused as zero-days.
A joint advisory published on Tuesday calls for organizations worldwide to immediately patch these security flaws and deploy patch management systems to minimize their networks' exposure to potential attacks.
"In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets," the cybersecurity agencies warned .
"In 2023, the majority of the most frequently exploited vulnerabilities
Greynoiseio
U.S. and UK Warn of Russian Cyber Threats: 9 of 12 GreyNoise-Tracked Vulnerabilities in the Advisory Are Being Probed Right Now
blogs_greynoiseio · 2024-10-17
Bleepingcomputer
US, UK warn of Russian APT29 hackers targeting Zimbra, TeamCity servers
blogs_bleepingcomputer · 2024-10-10 · CVSS 7.5 [HIGH]
By Sergiu Gatlan
U.S. and U.K. cyber agencies warned today that APT29 hackers linked to Russia's Foreign Intelligence Service (SVR) target vulnerable Zimbra and JetBrains TeamCity servers "at a mass scale."
A joint advisory issued by the NSA, the FBI, the U.S. Cyber Command's Cyber National Mission Force (CNMF), and the U.K.'s NCSC warns network defenders to patch exposed servers to block these ongoing attacks.
The four cyber agencies said the hacking group targets unpatched Zimbra and TeamCity servers exposed online "at a mass scale to target victims worldwide across a variety of sectors" using CVE-2022-27924 and CVE-2023-42793 exploits.
CVE-2022-27924 has been exploited since at least August 2022 to steal em
Tenable
CVE-2024-27198, CVE-2024-27199: Two Authentication Bypass Vulnerabilities in JetBrains TeamCity
blogs_tenable · 2024-03-06 · CVSS 9.8 [CRITICAL]
Bleepingcomputer
JetBrains warns of new TeamCity auth bypass vulnerability
blogs_bleepingcomputer · 2024-02-06 · CVSS 9.8 · CVE-2024-23917 [CRITICAL]
By Sergiu Gatlan
JetBrains urged customers today to patch their TeamCity On-Premises servers against a critical authentication bypass vulnerability that can let attackers take over vulnerable instances with admin privileges.
Tracked as CVE-2024-23917, this critical severity flaw impacts all versions of TeamCity On-Premises from 2017.1 through 2023.11.2 and can be exploited in remote code execution (RCE) attacks that don't require user interaction.
"We strongly advise all TeamCity On-Premises users to update their servers to 2023.11.3 to eliminate the vulnerability," JetBrains said.
"If your server is publicly accessible over the internet and you are unable to take one of the above mitigation steps immediately, we recommend
Wiz
Crying Out Cloud - January Newsletter | Wiz
blogs_wiz · 2024-01-01 · CVSS 8.8 · CVE-2023-26360 [HIGH]
This month we’ve seen several vulnerabilities and security incidents that have left users affected. We know you're busy too, so we've sifted through the noise to bring you the real game-changers.
Here are our top picks!
## 🐞 High Profile Vulnerabilities
Adobe ColdFusion RCE vulnerability exploited in-the-wild
CVE-2023-26360 is a critical vulnerability in Adobe ColdFusion that was published in March 2023. This vulnerability could allow an attacker to execute arbitrary code on the remote server in the context of the current user. On December 5, 2023, CISA announced that threat actors were actively exploiting this vulnerability in order to gain initial access to government-owned servers. Customers should update Adobe ColdFusion to the latest version.
According to Wiz data, less than 1% o
Fortinet
Bandook - A Persistent Threat That Keeps Evolving | FortiGuard Labs
blogs_fortinet · 2023-12-21
FortiGuard Labs Threat Research, by Pei Han Liao, December 21, 2023
Sections: Injector · Payload · GUM Control Code · ACG Control Code · C2 Communication · Conclusion · Fortinet Protections · IOCs (IPs, Files)
Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: Remote attackers gain control of the infected systems
Severity Level: Critical
Bandook malware is a remote access trojan that has been continuously developed since it was first detected in 2007. It has been used in various campaigns by different threat actors over the years. FortiGuard Labs identified a new Bandook variant being distributed via a PDF file this past October. This PDF file contains a shortened URL that downloads a password-protected .7z file. After the victim extra
Tenable
Cybersecurity Snapshot: Want to Deploy AI Securely? New Industry Group Will Compile AI Safety Best Practices
blogs_tenable · 2023-12-15
Bleepingcomputer
CISA: Russian hackers target TeamCity servers since September
blogs_bleepingcomputer · 2023-12-13 · CVSS 9.8 [CRITICAL]
By Sergiu Gatlan
CISA and partner cybersecurity agencies and intelligence services warned that the APT29 hacking group linked to Russia's Foreign Intelligence Service (SVR) has been targeting unpatched TeamCity servers in widespread attacks since September 2023.
APT29 is known for breaching several U.S. federal agencies following the SolarWinds supply-chain attack they orchestrated three years ago.
They also targeted the Microsoft 365 accounts of multiple entities within NATO countries as part of their efforts to access foreign policy-related information and were linked to a series of phishing campaigns aimed at governments, embassies, and high-ranking officials across Europe.
The TeamCity security flaw they're exploitin
Bleepingcomputer
North Korean hackers exploit critical TeamCity flaw to breach networks
blogs_bleepingcomputer · 2023-10-18 · CVSS 9.8 · CVE-2023-42793 [CRITICAL]
By Lawrence Abrams
While TeamCity quickly fixed the vulnerability, threat actors, such as ransomware gangs, began to exploit the flaw to breach corporate networks .
## North Korean hackers exploit TeamCity
In a new report, Microsoft's Threat intelligence team says that the Lazarus (aka Diamond Sleet and ZINC) and Andariel (aka Onyx Sleet and PLUTONIUM) hacking groups have been observed exploiting CVE-2023-42793 to breach TeamCity servers.
While Microsoft has not said the ultimate goal of these attacks, they believe it could be to conduct software supply chain attacks.
"In past operations, Diamond Sleet and other North Korean threat actors have successfully carried out software supply chain attacks by infiltrati
Microsoft
Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability
blogs_microsoft · 2023-10-18 · CVSS 9.8 [CRITICAL]
Research
October 18, 2023
As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised and provides them with the information they need to secure their environments.
## Who are Diamond Sleet and Onyx Sleet?
Diamond Sleet (ZINC) is a North Korean nation-state threat actor that prioritizes espionage, data theft, financial gain, and network destruction. The actor typically targets media, IT services, and defense-related entities around the world. Microsoft reported on Diamond Sleet’s targeting of security researchers in January 2021 and the actor’s weaponizing of open-source software in September 2022. In August 2023, Diamond Sleet conducted a software supply chain compromise of a German software provider.
Onyx Sleet (PL
Bleepingcomputer
Ransomware gangs now exploiting critical TeamCity RCE flaw
blogs_bleepingcomputer · 2023-10-02 · CVSS 9.8 · CVE-2023-42793 [CRITICAL]
By Sergiu Gatlan
Ransomware gangs are now targeting a recently patched critical vulnerability in JetBrains' TeamCity continuous integration and deployment server.
The flaw (tracked as CVE-2023-42793 and tagged with a 9.8/10 severity score) allows unauthenticated attackers to gain remote code execution (RCE) after successfully exploiting an authentication bypass weakness in low-complexity attacks that don't require user interaction.
Swiss security firm Sonar (whose researchers discovered and reported the vulnerability) published full technical details one week after JetBrains addressed the critical security issue with the release of TeamCity 2023.05.4 on September 21st.
JetBrains says the flaw impacts all TeamCity versions p
Greynoiseio
Storm Watch
blogs_greynoiseio
arXiv
ZeroDayBench: Evaluating LLM Agents on Unseen Zero-Day Vulnerabilities for Cyberdefense
arxiv_fulltext · 2026-03-02
## Abstract
Large language models (LLMs) are increasingly being deployed as software engineering agents that autonomously contribute to repositories. A major benefit these agents present is their ability to find and patch security vulnerabilities in the codebases they oversee. To estimate the capability of agents in this domain, we introduce ZeroDayBench, a benchmark where LLM agents find and patch 22 novel critical vulnerabilities in open-source codebases. We focus our efforts on three popular frontier agentic LLMs: GPT-5.2, Claude Sonnet 4.5, and Grok 4.1. We find that frontier LLMs are not yet capable of autonomously solving our tasks and observe some behavioral patterns that suggest how these models can be improved in the domain of proactive cyberdefense.
## Introduction
Large langu
arXiv
AEAS: Actionable Exploit Assessment System
arxiv_fulltext · 2025-09-22
Xiangmin Shen (Hofstra University), Wenyuan Cheng (Zhejiang University), Yan Chen (Northwestern University), Zhenyuan Li (Zhejiang University), Yuqiao Gu (Zhejiang University), Lingzhi Wang (Northwestern University), Wencheng Zhao (Ant Group), Dawei Sun (Ant Group), Jiashui Wang (Zhejiang University)
## Abstract
Security practitioners face growing challenges in exploit assessment, as public vulnerability repositories are increasingly populated with inconsistent and low-quality exploit artifacts. Existing scoring systems such as CVSS and EPSS offer limited support for this task. They either rely on theoretical metrics or produce opaque probability estimates without assessing whether usable exploit code exists. In practice, security teams often resort to manual triage of exploit repositories, which is time-consuming, error-prone, and diffic
arXiv
Efficacy of EPSS in High Severity CVEs found in KEV
arxiv_fulltext · 2024-11-04
## Abstract
The Exploit Prediction Scoring System (EPSS) is designed to assess the probability of a vulnerability being exploited in the next 30 days relative to other vulnerabilities. The latest version, based on a research paper published in arXiv , assists defenders in deciding which vulnerabilities to prioritize for remediation. This study evaluates EPSS's ability to predict exploitation before vulnerabilities are actively compromised, focusing on high severity CVEs that are known to have been exploited and included in the CISA KEV catalog. By analyzing EPSS score history, the availability and simplicity of exploits, the system's purpose, its value as a target for Threat Actors (TAs), this paper examines EPSS's potential and identifies ar
arXiv
AutoPT: How Far Are We from the End2End Automated Web Penetration Testing?
arxiv_fulltext · 2024-11-02
Benlong Wu, Kejiang Chen (corresponding author), Xiuwei Shang, Yanru He, Weiming Zhang and Nenghai Yu (University of Science and Technology of China, Hefei); Guoqiang Chen (QI-ANXIN Technology Research Institute, Beijing); Jiapeng Han (Chaitin Future Technology Co., Ltd, Hangzhou)
References
- http://packetstormsecurity.com/files/174860/JetBrains-TeamCity-Unauthenticated-Remote-Code-Execution.html
- https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793
- https://blog.jetbrains.com/teamcity/2023/09/cve-2023-42793-vulnerability-post-mortem/
- https://www.jetbrains.com/privacy-security/issues-fixed/
- https://www.rapid7.com/blog/post/2023/09/25/etr-cve-2023-42793-critical-authentication-bypass-in-jetbrains-teamcity-ci-cd-servers/
- https://www.securityweek.com/recently-patched-teamcity-vulnerability-exploited-to-hack-servers/
- https://www.sonarsource.com/blog/teamcity-vulnerability/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-42793
Timeline
- 2023-09-19: Published
- 2023-10-04: Added to CISA KEV
- Exploited in the wild