CVE-2024-27198
Published: 2024-03-04
CVE-2024-27198: In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible
Priority: P1 (100) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2024-03-28
Exploited in the wild
EPSS: 99.94% (100.0th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jetbrains | teamcity | < 2023.11.4 | 2023.11.4 |
Detection & IOCs (extracted from sources)
Paths:
- /res/../admin/diagnostic.jsp
- /.well-known/acme-challenge/../../admin/diagnostic.jsp
- /update/../admin/diagnostic.jsp
Nuclei template id: CVE-2024-27199 — matchers: status_code==200, contains(header,'text/html'), contains_all(body,'Debug Logging','CPU & Memory Usage')
- Look for unauthenticated GET requests to path-traversal variants of /admin/diagnostic.jsp (e.g. /res/../admin/diagnostic.jsp, /update/../admin/diagnostic.jsp, /.well-known/acme-challenge/../../admin/diagnostic.jsp) in TeamCity web server logs — these are the canonical exploit paths for CVE-2024-27198/CVE-2024-27199.
- Responses to exploit attempts return HTTP 200 with Content-Type text/html and a body containing both the 'Debug Logging' and 'CPU & Memory Usage' strings — alert on this combination from unauthenticated sessions.
- Exploitation of CVE-2024-27198 involves crafting a URL with specific parameters to call authenticated endpoints without authentication — monitor for anomalous unauthenticated requests to admin/API endpoints in TeamCity access logs.
- The root cause class is jetbrains.buildServer.controllers.BaseController — monitor for unexpected controller invocations or errors referencing this class in TeamCity application logs.
- Exploitation activity for CVE-2024-27198 was first observed around Mar 4th 22:00 UTC — use this timestamp as a baseline for retrospective log analysis on TeamCity servers.
- Use the Shodan query 'http.component:"TeamCity"' to identify internet-exposed TeamCity instances for asset discovery and attack surface reduction.
- CVE-2024-27199 bypass paths include /res/, /update/, and /app/https/settings/uploadCertificate — monitor unauthenticated access to these paths as indicators of exploitation.
- Note: TeamCity Cloud instances were automatically patched by JetBrains and are not affected; these indicators apply only to on-premises TeamCity installations running versions through 2023.11.3.
- Note: the Nuclei template provided targets CVE-2024-27199 (path traversal, CVSS 7.3) via /admin/diagnostic.jsp paths, not the more critical CVE-2024-27198 (CVSS 9.8) authentication bypass — ensure detection coverage addresses both CVEs separately.
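As an added worked example (not code from this page's sources, JetBrains, Emerging Threats or ProjectDiscovery), the following Python script applies the log-side checks listed above to a few constructed TeamCity access-log lines. It canonicalises percent-encoded and `..` path segments the way a servlet container would, so a request that only reaches /admin/diagnostic.jsp through traversal is recognised even when the `..` is URL-encoded; it flags unauthenticated requests that resolve to /admin/ or /app/rest/ paths; it mirrors the `jsp=/app/rest/` content chain of the ET "Vulnerability Check" signature (sid 2051505) as a regex; and it includes a response-side check equivalent to the quoted nuclei matchers. The combined log format, the RFC 5737 test addresses, the tag names and the `PRIVILEGED_PREFIXES` list are assumptions made for this example.

```python
"""Log-side triage for the CVE-2024-27198 / CVE-2024-27199 request shapes.
Added example; the log lines below are constructed, not captured from a real server."""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed combined-format access log (RFC 5737 test addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [04/Mar/2024:22:01:10 +0000] "GET /res/../admin/diagnostic.jsp HTTP/1.1" 200 5120
203.0.113.7 - - [04/Mar/2024:22:01:12 +0000] "GET /.well-known/acme-challenge/../../admin/diagnostic.jsp HTTP/1.1" 200 5120
198.51.100.4 - - [04/Mar/2024:22:03:30 +0000] "GET /update/..%2fadmin/diagnostic.jsp HTTP/1.1" 200 5120
198.51.100.4 - - [04/Mar/2024:22:05:02 +0000] "GET /x?jsp=/app/rest/server;.jsp HTTP/1.1" 200 233
192.0.2.9 - alice [04/Mar/2024:22:06:00 +0000] "GET /admin/diagnostic.jsp HTTP/1.1" 200 5120
192.0.2.9 - - [04/Mar/2024:22:07:00 +0000] "GET /res/img/logo.png HTTP/1.1" 200 1024
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Paths an unauthenticated session should never reach (assumed list for the example).
PRIVILEGED_PREFIXES = ("/admin/", "/app/rest/")
# Mirrors the content/pcre chain of ET sid 2051505: "jsp=/app/rest/" followed by
# users|server, a ";" within 40 bytes and ".jsp" within the next 30 bytes.
JSP_BYPASS_RE = re.compile(r"jsp=/app/rest/(?:users|server)[^;]{0,40};\S{0,30}\.jsp")


def canonical_path(raw_path: str) -> str:
    """Decode percent-encoding (twice, to catch %252e-style double encoding)
    and collapse '.' / '..' segments the way the servlet container would."""
    return posixpath.normpath(unquote(unquote(raw_path)))


def is_traversal_to_privileged(raw_path: str) -> bool:
    """True when the request reaches a privileged path only via '..' segments."""
    decoded = unquote(unquote(raw_path))
    return ".." in decoded.split("/") and canonical_path(raw_path).startswith(PRIVILEGED_PREFIXES)


def scan_log(text: str) -> list:
    """Return one finding per suspicious line, with the tags that matched."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than crash
        target = m.group("target")
        raw_path = urlsplit(target).path
        canon = canonical_path(raw_path)
        tags = []
        if is_traversal_to_privileged(raw_path):
            tags.append("CVE-2024-27199")
        if JSP_BYPASS_RE.search(unquote(target)):
            tags.append("CVE-2024-27198")
        if m.group("user") == "-" and canon.startswith(PRIVILEGED_PREFIXES):
            tags.append("unauth-privileged-path")
        if tags:
            findings.append({
                "client": m.group("client"), "method": m.group("method"),
                "target": target, "canonical": canon,
                "status": int(m.group("status")), "tags": tags,
            })
    return findings


def looks_like_diagnostic_page(status: int, content_type: str, body: str) -> bool:
    """Response-side check equivalent to the nuclei matchers quoted above."""
    return (status == 200 and "text/html" in content_type
            and "Debug Logging" in body and "CPU & Memory Usage" in body)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["client"], f["method"], f["target"], "->", f["canonical"], f["tags"])
```

On the constructed log the script reports the three traversal lines and the `jsp=` line and stays quiet for the authenticated user and the legitimate /res/ asset; the canonicalisation step is what keeps the encoded `..%2f` variant from slipping past a plain substring match on "/res/../".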
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
GHSA
GHSA-xh94-49wq-7h2h: In JetBrains TeamCity before 2023
ghsa_unreviewed·2024-03-04
CVE-2024-27198 [CRITICAL] CWE-288 GHSA-xh94-49wq-7h2h: In JetBrains TeamCity before 2023
In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible
VulnCheck
JetBrains TeamCity Authentication Bypass Vulnerability
vulncheck·2024·CVSS 9.8
CVE-2024-27198 [CRITICAL] CWE-288 JetBrains TeamCity Authentication Bypass Vulnerability
JetBrains TeamCity Authentication Bypass Vulnerability
JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions.
Affected: JetBrains TeamCity
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://attackerkb.com/topics/K3wddwP3IJ/cve-2024-27198#exploited-in-the-wild_e28f53e6-cf6f-4b91-89be-6cb19dfd4315; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-03-05&host_type=src&vulnerability=cve-2024-27198; https://twitter.com/Shadowserver/status/1764960110659478012; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-03-06&host_typ
VulnCheck
JetBrains TeamCity Authentication Bypass Vulnerability
vulncheck·2023·CVSS 9.8
CVE-2023-42793 [CRITICAL] CWE-288 JetBrains TeamCity Authentication Bypass Vulnerability
JetBrains TeamCity Authentication Bypass Vulnerability
JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server.
Affected: JetBrains TeamCity
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://x.com/PRODAFT/status/1708586257444430019; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-14&host_type=src&vulnerability
CISA
JetBrains TeamCity Relative Path Traversal Vulnerability
cisa·2026-04-20·CVSS 7.3
CVE-2024-27199 [HIGH] CWE-23 JetBrains TeamCity Relative Path Traversal Vulnerability
Vulnerability: JetBrains TeamCity Relative Path Traversal Vulnerability
Affected: JetBrains TeamCity
JetBrains TeamCity contains a relative path traversal vulnerability that could allow limited admin actions to be performed.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.jetbrains.com/privacy-security/issues-fixed/ ; https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/ ; https://nvd.nist.gov/vuln/detail/CVE-2024-27199
Remediation Due Date: 2026-05-04
CISA
JetBrains TeamCity Authentication Bypass Vulnerability
cisa·2024-03-07·CVSS 9.8
CVE-2024-27198 [CRITICAL] CWE-288 JetBrains TeamCity Authentication Bypass Vulnerability
Vulnerability: JetBrains TeamCity Authentication Bypass Vulnerability
Affected: JetBrains TeamCity
JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.jetbrains.com/help/teamcity/teamcity-2023-11-4-release-notes.html; https://nvd.nist.gov/vuln/detail/CVE-2024-27198
Remediation Due Date: 2024-03-28
Suricata
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Auth Token Creation Attempt
suricata·2024-03-06·CVSS 9.8
CVE-2024-27198 [CRITICAL] ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Auth Token Creation Attempt
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Auth Token Creation Attempt
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Auth Token Creation Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"jsp|3d|/app/rest/users/id|3a|"; fast_pattern; content:"/tokens/"; within:12; content:"|3b|"; within:30; content:".jsp"; within:30; reference:cve,2024-27198; reference:url,www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/; classtype:attempted-admin; sid:2051507; rev:2; metadata:affected_product JetBrains_TeamCity, created_at 2024_03_06, cve
Suricata
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M2
suricata·2024-03-06·CVSS 7.3
CVE-2024-27199 [HIGH] ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M2
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M2
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M2"; flow:established,to_server; http.method; pcre:"/^(GE|POS)T$/"; http.uri; pcre:"/^\x2f(res|update|\x2ewell-known\x2facme-challenge)\x2f/"; content:"|2e 2e|"; content:"/app/https/settings/"; fast_pattern; distance:0; reference:cve,2024-27199; reference:url,www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/; classtype:bad-unknown; sid:2051510; rev:2; metadata:affected_product JetBrains_TeamCity, created_at 2024_03_06, cve CVE_2024_27199, deployment Perimeter, deployment I
Suricata
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Vulnerability Check
suricata·2024-03-06·CVSS 9.8
CVE-2024-27198 [CRITICAL] ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Vulnerability Check
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Vulnerability Check
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Vulnerability Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"jsp|3d|/app/rest/"; fast_pattern; pcre:"/^(users|server)/R"; content:"|3b|"; within:40; content:".jsp"; within:30; reference:cve,2024-27198; reference:url,www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/; classtype:attempted-recon; sid:2051505; rev:2; metadata:affected_product JetBrains_TeamCity, created_at 2024_03_06, cve CVE_2024_27198, deployment Perime
Suricata
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M3
suricata·2024-03-06·CVSS 7.3
CVE-2024-27199 [HIGH] ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M3
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M3
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M3"; flow:established,to_server; http.method; pcre:"/^(GE|POS)T$/"; http.uri; pcre:"/^\x2f(res|update|\x2ewell-known\x2facme-challenge)\x2f/"; content:"|2e 2e|"; content:"/app/pipeline"; fast_pattern; distance:0; reference:cve,2024-27199; reference:url,www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/; classtype:bad-unknown; sid:2051511; rev:2; metadata:affected_product JetBrains_TeamCity, created_at 2024_03_06, cve CVE_2024_27199, deployment Perimeter, deployment Internal
Suricata
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) - Vulnerability Check
suricata·2024-03-06·CVSS 7.3
CVE-2024-27199 [HIGH] ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) - Vulnerability Check
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) - Vulnerability Check
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) - Vulnerability Check"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\x2f(res|update|\x2ewell-known\x2facme-challenge)\x2f/"; content:"|2e 2e|"; content:"/admin/diagnostic.jsp"; fast_pattern; endswith; reference:cve,2024-27199; reference:url,www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/; classtype:attempted-recon; sid:2051508; rev:2; metadata:affected_product JetBrains_TeamCity, created_at 2024_03_06, cve CVE_2024_27199,
Suricata
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M1
suricata·2024-03-06·CVSS 7.3
CVE-2024-27199 [HIGH] ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M1
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M1
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M1"; flow:established,to_server; http.method; pcre:"/^(GE|POS)T$/"; http.uri; pcre:"/^\x2f(res|update|\x2ewell-known\x2facme-challenge)\x2f/"; content:"|2e 2e|"; content:"/app/availableRunners"; fast_pattern; distance:0; reference:cve,2024-27199; reference:url,www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/; classtype:bad-unknown; sid:2051509; rev:2; metadata:affected_product JetBrains_TeamCity, created_at 2024_03_06, cve CVE_2024_27199, deployment Perimeter, deployment
Suricata
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M4
suricata·2024-03-06·CVSS 7.3
CVE-2024-27199 [HIGH] ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M4
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M4
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M4"; flow:established,to_server; http.method; pcre:"/^(GE|POS)T$/"; http.uri; pcre:"/^\x2f(res|update|\x2ewell-known\x2facme-challenge)\x2f/"; content:"|2e 2e|"; content:"/app/oauth/space/createBuild.html"; endswith; fast_pattern; reference:cve,2024-27199; reference:url,www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/; classtype:bad-unknown; sid:2051512; rev:2; metadata:affected_product JetBrains_TeamCity, created_at 2024_03_06, cve CVE_2024_27199, deployment Perimeter, d
Suricata
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Admin User Creation Attempt
suricata·2024-03-06·CVSS 9.8
CVE-2024-27198 [CRITICAL] ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Admin User Creation Attempt
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Admin User Creation Attempt
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Admin User Creation Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"jsp|3d|/app/rest/users"; fast_pattern; content:".jsp"; within:30; http.request_body; content:"|7b|"; startswith; content:"|22|username|22 3a 20 22|"; content:"|22|password|22 3a 20 22|"; content:"|5b 7b 22|roleId|22 3a 20 22|SYSTEM_ADMIN"; reference:cve,2024-27198; reference:url,www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fix
Exploit-DB
JetBrains TeamCity 2023.11.4 - Authentication Bypass
exploitdb·2025-08-11·CVSS 9.8
CVE-2024-27198 [CRITICAL] JetBrains TeamCity 2023.11.4 - Authentication Bypass
JetBrains TeamCity 2023.11.4 - Authentication Bypass
---
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
# Exploit Title: JetBrains TeamCity 2023.11.4 - Authentication Bypass
# Date: 2024-02-21
# Exploit Author: ibrahimsql (https://github.com/ibrahimsql)
# Vendor Homepage: https://www.jetbrains.com/teamcity/
# Version: =2.25.1
"""
import requests
import argparse
import sys
import json
from urllib.parse import urlparse
requests.packages.urllib3.disable_warnings()
class Colors:
    RED = '\033[91m'
    GREEN = '\033[92m'
    YELLOW = '\033[93m'
    BLUE = '\033[94m'
    CYAN = '\033[96m'
    BOLD = '\033[1m'
    END = '\033[0m'
banner = f"""{Colors.CYAN}
████████╗███████╗ █████╗ ███╗ ███╗ ██████╗██╗████████╗██╗ ██╗
╚══██╔══╝██╔════╝██╔══██╗████╗ ████║██╔════╝██║╚══██╔══╝╚██╗ ██╔╝
██║ █████╗ ███████║██╔████╔██║
Nuclei
TeamCity < 2023.11.4 - Authentication Bypass
nuclei·CVSS 7.3
CVE-2024-27199 [HIGH] TeamCity < 2023.11.4 - Authentication Bypass
TeamCity < 2023.11.4 - Authentication Bypass
In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible
Template:
id: CVE-2024-27199
info:
  name: TeamCity < 2023.11.4 - Authentication Bypass
  author: DhiyaneshDk
  severity: high
  description: |
    In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible
  impact: |
    Unauthenticated attackers can perform limited administrative actions on TeamCity servers via path traversal, potentially accessing sensitive build information.
  remediation: |
    Update JetBrains TeamCity to version 2023.11.4 or later.
  reference:
    - https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabil
Metasploit
JetBrains TeamCity Unauthenticated Remote Code Execution
metasploit
JetBrains TeamCity Unauthenticated Remote Code Execution
JetBrains TeamCity Unauthenticated Remote Code Execution
This module exploits an authentication bypass vulnerability in JetBrains TeamCity. An unauthenticated attacker can leverage this to access the REST API and create a new administrator access token. This token can be used to upload a plugin which contains a Metasploit payload, allowing the attacker to achieve unauthenticated RCE on the target TeamCity server. On older versions of TeamCity, access tokens do not exist so the exploit will instead create a new administrator account before uploading a plugin. Older version of TeamCity have a debug endpoint (/app/rest/debug/process) that allows for arbitrary commands to be executed, however recent version of TeamCity no longer ship this endpoint, hence why a plugin is leveraged for code exe
Nuclei
TeamCity < 2023.11.4 - Authentication Bypass
nuclei·CVSS 9.8
CVE-2024-27198 [CRITICAL] TeamCity < 2023.11.4 - Authentication Bypass
TeamCity < 2023.11.4 - Authentication Bypass
In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible
Template:
id: CVE-2024-27198
info:
  name: TeamCity < 2023.11.4 - Authentication Bypass
  author: DhiyaneshDk
  severity: critical
  description: |
    In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible
  impact: |
    Unauthenticated attackers can bypass authentication to perform administrative actions on TeamCity servers, potentially compromising build pipelines and source code.
  remediation: |
    Update JetBrains TeamCity to version 2023.11.4 or later.
  reference:
    - https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vul
Hackernews
CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines
blogs_hackernews·2026-04-21·CVSS 7.5
CVE-2023-27351 [HIGH] CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines
## CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including three flaws impacting Cisco Catalyst SD-WAN Manager, citing evidence of active exploitation.
The list of vulnerabilities is as follows -
CVE-2023-27351 (CVSS score: 8.2) - An improper authentication vulnerability in PaperCut NG/MF that could allow an attacker to bypass authentication on affected installations via the SecurityRequestFilter class.
CVE-2024-27199 (CVSS score: 7.3) -
Hackernews
China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
blogs_hackernews·2026-04-07·CVSS 8.8
[HIGH] China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
## China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
A China-based threat actor known for deploying Medusa ransomware has been linked to the weaponization of a combination of zero-day and N-day vulnerabilities to orchestrate "high-velocity" attacks and break into susceptible internet-facing systems.
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, the United Kingdom, and
Bleepingcomputer
Microsoft links Medusa ransomware affiliate to zero-day attacks
blogs_bleepingcomputer·2026-04-06·CVSS 8.8
[HIGH] Microsoft links Medusa ransomware affiliate to zero-day attacks
## Microsoft links Medusa ransomware affiliate to zero-day attacks
## Sergiu Gatlan
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States."
Microsoft has also observed Storm-1175 operators chaining multiple exploits to gain persistence on compromised systems by creating new user accounts, deploying remote monitoring and management software, stealing credentials, and disabling security software before dropping ransomware payloads.
In October, Microsoft reported that Storm-1175 had been exploiting a maximum-severity GoAnywhere MFT
Trendmicro
Earth Lamia Develops Custom Arsenal to Target Multiple Industries
blogs_trendmicro·2025-05-27
Earth Lamia Develops Custom Arsenal to Target Multiple Industries
APT & Targeted Attacks
# Earth Lamia Develops Custom Arsenal to Target Multiple Industries
Trend™ Research has been tracking an active APT threat actor named Earth Lamia, targeting multiple industries in Brazil, India and Southeast Asia countries at least since 2023. The threat actor primarily exploits vulnerabilities in web applications to gain access to targeted organizations.
By: Joseph C Chen
2025/05/27
Summary
- Trend Research has identified Earth Lamia as an APT threat actor that exploits vulnerabilities in web applications to gain access to organizations, using various techniques for data exfiltration.
- Earth Lamia develops and customizes hacking tools to evade detection, such as PULSEPACK and BypassBoss.
- Earth Lamia has primarily targeted
Greynoiseio
GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
blogs_greynoiseio·2025-02-26·CVSS 9.8
[CRITICAL] GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
Qualys
Defense Lessons From the Black Basta Ransomware Playbook
blogs_qualys·2025-02-25
Defense Lessons From the Black Basta Ransomware Playbook
## Table of Contents
Know Your Enemy's Playbook
Attackers Move Fast
How Qualys Can Help
The cybersecurity world was rocked last week by a massive leak of Black Basta’s internal communications that emerged from the group’s chat logs. Triggered by internal conflicts and a retaliatory data dump following attacks on Russian banks, the exposed records offer a rare glimpse into Black Basta’s tactics, operations, and leadership.
We’ve analyzed these newly unveiled tactics, and in this blog, we equip security teams with clear, actionable insights. We aim to highlight the key lessons learned—like immediate patching, tighter access controls, and rapid incident response—and provide an urgent call to action. This practical guide aims to help organizations strengthen their defenses against evolving
Unit42
Ransomware Review: First Half of 2024
blogs_unit42·2024-08-09·CVSS 9.1
CVE-2018-13379 [CRITICAL] Ransomware Review: First Half of 2024
## Ransomware Review: First Half of 2024
Amanda Tanner
Kristopher Bleich
Published: August 9, 2024
Unit42
Ransomware Review: First Half of 2024
blogs_unit42·2024-08-09
Ransomware Review: First Half of 2024
## Executive Summary
Unit 42 monitors ransomware and extortion leak sites closely to keep tabs on threat activity. We reviewed compromise announcements from 53 dedicated leak sites in the first half of 2024 and found 1,762 new posts. This averages to approximately 294 posts a month and almost 68 posts a week. Of the 53 ransomware groups whose leak sites we monitored, six of the groups accounted for more than half of the compromises observed.
In February, we reported a 49% increase year-over-year in alleged victims posted on ransomware leak sites. So far, in 2024, comparing the first half of 2023 to the first half of 2024, we see an even further increase of 4.3%. The higher level of activity observed in 2023 was no fluke.
Activity from groups like Ambitious Scorpius (distributors of Blac
Securelist
Exploits and vulnerabilities in Q1 2024
blogs_securelist·2024-05-07·CVSS 7.8
CVE-2024-3094 [HIGH] Exploits and vulnerabilities in Q1 2024
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Public exploit statistics
Most prevalent exploits
Vulnerability exploitation in APT attacks
Notable Q1 2024 vulnerabilities
CVE-2024-3094 (XZ)
CVE-2024-20656 (Visual Studio)
CVE-2024-21626 (runc)
CVE-2024-1708 (ScreenConnect)
CVE-2024-21412 (Windows Defender)
CVE-2024-27198 (TeamCity)
CVE-2023-38831 (WinRAR)
Conclusions and advice
Authors
Alexander Kolesnikov
Vitaly Morgunov
We at Kaspersky continuously monitor the evolving cyberthreat landscape to ensure we respond promptly to emerging threats, equipping our products with detection logic and technology. Software vulnerabilities that threat actors can exploit or are already actively exploiting a
Securelist
Analyzing the vulnerability landscape in Q1 2024
blogs_securelist·2024-05-07
Analyzing the vulnerability landscape in Q1 2024
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- Notable Q1 2024 vulnerabilities
- Conclusions and advice
Authors
- Alexander Kolesnikov
- Vitaly Morgunov
We at Kaspersky continuously monitor the evolving cyberthreat landscape to ensure we respond promptly to emerging threats, equipping our products with detection logic and technology. Software vulnerabilities that threat actors can exploit or are already actively exploiting are a critical component of that landscape. In this report, we present a series of insightful statistical and analytical snapshots relating to the trends in the emergence of new vulnerabilities and exploits, as well as the most prevalent vulnerabilities being used by attackers. Add
Checkpoint
11th March – Threat Intelligence Report
blogs_checkpoint·2024-03-11·CVSS 8.2
CVE-2023-46805 [HIGH] 11th March – Threat Intelligence Report
## 11th March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 11th March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Cybersecurity and Infrastructure Security Agency (CISA) has taken offline two systems following a breach that occurred as a result of the recent vulnerabilities exploitation in Ivanti products. The affected systems potentially include the Infrastructure Protection Gateway and the Chemical Security Assessment Tool, holding sen
Bleepingcomputer
Critical TeamCity flaw now widely exploited to create admin accounts
blogs_bleepingcomputer·2024-03-06·CVSS 9.8
CVE-2024-27198 [CRITICAL] Critical TeamCity flaw now widely exploited to create admin accounts
## Critical TeamCity flaw now widely exploited to create admin accounts
## Ionut Ilascu
Hackers have started to exploit the critical-severity authentication bypass vulnerability (CVE-2024-27198) in TeamCity On-Premises, which JetBrains addressed in an update on Monday.
Exploitation appears to be massive, with hundreds of new users created on unpatched instances of TeamCity exposed on the public web.
## Risk of supply-chain attacks
LeakIX, a search engine for exposed device misconfigurations and vulnerabilities, told BleepingComputer that a little over 1,700 TeamCity servers have yet to receive the fix.
Most of the vulnerable hosts indexed by LeakIX are in Germany, the United States, and Russia, followed at a distance by China, the Netherlands, and France.
Of these, the platform ind
Wiz
TeamCity Authentication Bypass Vulnerabilities: An Analysis | Wiz Blog
blogs_wiz·2024-03-06·CVSS 9.8
CVE-2024-27198 [CRITICAL] TeamCity Authentication Bypass Vulnerabilities: An Analysis | Wiz Blog
On March 4, 2024, JetBrains released a patch for two critical and high severity authentication bypass vulnerabilities — CVE-2024-27198 (CVSS score: 9.8) and CVE-2024-27199 (CVSS score: 7.3). Each of these vulnerabilities may enable an unauthenticated attacker who has HTTP(s) access to a TeamCity server to bypass authentication checks and gain administrative control of the server. Exploitation attempts have been observed in the wild; it is highly recommended to upgrade TeamCity to the patched version or apply the “security patch” plugin as a workaround.
## March 10, 2024 update:
On March 7, 2024, CVE-2024-27198 was added to the CISA Known Exploited Vulnerabilities catalog based on evidence of active exploitation.
## What is CVE-2024-27198?
jetbrains.buildServer.controllers.BaseControlle
Tenable
CVE-2024-27198, CVE-2024-27199: Two Authentication Bypass Vulnerabilities in JetBrains TeamCity
blogs_tenable·2024-03-06·CVSS 9.8
[CRITICAL] CVE-2024-27198, CVE-2024-27199: Two Authentication Bypass Vulnerabilities in JetBrains TeamCity
Bleepingcomputer
Exploit available for new critical TeamCity auth bypass bug, patch now
blogs_bleepingcomputer·2024-03-04·CVSS 9.8
CVE-2024-27198 [CRITICAL] Exploit available for new critical TeamCity auth bypass bug, patch now
## Exploit available for new critical TeamCity auth bypass bug, patch now
## Ionut Ilascu
A critical vulnerability (CVE-2024-27198) in the TeamCity On-Premises CI/CD solution from JetBrains can let a remote unauthenticated attacker take control of the server with administrative permissions.
Since full technical details to create an exploit are available, administrators are strongly recommended to prioritize addressing the issue by updating to the latest version of the product or installing a security patch plugin from the vendor.
JetBrains released a new version of the product, which includes a fix for a second, less severe security issue (CVE-2024-27199) that allows modifying a limited number of system settings without the need to authenticate.
Both issues are in the web component of
Greynoiseio
The Patches & Perils Of Coordinated Vulnerability Disclosure
blogs_greynoiseio·CVSS 9.8
[CRITICAL] The Patches & Perils Of Coordinated Vulnerability Disclosure
Greynoiseio
NoiseLetter March 2024
blogs_greynoiseio
NoiseLetter March 2024
arXiv
ZeroDayBench: Evaluating LLM Agents on Unseen Zero-Day Vulnerabilities for Cyberdefense
arxiv_fulltext·2026-03-02
ZeroDayBench: Evaluating LLM Agents on Unseen Zero-Day Vulnerabilities for Cyberdefense
## Abstract
Large language models (LLMs) are increasingly being deployed as software engineering agents that autonomously contribute to repositories. A major benefit these agents present is their ability to find and patch security vulnerabilities in the codebases they oversee. To estimate the capability of agents in this domain, we introduce ZeroDayBench, a benchmark where LLM agents find and patch 22 novel critical vulnerabilities in open-source codebases. We focus our efforts on three popular frontier agentic LLMs: GPT-5.2, Claude Sonnet 4.5, and Grok 4.1. We find that frontier LLMs are not yet capable of autonomously solving our tasks and observe some behavioral patterns that suggest how these models can be improved in the domain of proactive cyberdefense.
## Introduction
Large langu
CTF
README
ctf_writeups
README
# CTF Writeups
Welcome to my CTF Writeups repository! Here, I document the solutions and methodologies used to solve various Capture The Flag (CTF) challenges. This repository is intended to serve as a learning resource for others interested in cybersecurity and CTF competitions.
Capture The Flag (CTF) competitions are a popular way to practice and improve cybersecurity skills. These competitions present various challenges that require problem-solving, creativity, and technical knowledge.
## Writeups
The writeups in this repository (located in the "writeups" folder) are categorised based on the nature of the challenge. Each writeup provides step-by-step solutions, along with explanations of the tools and techniques used. The difficulty rating associated with each challenge matches the dif
https://www.darkreading.com/cyberattacks-data-breaches/jetbrains-teamcity-mass-exploitation-underway-rogue-accounts-thrive
https://www.jetbrains.com/privacy-security/issues-fixed/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27198
2024-03-04
Published
2024-03-07
Added to CISA KEV
Exploited in the wild