CVE-2024-27199
published 2024-03-04CVE-2024-27199: In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible
PriorityP192high7.3CVSS 3.1
AVNACLPRNUINSUCLILAL
KEVITWEXPLOITRansomwareInitial access
CISA Known Exploited Vulnerabilitydue 2026-05-04
Exploited in the wild
EPSS
99.99%
100.0th percentile
In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jetbrains | teamcity | < 2023.11.4 | 2023.11.4 |
Detection & IOCsextracted from sources · hover to see the quote
yara↗
nuclei template CVE-2024-27199: GET paths /res/../admin/diagnostic.jsp, /.well-known/acme-challenge/../../admin/diagnostic.jsp, /update/../admin/diagnostic.jsp; match: status_code==200, header contains text/html, body contains_all 'Debug Logging','CPU & Memory Usage'
- →CVE-2024-27199 exploits path traversal via unauthenticated GET requests to paths prefixed with /res/, /update/, or /.well-known/acme-challenge/ to reach /admin/diagnostic.jsp. Detect HTTP 200 responses to these traversal paths from unauthenticated sources. ↗
- →Successful exploitation of CVE-2024-27199 returns HTTP 200 with a body containing both 'Debug Logging' and 'CPU & Memory Usage' strings, indicating access to the admin diagnostic page without authentication. ↗
- →CVE-2024-27199 can be abused to upload a rogue HTTPS certificate via /app/https/settings/uploadCertificate, enabling adversary-in-the-middle attacks or DoS by changing the HTTPS port number. ↗
- →Monitor TeamCity servers for unexpected rogue administrator account creation, which is a strong indicator of post-exploitation activity following CVE-2024-27199 or CVE-2024-27198 exploitation. ↗
- →Use Shodan query 'http.component:"TeamCity"' to identify internet-exposed TeamCity instances for asset inventory and attack surface reduction. ↗
- ·CVE-2024-27199 only affects on-premises TeamCity installations through version 2023.11.3. TeamCity Cloud instances were patched automatically and show no evidence of exploitation. ↗
- ·The path traversal bypass is limited in scope compared to CVE-2024-27198; it allows only a limited number of admin actions (e.g., certificate upload, HTTPS port change, diagnostic page access) rather than full administrative control. ↗
- ·The security patch plugin workaround is available for TeamCity versions 2018.2 and newer as well as 2018.1 and older, for organizations unable to immediately upgrade to 2023.11.4. ↗
CVSS provenance
nvdv3.17.3HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
vulncheck7.3HIGH
cisa7.3HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
JetBrains TeamCity up to 2023.11.3 path traversal
vuldb·2026-04-21·CVSS 7.3
CVE-2024-27199 [HIGH] JetBrains TeamCity up to 2023.11.3 path traversal
A vulnerability labeled as problematic has been found in JetBrains TeamCity. Affected by this vulnerability is an unknown functionality. Executing a manipulation can lead to relative path traversal.
This vulnerability is handled as CVE-2024-27199. The attack can be executed remotely. Additionally, an exploit exists.
The affected component should be upgraded.
GHSA
GHSA-m7gg-q7qj-3r2r: In JetBrains TeamCity before 2023
ghsa_unreviewed·2024-03-04
CVE-2024-27199 [HIGH] CWE-22 GHSA-m7gg-q7qj-3r2r: In JetBrains TeamCity before 2023
In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible
VulnCheck
JetBrains TeamCity Authentication Bypass
vulncheck·2024·CVSS 7.3
CVE-2024-27199 [HIGH] JetBrains TeamCity Authentication Bypass
JetBrains TeamCity Authentication Bypass
Authentication bypass vulnerability in the web component of JetBrains TeamCity
Affected: JetBrains TeamCity
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://attackerkb.com/topics/ADUie1mrpK/cve-2024-27199#exploited-in-the-wild_e28f53e6-cf6f-4b91-89be-6cb19dfd4315; https://blog.jetbrains.com/teamcity/2024/03/preventing-exploits-jetbrains-ethical-approach-to-vulnerability-disclosure/; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-03-17&host_type=src&vulnerability=cve-2024-27199; https://dashboard.shadowserver.org/statistics/honeypot/vul
CISA
JetBrains TeamCity Relative Path Traversal Vulnerability
cisa·2026-04-20·CVSS 7.3
CVE-2024-27199 [HIGH] CWE-23 JetBrains TeamCity Relative Path Traversal Vulnerability
Vulnerability: JetBrains TeamCity Relative Path Traversal Vulnerability
Affected: JetBrains TeamCity
JetBrains TeamCity contains a relative path traversal vulnerability that could allow limited admin actions to be performed.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.jetbrains.com/privacy-security/issues-fixed/ ; https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/ ; https://nvd.nist.gov/vuln/detail/CVE-2024-27199
Remediation Due Date: 2026-05-04
Suricata
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Auth Token Creation Attempt
suricata·2024-03-06·CVSS 9.8
CVE-2024-27198 [CRITICAL] ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Auth Token Creation Attempt
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Auth Token Creation Attempt
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Auth Token Creation Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"jsp|3d|/app/rest/users/id|3a|"; fast_pattern; content:"/tokens/"; within:12; content:"|3b|"; within:30; content:".jsp"; within:30; reference:cve,2024-27198; reference:url,www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/; classtype:attempted-admin; sid:2051507; rev:2; metadata:affected_product JetBrains_TeamCity, created_at 2024_03_06, cve
Suricata
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M2
suricata·2024-03-06·CVSS 7.3
CVE-2024-27199 [HIGH] ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M2
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M2
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M2"; flow:established,to_server; http.method; pcre:"/^(GE|POS)T$/"; http.uri; pcre:"/^\x2f(res|update|\x2ewell-known\x2facme-challenge)\x2f/"; content:"|2e 2e|"; content:"/app/https/settings/"; fast_pattern; distance:0; reference:cve,2024-27199; reference:url,www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/; classtype:bad-unknown; sid:2051510; rev:2; metadata:affected_product JetBrains_TeamCity, created_at 2024_03_06, cve CVE_2024_27199, deployment Perimeter, deployment I
Suricata
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Vulnerability Check
suricata·2024-03-06·CVSS 9.8
CVE-2024-27198 [CRITICAL] ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Vulnerability Check
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Vulnerability Check
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Vulnerability Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"jsp|3d|/app/rest/"; fast_pattern; pcre:"/^(users|server)/R"; content:"|3b|"; within:40; content:".jsp"; within:30; reference:cve,2024-27198; reference:url,www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/; classtype:attempted-recon; sid:2051505; rev:2; metadata:affected_product JetBrains_TeamCity, created_at 2024_03_06, cve CVE_2024_27198, deployment Perime
Suricata
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M3
suricata·2024-03-06·CVSS 7.3
CVE-2024-27199 [HIGH] ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M3
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M3
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M3"; flow:established,to_server; http.method; pcre:"/^(GE|POS)T$/"; http.uri; pcre:"/^\x2f(res|update|\x2ewell-known\x2facme-challenge)\x2f/"; content:"|2e 2e|"; content:"/app/pipeline"; fast_pattern; distance:0; reference:cve,2024-27199; reference:url,www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/; classtype:bad-unknown; sid:2051511; rev:2; metadata:affected_product JetBrains_TeamCity, created_at 2024_03_06, cve CVE_2024_27199, deployment Perimeter, deployment Internal
Suricata
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) - Vulnerability Check
suricata·2024-03-06·CVSS 7.3
CVE-2024-27199 [HIGH] ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) - Vulnerability Check
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) - Vulnerability Check
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) - Vulnerability Check"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\x2f(res|update|\x2ewell-known\x2facme-challenge)\x2f/"; content:"|2e 2e|"; content:"/admin/diagnostic.jsp"; fast_pattern; endswith; reference:cve,2024-27199; reference:url,www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/; classtype:attempted-recon; sid:2051508; rev:2; metadata:affected_product JetBrains_TeamCity, created_at 2024_03_06, cve CVE_2024_27199,
Suricata
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M1
suricata·2024-03-06·CVSS 7.3
CVE-2024-27199 [HIGH] ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M1
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M1
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M1"; flow:established,to_server; http.method; pcre:"/^(GE|POS)T$/"; http.uri; pcre:"/^\x2f(res|update|\x2ewell-known\x2facme-challenge)\x2f/"; content:"|2e 2e|"; content:"/app/availableRunners"; fast_pattern; distance:0; reference:cve,2024-27199; reference:url,www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/; classtype:bad-unknown; sid:2051509; rev:2; metadata:affected_product JetBrains_TeamCity, created_at 2024_03_06, cve CVE_2024_27199, deployment Perimeter, deployment
Suricata
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M4
suricata·2024-03-06·CVSS 7.3
CVE-2024-27199 [HIGH] ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M4
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M4
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M4"; flow:established,to_server; http.method; pcre:"/^(GE|POS)T$/"; http.uri; pcre:"/^\x2f(res|update|\x2ewell-known\x2facme-challenge)\x2f/"; content:"|2e 2e|"; content:"/app/oauth/space/createBuild.html"; endswith; fast_pattern; reference:cve,2024-27199; reference:url,www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/; classtype:bad-unknown; sid:2051512; rev:2; metadata:affected_product JetBrains_TeamCity, created_at 2024_03_06, cve CVE_2024_27199, deployment Perimeter, d
Suricata
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Admin User Creation Attempt
suricata·2024-03-06·CVSS 9.8
CVE-2024-27198 [CRITICAL] ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Admin User Creation Attempt
ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Admin User Creation Attempt
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) - Admin User Creation Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"jsp|3d|/app/rest/users"; fast_pattern; content:".jsp"; within:30; http.request_body; content:"|7b|"; startswith; content:"|22|username|22 3a 20 22|"; content:"|22|password|22 3a 20 22|"; content:"|5b 7b 22|roleId|22 3a 20 22|SYSTEM_ADMIN"; reference:cve,2024-27198; reference:url,www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fix
Nuclei
TeamCity < 2023.11.4 - Authentication Bypass
nuclei·CVSS 7.3
CVE-2024-27199 [HIGH] TeamCity < 2023.11.4 - Authentication Bypass
TeamCity < 2023.11.4 - Authentication Bypass
In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible
Template:
id: CVE-2024-27199
info:
name: TeamCity < 2023.11.4 - Authentication Bypass
author: DhiyaneshDk
severity: high
description: |
In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible
impact: |
Unauthenticated attackers can perform limited administrative actions on TeamCity servers via path traversal, potentially accessing sensitive build information.
remediation: |
Update JetBrains TeamCity to version 2023.11.4 or later.
reference:
- https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabil
Nuclei
TeamCity < 2023.11.4 - Authentication Bypass
nuclei·CVSS 9.8
CVE-2024-27198 [CRITICAL] TeamCity < 2023.11.4 - Authentication Bypass
TeamCity < 2023.11.4 - Authentication Bypass
In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible
Template:
id: CVE-2024-27198
info:
name: TeamCity < 2023.11.4 - Authentication Bypass
author: DhiyaneshDk
severity: critical
description: |
In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible
impact: |
Unauthenticated attackers can bypass authentication to perform administrative actions on TeamCity servers, potentially compromising build pipelines and source code.
remediation: |
Update JetBrains TeamCity to version 2023.11.4 or later.
reference:
- https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vul
Hackernews
CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines
blogs_hackernews·2026-04-21·CVSS 7.5
CVE-2023-27351 [HIGH] CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added eight new vulnerabilities to its Known Exploited Vulnerabilities ( KEV ) catalog, including three flaws impacting Cisco Catalyst SD-WAN Manager, citing evidence of active exploitation.
The list of vulnerabilities is as follows -
CVE-2023-27351 (CVSS score: 8.2) - An improper authentication vulnerability in PaperCut NG/MF that could allow an attacker to bypass authentication on affected installations via the SecurityRequestFilter class.
CVE-2024-27199 (CVSS score: 7.3) -
Hackernews
China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
blogs_hackernews·2026-04-07·CVSS 8.8
[HIGH] China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
A China-based threat actor known for deploying Medusa ransomware has been linked to the weaponization of a combination of zero-day and N-day vulnerabilities to orchestrate "high-velocity" attacks and break into susceptible internet-facing systems.
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, the United Kingdom, and
Bleepingcomputer
Microsoft links Medusa ransomware affiliate to zero-day attacks
blogs_bleepingcomputer·2026-04-06·CVSS 8.8
[HIGH] Microsoft links Medusa ransomware affiliate to zero-day attacks
## Microsoft links Medusa ransomware affiliate to zero-day attacks
## Sergiu Gatlan
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States."
Microsoft has also observed Storm-1175 operators chaining multiple exploits to gain persistence on compromised systems by creating new user accounts, deploying remote monitoring and management software, stealing credentials, and disabling security software before dropping ransomware payloads.
In October, Microsoft reported that Storm-1175 had been exploiting a maximum-severity GoAnywhere MFT
Checkpoint
11th March – Threat Intelligence Report
blogs_checkpoint·2024-03-11·CVSS 8.2
CVE-2023-46805 [HIGH] 11th March – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 11th March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 11th March, please download our Threat_Intelligence Bulletin .
TOP ATTACKS AND BREACHES
Cybersecurity and Infrastructure Security Agency (CISA) has taken offline two systems following a breach that occurred as a result of the recent vulnerabilities exploitation in Ivanti products. The affected systems potentially include the Infrastructure Protection Gateway and the Chemical Security Assessment Tool, holding sen
Wiz
TeamCity Authentication Bypass Vulnerabilities: An Analysis | Wiz Blog
blogs_wiz·2024-03-06·CVSS 9.8
CVE-2024-27198 [CRITICAL] TeamCity Authentication Bypass Vulnerabilities: An Analysis | Wiz Blog
On March 4, 2024, JetBrains released a patch for two critical and high severity authentication bypass vulnerabilities — CVE-2024-27198 (CVSS score: 9.8) and CVE-2024-27199 (CVSS score: 7.3). Each of these vulnerabilities may enable an unauthenticated attacker who has HTTP(s) access to a TeamCity server to bypass authentication checks and gain administrative control of the server. Exploitation attempts have been observed in the wild; it is highly recommended to upgrade TeamCity to the patched version or apply the “security patch” plugin as a workaround.
## March 10, 2024 update:
On March 7, 2024, CVE-2024-27198 was added to the CISA Known Exploited Vulnerabilities catalog based on evidence of active exploitation.
## What is CVE-2024-27198?
jetbrains.buildServer.controllers.BaseControlle
Wiz
TeamCity Authentication Bypass Vulnerabilities: An Analysis | Wiz Blog
blogs_wiz·2024-03-06·CVSS 9.8
CVE-2024-27198 [CRITICAL] TeamCity Authentication Bypass Vulnerabilities: An Analysis | Wiz Blog
On March 4, 2024, JetBrains released a patch for two critical and high severity authentication bypass vulnerabilities — CVE-2024-27198 (CVSS score: 9.8) and CVE-2024-27199 (CVSS score: 7.3). Each of these vulnerabilities may enable an unauthenticated attacker who has HTTP(s) access to a TeamCity server to bypass authentication checks and gain administrative control of the server. Exploitation attempts have been observed in the wild; it is highly recommended to upgrade TeamCity to the patched version or apply the “security patch” plugin as a workaround.
#### March 10, 2024 update:
On March 7, 2024, CVE-2024-27198 was added to the CISA Known Exploited Vulnerabilities catalog based on evidence of active exploitation.
# What is CVE-2024-27198?
This critical vulnerability allows remote unau
Tenable
CVE-2024-27198, CVE-2024-27199: Two Authentication Bypass Vulnerabilities in JetBrains TeamCity
blogs_tenable·2024-03-06·CVSS 9.8
[CRITICAL] CVE-2024-27198, CVE-2024-27199: Two Authentication Bypass Vulnerabilities in JetBrains TeamCity
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Bleepingcomputer
Exploit available for new critical TeamCity auth bypass bug, patch now
blogs_bleepingcomputer·2024-03-04·CVSS 9.8
CVE-2024-27198 [CRITICAL] Exploit available for new critical TeamCity auth bypass bug, patch now
## Exploit available for new critical TeamCity auth bypass bug, patch now
## Ionut Ilascu
A critical vulnerability (CVE-2024-27198) in the TeamCity On-Premises CI/CD solution from JetBrains can let a remote unauthenticated attacker take control of the server with administrative permissions.
Since full technical details to create an exploit are available, administrators are strongly recommended to prioritize addressing the issue by updating to the latest version of the product or installing a security patch plugin from the vendor.
JetBrains released a new version of the product, which includes a fix for a second, less severe security issue (CVE-2024-27199) that allows modifying a limited number of system settings without the need to authenticate.
Both issues are in the web component of
Greynoiseio
The Patches & Perils Of Coordinated Vulnerability Disclosure
blogs_greynoiseio·CVSS 9.8
[CRITICAL] The Patches & Perils Of Coordinated Vulnerability Disclosure
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
Greynoiseio
NoiseLetter March 2024
blogs_greynoiseio
NoiseLetter March 2024
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
https://www.darkreading.com/cyberattacks-data-breaches/jetbrains-teamcity-mass-exploitation-underway-rogue-accounts-thrivehttps://www.jetbrains.com/privacy-security/issues-fixed/https://www.darkreading.com/cyberattacks-data-breaches/jetbrains-teamcity-mass-exploitation-underway-rogue-accounts-thrivehttps://www.jetbrains.com/privacy-security/issues-fixed/https://github.com/Stuub/RCity-CVE-2024-27198/blob/main/RCity.pyhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27199
2024-03-04
Published
2026-04-20
Added to CISA KEV
Exploited in the wild