

    Exploitation of Critical TeamCity Vulnerability CVE-2024-27198 Begins Immediately After Disclosure

    The disclosure of a critical authentication bypass vulnerability, CVE-2024-27198, in TeamCity has led to immediate exploitation by threat actors. The vulnerability, along with another high-severity flaw, CVE-2024-27199, was disclosed by JetBrains on March 4, with exploitation attempts starting the same day.

    The critical vulnerability allows remote, unauthenticated attackers to gain full control of a vulnerable TeamCity server. Attackers can exploit this flaw by creating a new admin user account or by generating an admin access token. This level of access grants control over all TeamCity projects, builds, agents, and artifacts, making it a potential vector for supply chain attacks.

    The disclosure process was marred by miscommunication between Rapid7, which discovered the vulnerabilities, and JetBrains. Rapid7, concerned about silent patching, published a blog post detailing its findings shortly after JetBrains announced fixes. JetBrains, on the other hand, wanted customers to install patches before details were made public, and the mismatch led to confusion and premature disclosure.

    Exploitation attempts targeting CVE-2024-27198 were observed on March 4, the same day the vulnerabilities were disclosed. Shadowserver Foundation reported 16 IPs scanning the internet for vulnerable servers on March 5, with proof-of-concept exploits emerging the same day. GreyNoise also tracked exploitation attempts from over a dozen unique IPs on March 4.

    LeakIX reported mass exploitation of CVE-2024-27198 on March 6, with roughly 2,700 unpatched hosts initially identified, including many in the United States, Germany, and Russia. By March 6, the number of vulnerable TeamCity instances had dropped to 1,700, but 1,400 instances showed signs of rogue user creation.
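    The two post-exploitation signs the article mentions, a rogue administrator account or a freshly minted admin access token, are what a defender would audit first on a TeamCity server that was exposed during this window. The following script is an added example and is not part of the article or of TeamCity's own tooling: it takes user and token records (a simplified, constructed record shape, not TeamCity's native export format; the role name `SYSTEM_ADMIN` and the field names are assumptions) and flags admin accounts and admin-owned tokens created on or after the March 4 disclosure date.

```python
"""Triage helper: flag admin accounts and access tokens created after a cutoff.

Added example, not from the article or from JetBrains. The record shape below is a
constructed, simplified stand-in for whatever user/token export you pull from your
own server; the role name SYSTEM_ADMIN is an assumption.
"""
from datetime import datetime, timezone

# Date JetBrains disclosed CVE-2024-27198 / CVE-2024-27199 (from the article).
DISCLOSURE_CUTOFF = datetime(2024, 3, 4, tzinfo=timezone.utc)

ADMIN_ROLE = "SYSTEM_ADMIN"  # assumed name of the server-wide administrator role

# Constructed sample records; usernames, token names and timestamps are invented.
SAMPLE_USERS = [
    {"username": "build-admin", "roles": ["SYSTEM_ADMIN"], "created": "2023-06-12T09:14:00Z"},
    {"username": "dev-jane", "roles": ["PROJECT_DEVELOPER"], "created": "2023-11-02T15:40:00Z"},
    {"username": "svc-ops", "roles": ["SYSTEM_ADMIN"], "created": "2024-03-05T02:11:37Z"},
    {"username": "test-user", "roles": ["PROJECT_VIEWER"], "created": "2024-03-06T08:00:00Z"},
]
SAMPLE_TOKENS = [
    {"username": "build-admin", "name": "ci-deploy", "created": "2024-01-10T10:00:00Z"},
    {"username": "build-admin", "name": "rest", "created": "2024-03-04T23:59:02Z"},
]


def _parse(ts: str) -> datetime:
    """Parse a UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def flag_new_admins(users, cutoff=DISCLOSURE_CUTOFF):
    """Usernames holding the admin role whose account was created at or after cutoff.

    This is the 'new admin user' path the article describes; a non-admin account
    created in the same window is noted elsewhere, not here.
    """
    return sorted(
        u["username"]
        for u in users
        if ADMIN_ROLE in u["roles"] and _parse(u["created"]) >= cutoff
    )


def flag_new_admin_tokens(users, tokens, cutoff=DISCLOSURE_CUTOFF):
    """(username, token name) pairs for tokens issued to admin accounts at or after cutoff.

    This is the 'admin access token' path: a rogue token on a long-standing admin
    account, so the age of the account itself is irrelevant here.
    """
    admins = {u["username"] for u in users if ADMIN_ROLE in u["roles"]}
    return sorted(
        (t["username"], t["name"])
        for t in tokens
        if t["username"] in admins and _parse(t["created"]) >= cutoff
    )


def triage(users, tokens, cutoff=DISCLOSURE_CUTOFF):
    """Run both checks and return the findings keyed by check name."""
    return {
        "new_admins": flag_new_admins(users, cutoff),
        "new_admin_tokens": flag_new_admin_tokens(users, tokens, cutoff),
    }


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_USERS, SAMPLE_TOKENS).items():
        print(f"{check}: {hits or 'none'}")
```

    The cutoff is only a starting point: the article notes that exploitation began the day of disclosure and that the attackers and their timeline are unknown, so widen the window if the server was reachable before March 4, and treat any hit as a reason to rotate credentials and review build history rather than simply deleting the account.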

    It remains unclear who is behind the attacks and what their motives are. However, previous incidents have shown that TeamCity vulnerabilities have been exploited by both profit-driven cybercriminals and state-sponsored cyberspies.

    The exploitation of critical vulnerabilities in TeamCity highlights the importance of timely patching and effective communication between security researchers and software vendors. Organizations using TeamCity should apply the latest patches immediately to protect against potential attacks.
