
JetBrains TeamCity Spreading Exploitation Widely, Unauthorized Accounts Proliferate


Cyber attackers have wasted no time in exploiting two recently disclosed vulnerabilities in the TeamCity CI/CD platform, with reported campaigns involving ransomware distribution and unauthorized creation of admin users. JetBrains, the developer of TeamCity, made public the vulnerabilities on March 3, leading to immediate concerns about the potential impact on the widespread use of the platform for software project automation.

One of the vulnerabilities, identified as CVE-2024-27198, presents a critical authentication bypass flaw in TeamCity’s Web component, with a severity rating of 9.8 out of 10. Security researchers at Rapid7, who discovered the vulnerability and reported it, have warned that it allows remote, unauthenticated attackers to execute arbitrary code and gain complete control over affected instances. The other vulnerability, CVE-2024-27199, is a moderate-severity authentication bypass issue in the same TeamCity Web component, enabling limited information disclosure and system modification.

With approximately 30,000 organizations relying on TeamCity to streamline their build, testing, and deployment processes in CI/CD environments, the vulnerabilities have quickly become a lucrative target for malicious actors. Greg Fitzgerald, co-founder of Sevco Security, highlights the growing trend of attackers exploiting trusted tools like TeamCity for malicious purposes, including the propagation of malicious code and systemic compromise.

Stephen Fewer, principal security researcher at Rapid7, explains how attackers can leverage the vulnerabilities to locate exposed TeamCity servers and execute attacks with relative ease. By exploiting CVE-2024-27198, for example, an attacker can create new admin accounts or access tokens, leading to full server compromise and remote code execution. This level of access enables attackers to manipulate all resources managed by TeamCity, potentially allowing for deep network penetration and persistence on compromised servers.

CrowdStrike’s threat hunting group reported instances of threat actors exploiting the vulnerabilities to deploy what appears to be a modified version of Jasmin, a ransomware simulation tool. Additionally, LeakIX detected over 1,700 exposed TeamCity instances online, with a significant number showing signs of unauthorized user account creation via CVE-2024-27198. ShadowServer.org observed exploitation activity for the vulnerabilities shortly after disclosure, emphasizing the critical need for patching vulnerable TeamCity instances to mitigate the risk of compromise.
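As an added illustration (not code from the article, JetBrains or any of the vendors quoted), the following Python script audits an exported TeamCity user list for the two post-exploitation artefacts described above: global admin accounts nobody approved and access tokens minted on or after the March 3 disclosure. The record layout and the `SYSTEM_ADMIN` role id are assumptions modelled on TeamCity's REST output, and the user records are constructed sample data.

```python
"""Offline audit of a TeamCity user/token export for signs of the
post-exploitation described in the article: unexpected SYSTEM_ADMIN
accounts and freshly minted access tokens. The record shape (username,
roles with a roleId, tokens with a creationTime) is an assumption of
this example modelled on TeamCity's REST representations."""
from datetime import datetime, timezone

# Public disclosure date named in the article.
DISCLOSURE = datetime(2024, 3, 3, tzinfo=timezone.utc)

# Constructed sample export: one legitimate admin, one account holding
# admin rights that appeared after disclosure, one normal user with a new token.
SAMPLE_USERS = [
    {"username": "buildadmin",
     "roles": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}],
     "tokens": [{"name": "ci", "creationTime": "20231115T090000+0000"}]},
    {"username": "svc_tmp1",
     "roles": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}],
     "tokens": [{"name": "x", "creationTime": "20240304T021500+0000"}]},
    {"username": "dev1",
     "roles": [{"roleId": "PROJECT_DEVELOPER", "scope": "p:MyProj"}],
     "tokens": [{"name": "laptop", "creationTime": "20240305T101000+0000"}]},
]


def parse_tc_time(value):
    # Assumed TeamCity timestamp layout, e.g. 20240304T021500+0000.
    return datetime.strptime(value, "%Y%m%dT%H%M%S%z")


def audit(users, approved_admins, since=DISCLOSURE):
    """Return (kind, username, token_name) findings: global admins not in
    the approved set, and access tokens created at or after `since`."""
    findings = []
    for u in users:
        is_global_admin = any(r["roleId"] == "SYSTEM_ADMIN" and r.get("scope") == "g"
                              for r in u.get("roles", []))
        if is_global_admin and u["username"] not in approved_admins:
            findings.append(("unexpected_admin", u["username"], None))
        for t in u.get("tokens", []):
            if parse_tc_time(t["creationTime"]) >= since:
                findings.append(("new_token", u["username"], t["name"]))
    return findings


if __name__ == "__main__":
    for kind, user, token in audit(SAMPLE_USERS, {"buildadmin"}):
        print(kind, user, token or "")
```

Any `unexpected_admin` hit on an unpatched instance is a strong indicator that the account-creation path the article describes has already been used, and a prompt to rotate every token listed under `new_token`.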

In light of the active exploitation and potential implications of the vulnerabilities, organizations using TeamCity are urged to apply the necessary patches immediately. ShadowServer.org’s warning underscores the widespread impact of the vulnerabilities, with thousands of TeamCity instances at risk of compromise. As attackers continue to exploit security flaws in widely used platforms like TeamCity, proactive patching and security measures are essential to safeguard sensitive data and prevent unauthorized access.
