CVE-2023-42793

CVE-2023-42793 is a critical-severity vulnerability in Jetbrains Teamcity with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-10-04). The underlying weakness is classified as CWE-306.

Key facts

Description

In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible

CVE-2023-42793: JetBrains TeamCity Authentication Bypass Leading to Remote Code Execution

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE ID CVE-2023-42793
Published 2023-09-19
CVSS v3 9.8 (CRITICAL)
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE CWE-306: Missing Authentication for Critical Function
EPSS 0.99979 (99.98th percentile)
CISA KEV Listed (2023-10-04)
EU Exploited Yes (since 2023-10-04)

Summary

CVE-2023-42793 is a critical authentication bypass vulnerability in JetBrains TeamCity CI/CD servers running versions prior to 2023.05.4. The flaw allows an unauthenticated remote attacker to completely bypass authentication and gain administrative access, which can be leveraged to achieve remote code execution (RCE) on the TeamCity server. With a CVSS v3 score of 9.8 and near-certain exploitation probability (EPSS 0.99979), this vulnerability poses an extreme risk to organizations using affected TeamCity deployments.

Background

JetBrains TeamCity is a widely adopted continuous integration and continuous deployment (CI/CD) server used by development teams to automate build, test, and release pipelines. Because CI/CD servers typically have privileged access to source code repositories, build artifacts, secrets, and deployment infrastructure, they represent high-value targets for attackers. A compromise of a TeamCity server can cascade into supply-chain attacks, unauthorized code modifications, and exfiltration of sensitive credentials.

Root Cause

The vulnerability is classified under CWE-306: Missing Authentication for Critical Function. The underlying issue stems from an authentication flaw in the TeamCity web interface that allows certain REST API endpoints to be accessed without valid credentials. Specifically, the endpoint handling user creation and token generation could be reached by an unauthenticated attacker, enabling the creation of an administrative account or the extraction of an existing administrative token. Once an admin token is obtained, the attacker can abuse legitimate administrative APIs to modify server configuration, install plugins, or execute arbitrary code through build agents.

Impact

The CVSS v3 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H translates to:

  • Attack Vector (AV): Network — Exploitable remotely over the internet.
  • Attack Complexity (AC): Low — No special conditions or advanced techniques required.
  • Privileges Required (PR): None — No authentication needed.
  • User Interaction (UI): None — Fully automated exploitation possible.
  • Scope (S): Unchanged — Impact remains within the vulnerable component.
  • Confidentiality (C): High — Total information disclosure.
  • Integrity (I): High — Complete data and system integrity compromise.
  • Availability (A): High — Full loss of availability possible.

The practical impact is unauthenticated remote code execution on the TeamCity server, effectively giving an attacker full control over the CI/CD environment and everything it touches.

Exploitation Walkthrough

Ethics & Legal Notice: The following description is provided for defensive awareness only. Do not attempt to exploit systems you do not own or have explicit permission to test.

The exploitation flow is conceptually straightforward:

  1. Reconnaissance: Identify a reachable TeamCity server and determine its version (via the login page or /login.html metadata).
  2. Authentication Bypass: Send a crafted HTTP request to the vulnerable REST endpoint that handles user management. Due to the missing authentication check, the server accepts the request and creates a new user account with administrative privileges.
  3. Privilege Escalation: Use the newly created admin account to generate an access token.
  4. Remote Code Execution: With admin token in hand, interact with TeamCity's plugin management or build configuration APIs to upload a malicious plugin or modify a build step to execute arbitrary system commands on the server or connected build agents.

Public exploit code and detailed technical analyses have been released by multiple security vendors, contributing to the extremely high EPSS score and rapid inclusion in CISA's Known Exploited Vulnerabilities catalog.

Affected and Patched Versions

Status Versions
Affected JetBrains TeamCity before 2023.05.4
Patched JetBrains TeamCity 2023.05.4 and later

Organizations should verify their current TeamCity version via the administration panel or the /login.html page footer.

Remediation

  1. Upgrade immediately. Apply JetBrains TeamCity version 2023.05.4 or newer. JetBrains has published a security post-mortem and fix details on their official blog.
  2. Restrict network exposure. Ensure TeamCity servers are not directly exposed to the public internet. Place them behind a VPN, corporate firewall, or reverse proxy with strong authentication.
  3. Web Application Firewall (WAF) rules. Deploy virtual-patching rules (where available) to block requests to the vulnerable endpoint patterns until patching is complete.
  4. Rotate secrets. After patching, rotate all API tokens, build agent credentials, and repository access keys stored in the TeamCity instance.
  5. Review audit logs. Inspect TeamCity access logs for suspicious user-creation events, unexpected admin logins, or unauthorized plugin uploads around the disclosure date (2023-09-19) and onward.

Detection

  • Network signatures: Monitor for unexpected HTTP POST requests to TeamCity REST endpoints related to user or token management from untrusted source IPs.
  • Host indicators: Look for newly created user accounts with admin roles, unauthorized plugins in the TeamCity plugins directory, or anomalous build step modifications.
  • Log analysis: Correlating authentication events with source IP geolocation and time-of-day baselines can help surface compromise attempts.
  • Threat-intelligence feeds: EPSS score of 0.99979 and CISA KEV listing mean this should be treated as an active, high-priority threat.

Assessment

CVE-2023-42793 is a textbook example of how a single missing authentication check on a critical endpoint can lead to total infrastructure compromise. The near-perfect EPSS score (0.99979) and rapid CISA KEV inclusion within two weeks of disclosure reflect both the severity and the ease of exploitation. For defenders, the key lesson is to treat CI/CD infrastructure as tier-zero assets—they should never be internet-facing without compensating controls, and they must be patched with the same urgency as domain controllers or VPN concentrators.

A second lesson is the value of defense-in-depth: even if the initial authentication bypass had been caught in review, limiting TeamCity's network exposure would have dramatically reduced the attack surface available to opportunistic threat actors.

References

Frequently asked questions

What is CVE-2023-42793?
In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible
How severe is CVE-2023-42793?
CVE-2023-42793 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2023-42793 being actively exploited?
Yes. CVE-2023-42793 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-10-04, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2023-42793?
CVE-2023-42793 affects Jetbrains Teamcity. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2023-42793?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2023-42793 have an EU (EUVD) identifier?
Yes. CVE-2023-42793 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-47222. It is also flagged as exploited in the EUVD (since 2023-10-04).
When was CVE-2023-42793 published?
CVE-2023-42793 was published on 2023-09-19 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Jetbrains Teamcity

All CVEs affecting Jetbrains Teamcity →

Other CWE-306 (Missing Authentication for Critical Function) vulnerabilities

Browse all CWE-306 (Missing Authentication for Critical Function) vulnerabilities →