CVE-2023-42793
CVE-2023-42793 is a critical-severity vulnerability in Jetbrains Teamcity with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-10-04). The underlying weakness is classified as CWE-306.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2023-10-04)
- EU (EUVD) id: EUVD-2023-47222
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2023-10-04)
- Weakness: CWE-306
- Affected product: Jetbrains Teamcity
- Published:
- Last modified:
Description
In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible
CVE-2023-42793: JetBrains TeamCity Authentication Bypass Leading to Remote Code Execution
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE ID | CVE-2023-42793 |
| Published | 2023-09-19 |
| CVSS v3 | 9.8 (CRITICAL) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-306: Missing Authentication for Critical Function |
| EPSS | 0.99979 (99.98th percentile) |
| CISA KEV | Listed (2023-10-04) |
| EU Exploited | Yes (since 2023-10-04) |
Summary
CVE-2023-42793 is a critical authentication bypass vulnerability in JetBrains TeamCity CI/CD servers running versions prior to 2023.05.4. The flaw allows an unauthenticated remote attacker to completely bypass authentication and gain administrative access, which can be leveraged to achieve remote code execution (RCE) on the TeamCity server. With a CVSS v3 score of 9.8 and near-certain exploitation probability (EPSS 0.99979), this vulnerability poses an extreme risk to organizations using affected TeamCity deployments.
Background
JetBrains TeamCity is a widely adopted continuous integration and continuous deployment (CI/CD) server used by development teams to automate build, test, and release pipelines. Because CI/CD servers typically have privileged access to source code repositories, build artifacts, secrets, and deployment infrastructure, they represent high-value targets for attackers. A compromise of a TeamCity server can cascade into supply-chain attacks, unauthorized code modifications, and exfiltration of sensitive credentials.
Root Cause
The vulnerability is classified under CWE-306: Missing Authentication for Critical Function. The underlying issue stems from an authentication flaw in the TeamCity web interface that allows certain REST API endpoints to be accessed without valid credentials. Specifically, the endpoint handling user creation and token generation could be reached by an unauthenticated attacker, enabling the creation of an administrative account or the extraction of an existing administrative token. Once an admin token is obtained, the attacker can abuse legitimate administrative APIs to modify server configuration, install plugins, or execute arbitrary code through build agents.
Impact
The CVSS v3 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H translates to:
- Attack Vector (AV): Network — Exploitable remotely over the internet.
- Attack Complexity (AC): Low — No special conditions or advanced techniques required.
- Privileges Required (PR): None — No authentication needed.
- User Interaction (UI): None — Fully automated exploitation possible.
- Scope (S): Unchanged — Impact remains within the vulnerable component.
- Confidentiality (C): High — Total information disclosure.
- Integrity (I): High — Complete data and system integrity compromise.
- Availability (A): High — Full loss of availability possible.
The practical impact is unauthenticated remote code execution on the TeamCity server, effectively giving an attacker full control over the CI/CD environment and everything it touches.
Exploitation Walkthrough
Ethics & Legal Notice: The following description is provided for defensive awareness only. Do not attempt to exploit systems you do not own or have explicit permission to test.
The exploitation flow is conceptually straightforward:
- Reconnaissance: Identify a reachable TeamCity server and determine its version (via the login page or
/login.htmlmetadata). - Authentication Bypass: Send a crafted HTTP request to the vulnerable REST endpoint that handles user management. Due to the missing authentication check, the server accepts the request and creates a new user account with administrative privileges.
- Privilege Escalation: Use the newly created admin account to generate an access token.
- Remote Code Execution: With admin token in hand, interact with TeamCity's plugin management or build configuration APIs to upload a malicious plugin or modify a build step to execute arbitrary system commands on the server or connected build agents.
Public exploit code and detailed technical analyses have been released by multiple security vendors, contributing to the extremely high EPSS score and rapid inclusion in CISA's Known Exploited Vulnerabilities catalog.
Affected and Patched Versions
| Status | Versions |
|---|---|
| Affected | JetBrains TeamCity before 2023.05.4 |
| Patched | JetBrains TeamCity 2023.05.4 and later |
Organizations should verify their current TeamCity version via the administration panel or the /login.html page footer.
Remediation
- Upgrade immediately. Apply JetBrains TeamCity version 2023.05.4 or newer. JetBrains has published a security post-mortem and fix details on their official blog.
- Restrict network exposure. Ensure TeamCity servers are not directly exposed to the public internet. Place them behind a VPN, corporate firewall, or reverse proxy with strong authentication.
- Web Application Firewall (WAF) rules. Deploy virtual-patching rules (where available) to block requests to the vulnerable endpoint patterns until patching is complete.
- Rotate secrets. After patching, rotate all API tokens, build agent credentials, and repository access keys stored in the TeamCity instance.
- Review audit logs. Inspect TeamCity access logs for suspicious user-creation events, unexpected admin logins, or unauthorized plugin uploads around the disclosure date (2023-09-19) and onward.
Detection
- Network signatures: Monitor for unexpected HTTP POST requests to TeamCity REST endpoints related to user or token management from untrusted source IPs.
- Host indicators: Look for newly created user accounts with admin roles, unauthorized plugins in the TeamCity plugins directory, or anomalous build step modifications.
- Log analysis: Correlating authentication events with source IP geolocation and time-of-day baselines can help surface compromise attempts.
- Threat-intelligence feeds: EPSS score of 0.99979 and CISA KEV listing mean this should be treated as an active, high-priority threat.
Assessment
CVE-2023-42793 is a textbook example of how a single missing authentication check on a critical endpoint can lead to total infrastructure compromise. The near-perfect EPSS score (0.99979) and rapid CISA KEV inclusion within two weeks of disclosure reflect both the severity and the ease of exploitation. For defenders, the key lesson is to treat CI/CD infrastructure as tier-zero assets—they should never be internet-facing without compensating controls, and they must be patched with the same urgency as domain controllers or VPN concentrators.
A second lesson is the value of defense-in-depth: even if the initial authentication bypass had been caught in review, limiting TeamCity's network exposure would have dramatically reduced the attack surface available to opportunistic threat actors.
References
- https://blog.jetbrains.com/teamcity/2023/09/cve-2023-42793-vulnerability-post-mortem/
- https://www.jetbrains.com/privacy-security/issues-fixed/
- https://www.rapid7.com/blog/post/2023/09/25/etr-cve-2023-42793-critical-authentication-bypass-in-jetbrains-teamcity-ci-cd-servers/
- https://www.sonarsource.com/blog/teamcity-vulnerability/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-42793
- https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793
- http://packetstormsecurity.com/files/174860/JetBrains-TeamCity-Unauthenticated-Remote-Code-Execution.html
- https://www.securityweek.com/recently-patched-teamcity-vulnerability-exploited-to-hack-servers/
Frequently asked questions
- What is CVE-2023-42793?
- In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible
- How severe is CVE-2023-42793?
- CVE-2023-42793 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2023-42793 being actively exploited?
- Yes. CVE-2023-42793 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-10-04, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2023-42793?
- CVE-2023-42793 affects Jetbrains Teamcity. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-42793?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2023-42793 have an EU (EUVD) identifier?
- Yes. CVE-2023-42793 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-47222. It is also flagged as exploited in the EUVD (since 2023-10-04).
- When was CVE-2023-42793 published?
- CVE-2023-42793 was published on 2023-09-19 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/174860/JetBrains-TeamCity-Unauthenticated-Remote-Code-Execution.html
- https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793
- https://blog.jetbrains.com/teamcity/2023/09/cve-2023-42793-vulnerability-post-mortem/
- https://www.jetbrains.com/privacy-security/issues-fixed/
- https://www.rapid7.com/blog/post/2023/09/25/etr-cve-2023-42793-critical-authentication-bypass-in-jetbrains-teamcity-ci-cd-servers/
- https://www.securityweek.com/recently-patched-teamcity-vulnerability-exploited-to-hack-servers/
- https://www.sonarsource.com/blog/teamcity-vulnerability/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-42793
Affected products (1)
- cpe:2.3:a:jetbrains:teamcity:*:*:*:*:*:*:*:*
More vulnerabilities in Jetbrains Teamcity
- CVE-2024-27198 — Critical (CVSS 9.8): In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible
- CVE-2024-23917 — Critical (CVSS 9.8): In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible
- CVE-2022-25263 — Critical (CVSS 9.8): JetBrains TeamCity before 2021.2.3 was vulnerable to OS command injection in the Agent Push feature configuration.
- CVE-2022-24340 — Critical (CVSS 9.8): In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible.
- CVE-2022-24331 — Critical (CVSS 9.8): In JetBrains TeamCity before 2021.1.4, GitLab authentication impersonation was possible.
- CVE-2021-43202 — Critical (CVSS 9.8): In JetBrains TeamCity before 2021.1.3, the X-Frame-Options header is missing in some cases.
All CVEs affecting Jetbrains Teamcity →
Other CWE-306 (Missing Authentication for Critical Function) vulnerabilities
- CVE-2026-54309 — Critical (CVSS 10.0): n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, when @n8n/mcp-browser is run in HTTP…
- CVE-2026-50242 — Critical (CVSS 10.0): In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429…
- CVE-2026-49257 — Critical (CVSS 10.0): mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1…
- CVE-2026-46846 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46803 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46800 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites).…
Browse all CWE-306 (Missing Authentication for Critical Function) vulnerabilities →