CVE-2024-27198
CVE-2024-27198 is a critical-severity vulnerability in Jetbrains Teamcity with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-03-07). The underlying weakness is classified as CWE-288.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2024-03-07)
- EU (EUVD) id: EUVD-2024-24437
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2024-03-07)
- Weakness: CWE-288
- Affected product: Jetbrains Teamcity
- Published:
- Last modified:
Description
In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible
CVE-2024-27198: Critical Authentication Bypass in JetBrains TeamCity
AI-generated analysis based on the vulnerability data on this page.
| CVE | CVSS v3 | Severity | EPSS | KEV | CWE |
|---|---|---|---|---|---|
| CVE-2024-27198 | 9.8 | CRITICAL | 99.94% (0.99938) | Yes (2024-03-07) | CWE-288 |
Summary
JetBrains TeamCity, a widely-used continuous integration and continuous deployment (CI/CD) server, contains a critical authentication bypass vulnerability in versions prior to 2023.11.4. An unauthenticated remote attacker can exploit this flaw to perform administrative actions on the server, effectively gaining full control over the CI/CD pipeline. This vulnerability carries a CVSS v3 score of 9.8 and has been actively exploited in the wild since early March 2024.
Background
TeamCity is a popular CI/CD platform developed by JetBrains, used by organizations worldwide to automate build, test, and deployment workflows. Because CI/CD servers typically hold privileged access to source code repositories, build artifacts, secrets, and deployment credentials, they represent high-value targets in enterprise environments. A successful compromise of a TeamCity server can lead to supply chain attacks, source code theft, and unauthorized deployment of malicious artifacts.
Root Cause
The vulnerability is classified under CWE-288. The underlying issue stems from an authentication logic flaw in TeamCity's web interface that allows an attacker to access administrative endpoints without presenting valid credentials. The specific implementation defect creates an alternate path to privileged functionality that bypasses the standard authentication and authorization checks entirely.
Impact
With a CVSS v3 score of 9.8 (Critical) and the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, this vulnerability is network-exploitable, requires no privileges, no user interaction, and provides complete compromise of the CIA triad:
- Confidentiality: HIGH — Attackers can access build configurations, source code, secrets, and credentials stored within the TeamCity environment.
- Integrity: HIGH — Attackers can modify build pipelines, inject malicious code into build artifacts, or alter deployment configurations.
- Availability: HIGH — Attackers can disrupt CI/CD operations, delete projects, or render the server unusable.
Given that CI/CD infrastructure often sits at the heart of software supply chains, the downstream impact can extend far beyond the TeamCity instance itself.
Exploitation Walkthrough
Ethics & Legal Notice: This section describes the vulnerability mechanism from a defensive perspective only. Attempting to exploit systems without explicit authorization is illegal and unethical. The information below is intended to help defenders understand the attack surface and implement effective protections.
The exploitation of this vulnerability typically follows this pattern:
- Reconnaissance: The attacker identifies a publicly accessible TeamCity instance, often through internet scanning or by targeting known organizational CI/CD infrastructure.
- Bypass Attempt: The attacker sends a specially crafted HTTP request to an administrative endpoint, leveraging the authentication bypass flaw to access the endpoint without credentials.
- Administrative Action: Once authenticated as an administrative user, the attacker can create new projects, modify existing build configurations, extract stored secrets, or deploy malicious build agents.
- Persistence & Lateral Movement: With administrative access, the attacker may establish persistent access mechanisms, such as creating rogue user accounts, installing malicious plugins, or exfiltrating credentials to move laterally within the target environment.
Mass exploitation of this vulnerability was observed in the wild beginning March 2024, with attackers rapidly deploying automated exploitation tools against exposed TeamCity instances.
Affected and Patched Versions
| Status | Version |
|---|---|
| Affected | JetBrains TeamCity versions before 2023.11.4 |
| Patched | JetBrains TeamCity 2023.11.4 and later |
Organizations running TeamCity versions older than 2023.11.4 should assume they are vulnerable and, if internet-facing, potentially compromised.
Remediation
- Upgrade Immediately: Apply JetBrains TeamCity version 2023.11.4 or later as soon as possible. JetBrains has released patches addressing this authentication bypass.
- Network Segmentation: Restrict network access to TeamCity administrative interfaces to authorized internal IP ranges only. Do not expose TeamCity directly to the internet unless absolutely necessary.
- Reverse Proxy & WAF: Place TeamCity behind a reverse proxy with Web Application Firewall (WAF) rules that can detect and block anomalous requests to administrative endpoints.
- Credential Rotation: After patching, rotate all credentials, API keys, and secrets stored within the TeamCity environment, as they may have been compromised during the exposure window.
- Audit Build Pipelines: Review recent build history and configuration changes for unauthorized modifications, new projects, or unexpected build agent registrations.
Detection
Defenders should monitor for the following indicators:
- Unusual HTTP requests to administrative endpoints from unknown IP addresses without prior authentication.
- New administrative user accounts or API tokens created outside of normal change management windows.
- Unexpected build agent registrations or connections from unauthorized hosts.
- Anomalous build executions or configuration modifications in TeamCity audit logs.
- Network scans targeting TeamCity default ports from suspicious IP ranges.
Assessment
This vulnerability represents a textbook example of why internet-facing CI/CD infrastructure is a critical attack surface. With an EPSS score of 0.99938 (99.94th percentile), the probability of exploitation is virtually certain for exposed instances. The inclusion in CISA's Known Exploited Vulnerabilities catalog and the EU's exploited vulnerability database confirms that threat actors are actively and successfully targeting this flaw.
Key lessons:
- Authentication is a non-negotiable boundary. A single bypass flaw in authentication logic can collapse an entire security model, especially for systems that gate access to production pipelines and secrets.
- Patch velocity matters. The window between disclosure and mass exploitation was extremely narrow. Organizations with exposed CI/CD infrastructure must have emergency patching procedures that can operate on hours, not days.
References
Frequently asked questions
- What is CVE-2024-27198?
- In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible
- How severe is CVE-2024-27198?
- CVE-2024-27198 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2024-27198 being actively exploited?
- Yes. CVE-2024-27198 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-03-07, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2024-27198?
- CVE-2024-27198 affects Jetbrains Teamcity. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2024-27198?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2024-27198 have an EU (EUVD) identifier?
- Yes. CVE-2024-27198 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-24437. It is also flagged as exploited in the EUVD (since 2024-03-07).
- When was CVE-2024-27198 published?
- CVE-2024-27198 was published on 2024-03-04 and last updated on 2026-06-17.
References
- https://www.darkreading.com/cyberattacks-data-breaches/jetbrains-teamcity-mass-exploitation-underway-rogue-accounts-thrive
- https://www.jetbrains.com/privacy-security/issues-fixed/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27198
Affected products (1)
- cpe:2.3:a:jetbrains:teamcity:*:*:*:*:*:*:*:*
More vulnerabilities in Jetbrains Teamcity
- CVE-2024-23917 — Critical (CVSS 9.8): In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible
- CVE-2023-42793 — Critical (CVSS 9.8): In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible
- CVE-2022-25263 — Critical (CVSS 9.8): JetBrains TeamCity before 2021.2.3 was vulnerable to OS command injection in the Agent Push feature configuration.
- CVE-2022-24340 — Critical (CVSS 9.8): In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible.
- CVE-2022-24331 — Critical (CVSS 9.8): In JetBrains TeamCity before 2021.1.4, GitLab authentication impersonation was possible.
- CVE-2021-43202 — Critical (CVSS 9.8): In JetBrains TeamCity before 2021.1.3, the X-Frame-Options header is missing in some cases.
All CVEs affecting Jetbrains Teamcity →
Other CWE-288 vulnerabilities
- CVE-2026-53622 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. Prior to 3.7.3, there is a critical vulnerability in Traefik's…
- CVE-2026-48491 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. From 3.7.0 until 3.7.3, there is a high severity vulnerability in…
- CVE-2026-48020 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.48, 3.6.19, and 3.7.3, there is a high severity…
- CVE-2026-20079 — Critical (CVSS 10.0): A vulnerability in the web interface of Cisco Secure Firewall Management Center (FMC) Software could allow an…
- CVE-2024-10081 — Critical (CVSS 10.0): CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy.…
- CVE-2024-2973 — Critical (CVSS 10.0): An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or…