CVE-2024-27199
CVE-2024-27199 is a high-severity vulnerability in Jetbrains Teamcity with a CVSS 3.x base score of 7.3. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2026-04-20). The underlying weakness is classified as CWE-22.
Key facts
- Severity: High (CVSS 3.x base score 7.3)
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2026-04-20)
- EU (EUVD) id: EUVD-2024-24438
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2026-04-20)
- Weakness: CWE-22
- Affected product: Jetbrains Teamcity
- Published:
- Last modified:
Description
In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible
CVE-2024-27199: JetBrains TeamCity Path Traversal Enables Limited Admin Actions
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE ID | CVE-2024-27199 |
| Vendor | JetBrains |
| Product | TeamCity |
| CWE | CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) |
| CVSS 3.1 | 7.3 (HIGH) — AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| EPSS | 0.99991 (99.991% probability of exploitation) |
| KEV | Yes — CISA Known Exploited Vulnerabilities Catalog |
| Published | 2024-03-04 |
| Last Modified | 2026-06-17 |
Summary
A path-traversal flaw in JetBrains TeamCity before 2023.11.4 enables unauthenticated remote attackers to reach restricted administrative endpoints by manipulating URL paths. Successful exploitation grants limited admin capabilities without valid credentials, exposing CI/CD pipelines to unauthorized access and supply-chain risk.
Background
JetBrains TeamCity is a widely adopted continuous integration and continuous deployment (CI/CD) server used by development teams to automate builds, tests, and releases. Because TeamCity often holds credentials to source-control systems, artifact repositories, and deployment targets, it is a high-value target for threat actors seeking to poison software supply chains. CVE-2024-27199 was disclosed in March 2024 alongside a related authentication-bypass vulnerability (CVE-2024-27198), and both quickly attracted mass exploitation.
Root Cause
The vulnerability is classified as CWE-22: Improper Limitation of a Pathname to a Restricted Directory. TeamCity’s web interface failed to adequately sanitize or canonicalize incoming URL paths before routing requests. By injecting directory-traversal sequences (e.g., ../ or encoded variants) into the request path, an attacker could bypass access-control checks that relied on literal path matching and reach protected administrative handlers. The root cause is therefore a validation gap at the request-dispatch layer rather than a flaw in a specific endpoint’s business logic.
Impact
The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L translates to:
- Attack Vector: Network — Exploitable remotely without local network access.
- Attack Complexity: Low — No special conditions or race windows are required.
- Privileges Required: None — Fully unauthenticated.
- User Interaction: None — No victim action needed.
- Scope: Unchanged — The vulnerable component is the only one impacted.
- Confidentiality Impact: Low — Limited access to admin-level information.
- Integrity Impact: Low — Limited ability to alter configuration or data.
- Availability Impact: Low — Possible limited disruption, but not full denial of service.
The overall HIGH severity (7.3) is driven by the zero-authentication, network-reachable attack surface and the administrative privileges attainable, which in a CI/CD context can cascade into supply-chain compromise.
Exploitation Walkthrough
Ethics & Legal Notice: The following description is provided for defensive awareness and detection engineering only. Attempting to exploit systems without explicit authorization is illegal and unethical.
An attacker sends a crafted HTTP request to a publicly reachable TeamCity instance, embedding path-traversal sequences in the URI to reach an admin-restricted endpoint. Because the dispatcher does not canonicalize the path before evaluating access rules, the request is routed to the privileged handler and executed with elevated context. No valid session cookie or API token is required. Publicly available exploit code (e.g., RCity.py) automates this sequence, lowering the barrier for opportunistic attacks.
Defenders should treat any unauthenticated request containing .. or encoded traversal patterns targeting TeamCity URLs as suspicious, especially when the resulting response contains admin-page content or configuration data.
Affected and Patched Versions
| Status | Versions |
|---|---|
| Affected | JetBrains TeamCity before 2023.11.4 |
| Patched | JetBrains TeamCity 2023.11.4 and later |
Specific patch details are documented in JetBrains’ security advisory. If you are running a version older than 2023.11.4, assume exposure.
Remediation
- Upgrade immediately to JetBrains TeamCity 2023.11.4 or the latest supported release. This is the primary and most effective remediation.
- Apply compensating controls if patching is delayed:
- Restrict network access to TeamCity web interfaces using VPNs, IP allow-lists, or Web Application Firewalls (WAFs).
- Block or alert on URI paths containing traversal sequences (
..,%2e%2e,%252e, etc.) at the reverse-proxy or WAF layer. - Disable or limit public exposure of the TeamCity server UI; require bastion host or jump-box access.
- Rotate credentials after patching, especially CI/CD service accounts, source-control tokens, and deployment keys that TeamCity may have stored, in case of prior compromise.
Detection
- Network / WAF logs: Look for HTTP requests to TeamCity endpoints containing
..sequences, double-encoded traversal patterns, or anomalous 200-OK responses to unauthenticated admin paths. - Web server logs: Unusually large numbers of 404 or 403 errors followed by 200 responses from the same source IP may indicate traversal probing followed by successful exploitation.
- Host-based monitoring: Unexpected changes to TeamCity configuration files, new user accounts, or modified build steps without a corresponding authenticated admin session are indicators of compromise.
- Threat-intelligence feeds: Correlate source IPs against known exploit frameworks or scanning campaigns associated with CVE-2024-27199.
Assessment
With an EPSS score of 0.99991, this vulnerability sits in the top fraction of a percentile for observed exploitation probability, and its presence on the CISA KEV catalog (added 2026-04-20) confirms in-the-wild abuse. The related CVE-2024-27198 authentication bypass amplifies the threat because attackers can chain the two flaws for broader impact.
Key lessons:
- Path canonicalization is security-critical. Frameworks and custom dispatchers must resolve and normalize paths before applying access-control decisions.
- CI/CD infrastructure is tier-0 infrastructure. A compromised build server is a compromised software supply chain; unauthenticated admin access to CI/CD systems should be considered a code-red event.
References
- https://www.darkreading.com/cyberattacks-data-breaches/jetbrains-teamcity-mass-exploitation-underway-rogue-accounts-thrive
- https://www.jetbrains.com/privacy-security/issues-fixed/
- https://github.com/Stuub/RCity-CVE-2024-27198/blob/main/RCity.py
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27199
Frequently asked questions
- What is CVE-2024-27199?
- In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible
- How severe is CVE-2024-27199?
- CVE-2024-27199 has a CVSS 3.x base score of 7.3, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability low.
- Is CVE-2024-27199 being actively exploited?
- Yes. CVE-2024-27199 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2026-04-20, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2024-27199?
- CVE-2024-27199 affects Jetbrains Teamcity. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2024-27199?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2024-27199 have an EU (EUVD) identifier?
- Yes. CVE-2024-27199 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-24438. It is also flagged as exploited in the EUVD (since 2026-04-20).
- When was CVE-2024-27199 published?
- CVE-2024-27199 was published on 2024-03-04 and last updated on 2026-06-17.
References
- https://www.darkreading.com/cyberattacks-data-breaches/jetbrains-teamcity-mass-exploitation-underway-rogue-accounts-thrive
- https://www.jetbrains.com/privacy-security/issues-fixed/
- https://github.com/Stuub/RCity-CVE-2024-27198/blob/main/RCity.py
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27199
Affected products (1)
- cpe:2.3:a:jetbrains:teamcity:*:*:*:*:*:*:*:*
More vulnerabilities in Jetbrains Teamcity
- CVE-2024-27198 — Critical (CVSS 9.8): In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible
- CVE-2024-23917 — Critical (CVSS 9.8): In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible
- CVE-2023-42793 — Critical (CVSS 9.8): In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible
- CVE-2022-25263 — Critical (CVSS 9.8): JetBrains TeamCity before 2021.2.3 was vulnerable to OS command injection in the Agent Push feature configuration.
- CVE-2022-24340 — Critical (CVSS 9.8): In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible.
- CVE-2022-24331 — Critical (CVSS 9.8): In JetBrains TeamCity before 2021.1.4, GitLab authentication impersonation was possible.
All CVEs affecting Jetbrains Teamcity →
Other CWE-22 (Path Traversal) vulnerabilities
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-54917 — Critical (CVSS 10.0): SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the…
- CVE-2026-11429 — Critical (CVSS 10.0): Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file…
- CVE-2026-34909 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
- CVE-2026-7411 — Critical (CVSS 10.0): In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel…
- CVE-2026-36767 — Critical (CVSS 10.0): A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary…