JetBrains issues alert about a critical vulnerability found in on-site TeamCity server systems
Critical Security Vulnerability Discovered in JetBrains TeamCity
A critical security vulnerability, known as CVE-2024-27198, has been identified in JetBrains TeamCity, a popular software development platform used by more than 15.9 million developers worldwide and 90% of the Fortune 100. This vulnerability is an authentication bypass flaw in the web component of TeamCity, allowing attackers to gain unauthorized access to the CI/CD server, potentially leading to remote code execution and other severe impacts.
Details and Impact
The vulnerability enables attackers to bypass authentication controls, effectively gaining unauthorized administrative access. Exploitation could allow unauthorized users to execute arbitrary code, manipulate builds, alter configurations, or access sensitive data stored on the server. This vulnerability specifically targets the web interface used for continuous integration and deployment operations.
Discovered and disclosed in late 2023 or early 2024, the vulnerability has been tracked as a zero-day vulnerability at times due to rapid exploitation risk. It affects on-premises TeamCity instances.
Mitigation Steps
JetBrains has released updates as part of TeamCity version 2025.07.1 and related security bulletins that address this vulnerability and other issues. Affected users are advised to update TeamCity to the latest available version, preferably 2025.07.1 or later, where the vulnerability is fixed.
In addition to updating, JetBrains recommends reviewing their security bulletins for detailed advisories on this and other security patches. Network-level protections such as limiting access to the TeamCity web interface to trusted IPs are also suggested. Regular auditing of user accounts and access privileges within TeamCity, as well as monitoring for any signs of compromise or unusual activity associated with the TeamCity instance, are also essential steps.
Additional Recommendations
To further secure TeamCity, JetBrains advises maintaining timely patching practices for all CI/CD infrastructure components. Using multi-factor authentication and other access control enhancements, if supported by the platform, is also recommended. Following best practices for securing build environments, such as network segmentation and minimal privilege, is crucial.
Impact on Customers
Customers with internet-facing servers that can't upgrade or access the plugin are advised to temporarily disconnect until all mitigation steps are completed. JetBrains urges all customers to upgrade to version 2023.11.3, where the vulnerability has been fixed.
The threat group Midnight Blizzard, linked to the 2020 Sunburst supply chain attacks, has targeted unpatched TeamCity servers globally. This trendline does not provide specific facts related to the evolving role of CISOs.
JetBrains also plans to release additional technical details on the new vulnerability and offers a security plugin as a solution for customers unable to upgrade. As of now, JetBrains is not aware of any specific exploitation activity linked to the new vulnerability. However, the company has warned of a critical security vulnerability (CVSS score 9.8) in TeamCity On-Premises, disclosed on January 19. It's essential for users to prioritize updating their TeamCity instances to the latest versions and following JetBrains’ security guidance to mitigate the risks associated with this critical vulnerability.
- The critical security vulnerability, referred to as CVE-2024-27198, discovered in JetBrains TeamCity, poses a significant threat as it allows malware to exploit the authentication bypass flaw in the web component, potentially leading to remote code execution and other severe impacts on the CI/CD server.
- Mitigation of the discovered security vulnerability requires immediate attention from cybersecurity professionals and TeamCity users alike. JetBrains strongly advises users to update their TeamCity instances to the latest versions, follow best practices for cybersecurity technology, including network-level protections and regular audits, to prevent potential exploitation of the vulnerability.
