Critical JetBrains TeamCity flaws come under active attacks

Two recently disclosed vulnerabilities in JetBrains’ TeamCity On-Premises continuous integration and continuous delivery (CI/CD) server are now targeted by threat actors.

Tracked as CVE-2024-27198 and CVE-2024-27199, the flaws are described as improper authentication issues that could lead to system takeover. They may allow an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that server.

The flaws impact all TeamCity On-Premises versions through 2023.11.3. The issues have been fixed in version 2023.11.4.

JetBrains released a patch to address both flaws. Customers are advised to apply the fixes as soon as possible, given that several nation-state threat actors, including Russian APT29 and North Korean Lazarus and Andariel, as well as ransomware gangs, have been seen abusing TeamCity bugs in the past.

Moreover, security researchers are already observing attempts to exploit CVE-2024-27198, with the first attacks spotted on March 5, 2024. According to data from cybersecurity firm Cyble, there are over 1,770 internet-exposed TeamCity instances, with the majority of them located in the US and Germany.

“Threat actors attempting to exploit vulnerabilities within 24-48 hours of its public disclosure indicates weaponizing publicly available proof-of-concepts, and exploits. The swift action by threat actors challenges the time frame typically required for the organizations to implement patches effectively and emphasize on the proactive countermeasures,” Cyble said.

Furthermore, the researchers say that Initial Access Brokers (IABs) are offering access to compromised TeamCity servers on hacker forums.

The Shadowserver Foundation, a nonprofit cybersecurity organization, said it also detected exploitation activity for CVE-2024-27198 and CVE-2024-27199, coming from 16 IP addresses.
