CVE-2024-27198 and CVE-2024-27199 Detection: Critical Vulnerabilities in JetBrains TeamCity Pose Escalating Risks with Exploits Underway

A couple of months after the massive exploitation of CVE-2023-42793, novel critical vulnerabilities in JetBrains TeamCity came into the spotlight, exposing affected users to the risks of the complete compromise of the impacted systems. Tracked as CVE-2024-27198 and CVE-2024-27199, the discovered security flaws can give unauthenticated attackers the green light to gain administrative control of the server. With the CVE-2024-27198 PoC exploits publicly available and more underway, defenders warn organizations and individual users of the growing risks of in-the-wild attacks weaponizing these flaws. 

Detect CVE-2024-27198 and CVE-2024-27199 Exploitation Attempts

In light of the escalating risks of exploitation attempts of security vulnerabilities in JetBrains TeamCity, including the newly discovered critical flaws tracked as CVE-2024-27198 and CVE-2024-2719, it’s imperative for defenders to take immediate action to proactively defend against adversary intrusions. SOC Prime Team has recently released a new detection algorithm to detect CVE-2024-27198 and CVE-2024-2719 exploitation attempts. Log in to the SOC Prime Platform to reach the dedicated content item based on the recently released PoC code:

Possible CVE-2024-27198/CVE-2024-27199 (JetBrains TeamCity Authentication Bypass) Exploitation Attempt (via webserver)

The detection is aligned with MITRE ATT&CK® v.14.1 addressing the Initial Access tactic and the corresponding Exploit Public-Facing Application (T1190) technique. The detection algorithm is compatible with 18 cloud and on-prem security analytics platforms to simplify cross-platform query translation. 

Organizations seeking to boost their cyber resilience against emerging threats of any scale, including critical vulnerabilities that are constantly challenging defenders, can leverage the entire collection of detection ideas for CVEs by clicking the Explore Detections button. All detection algorithms are enhanced with comprehensive metadata and tailored intelligence to shave seconds off threat investigation.

Explore Detections

CVE-2024-27198 and CVE-2024-27199 Analysis

In February 2024, Rapid7 researchers uncovered and reported two novel critical authentication bypass vulnerabilities impacting the JetBrains TeamCity CI/CD server. The flaws known as CVE-2024-27198 and CVE-2024-27199 allow attackers with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control over the compromised server. CVE-2024-27198 with a CVSS score reaching 9.8 is a flaw in the web component of TeamCity stemming from an alternative path issue, while CVE-2024-27199 is a less severe vulnerability with a CVSS score of 7.3 that stems from a path traversal issue.

​​CVE-2024-27198 can result in the full compromise of a targeted TeamCity server, potentially leading to RCE and giving attackers the green light to launch a supply chain attack. As for CVE-2024-27199, it can be weaponized by adversaries to launch DoS attacks or intercept client connections.

The vulnerabilities impacting all TeamCity On-Premises versions up to 2023.11.3 have been patched in the most recent version 2023.11.4. To minimize the risks of potential attacks, the vendor also released a security patch plugin to enable customers who cannot upgrade to the latest version to safeguard their environment from related threats.

With the ​​CVE-2024-27198 PoC exploit code publicly accessible on GitHub, the risks of attacks leading to the full server takeover are growing, which fuels ultra-responsiveness from defenders. Leveraging SOC Prime’s Attack Detective, security engineers can elevate the organization’s cybersecurity posture by timely identifying cyber defense blind spots, identifying proper data to collect to address these gaps and optimize SIEM ROI, and prioritizing detection procedures before adversaries have a chance to strike.