The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a significant security vulnerability affecting JetBrains TeamCity On-Premises software to its Known Exploited Vulnerabilities catalog. This classification is based on concrete evidence of active exploitation in the wild.

The identified flaw, designated CVE-2024-27198, has a critical Common Vulnerability Scoring System (CVSS) score of 9.8. It involves an authentication bypass that can enable a remote attacker, operating without authentication, to gain full administrative access to vulnerable servers.

This issue was addressed by JetBrains earlier this week, in conjunction with another vulnerability tracked as CVE-2024-27199, which has a CVSS score of 7.3. The latter also includes an authentication bypass but is categorized as having moderate severity, allowing limited information disclosure and minor system alterations.

JetBrains has reported that these vulnerabilities may enable unauthorized users with HTTP(S) access to bypass critical authentication measures, thereby seizing administrative control of TeamCity servers. This raises significant concerns, especially for businesses relying on this software for their development processes.

Threat actors have been observed exploiting these vulnerabilities to deploy Jasmin ransomware and to create numerous unauthorized user accounts. Reports from CrowdStrike and LeakIX indicate that malicious actors have been actively leveraging these flaws against unpatched servers. Additionally, the Shadowserver Foundation has noted that exploitation attempts began shortly after public disclosure on March 4, 2024.

Analysis by GreyNoise has shown that CVE-2024-27198 is the target of broad exploitation attempts originating from multiple unique IP addresses, underscoring the urgency for organizations to close this security gap promptly.

In response to this risk, organizations utilizing on-premises versions of JetBrains TeamCity are urged to implement the security updates without delay. Federal agencies have a deadline of March 28, 2024, to ensure their systems are patched against these vulnerabilities.
