CVE-2024-27198 is a critical authentication bypass vulnerability in JetBrains TeamCity On-Premises that lets an unauthenticated, remote attacker walk past login controls and provision a brand-new administrator account on a victim's build server. Once inside, an attacker inherits everything TeamCity's admin role grants: the ability to create and modify build configurations, harvest source-control and cloud-provider credentials stored in the CI/CD pipeline, and push malicious code into every downstream build that pipeline produces. Because TeamCity sits at the center of the software build and release process for thousands of engineering organizations, CVE-2024-27198 is not just a server compromise — it's a software supply chain compromise waiting to happen.
The flaw, discovered and responsibly disclosed by researchers at Rapid7, was published alongside a lower-severity path-traversal companion bug tracked as CVE-2024-27199. Within hours of public disclosure, mass internet scanning began, and multiple threat-intelligence teams later confirmed opportunistic attackers — including ransomware affiliates — using the authentication bypass to plant backdoors, deploy cryptominers, and stage follow-on intrusions. The speed and scale of that exploitation is exactly why CVE-2024-27198 remains a textbook case study in the DevSecOps nightmare of a trusted build system turned into an attacker's foothold.
Affected Versions and Components
CVE-2024-27198 affects JetBrains TeamCity On-Premises, the self-hosted edition of JetBrains' continuous integration and continuous delivery server. The vulnerability lives in TeamCity's web server component — specifically in how authentication filters process certain HTTP request paths — and impacts on-premises installations up through version 2023.11.3. JetBrains resolved the issue in TeamCity 2023.11.4.
TeamCity Cloud, JetBrains' hosted SaaS offering, was not affected, since it had already received the underlying fix ahead of the on-premises release. Any organization running a self-managed TeamCity server — a common setup for enterprises that need to keep build infrastructure inside their own network for compliance or intellectual-property reasons — should treat every pre-2023.11.4 installation as vulnerable until confirmed otherwise.
At a technical level, the bypass exists because certain URL paths in TeamCity's REST API and web interface could be crafted so that the server's authentication filter mistook an external, unauthenticated request for an internally trusted call — the kind of request TeamCity nodes normally exchange with each other in multi-node configurations. That path-confusion let an attacker reach administrative endpoints, including the ones used to create new user accounts, without ever presenting valid credentials. From there, escalating from "new admin user" to full remote code execution is straightforward in TeamCity, since administrators can install plugins and edit build steps that run arbitrary commands on connected build agents.
CVE-2024-27198: CVSS, EPSS, and KEV Status
JetBrains and Rapid7 rated CVE-2024-27198 as Critical, with a CVSS v3.1 base score of 9.8 — reflecting a network-exploitable flaw that requires no authentication and no user interaction, and that yields a complete loss of confidentiality, integrity, and availability. The companion path-traversal issue, CVE-2024-27199, received a High severity rating (CVSS 7.3); it enables a more limited authentication bypass, such as modifying a subset of server settings, but not the full administrative takeover that CVE-2024-27198 provides on its own.
Given how trivially exploitable and immediately impactful the vulnerability is, CVE-2024-27198's EPSS (Exploit Prediction Scoring System) score climbed into the highest percentile shortly after disclosure — a strong statistical signal that real-world exploitation wasn't just possible but highly likely. That prediction was borne out within days. CISA added CVE-2024-27198 to its Known Exploited Vulnerabilities (KEV) catalog soon after public disclosure, requiring U.S. federal civilian agencies to remediate on an accelerated timeline and giving every other organization a clear, authoritative signal that the flaw was already being weaponized in the wild.
Timeline of Disclosure and Exploitation
- A Rapid7 researcher identified the authentication bypass and path-traversal issues in TeamCity On-Premises and reported them to JetBrains under a coordinated disclosure process.
- JetBrains shipped the fix in TeamCity 2023.11.4 but did so without an initial public security advisory detailing the underlying vulnerabilities.
- Because the patched code could be diffed against prior releases to reverse-engineer the flaw, Rapid7 made the call to publish its own advisory and technical write-up in early March 2024, closing the window between "patch available" and "defenders informed."
- Public disclosure was followed almost immediately by internet-wide scanning for exposed, unpatched TeamCity servers, with researchers tracking thousands of still-reachable instances.
- Within days, threat-intelligence teams observed active exploitation: attackers using the bypass to create rogue admin accounts, deploy remote-access backdoors and cryptomining malware, and — in a number of documented cases — using compromised TeamCity servers as a beachhead for ransomware operations.
- CISA added CVE-2024-27198 to the Known Exploited Vulnerabilities catalog, formally confirming what the threat-intel community was already observing: this was active, not theoretical, exploitation.
This was not TeamCity's first brush with attackers who understand its value as a supply chain target. In late 2023, a separate authentication-bypass-to-RCE flaw in TeamCity, tracked as CVE-2023-42793, was linked to state-sponsored intrusion activity abusing build servers to reach downstream software customers. CVE-2024-27198 landed on security teams already primed to treat their CI/CD layer as a top-tier target, and the exploitation pattern that followed — rapid weaponization, ransomware affiliates piling on, opportunistic cryptomining alongside more targeted intrusions — has become the norm rather than the exception for critical, unauthenticated CI/CD vulnerabilities.
Remediation Steps
- Patch immediately. Upgrade every TeamCity On-Premises instance to version 2023.11.4 or later. There is no effective compensating control short of patching — this is a logic flaw in the authentication filter, not a configuration weakness a WAF rule alone can offset.
- Assume compromise if you were exposed and unpatched. If your TeamCity server was internet-facing between the disclosure date and when you applied the fix, treat it as potentially compromised. Audit the full list of administrator accounts for anything unrecognized, review logs for unexpected account creation or permission changes, and check for unfamiliar build steps, plugins, or scheduled tasks.
- Rotate every credential the build server could reach. TeamCity servers typically hold source-control tokens, artifact-repository credentials, cloud provider keys, and code-signing material. A compromised admin account can exfiltrate or abuse all of it, so rotate broadly rather than narrowly.
- Remove TeamCity from the public internet where possible. Put administrative and build-server access behind a VPN or zero-trust access proxy, and restrict inbound access to known IP ranges. An authentication bypass like CVE-2024-27198 is only remotely exploitable because the server is reachable in the first place.
- Monitor for known indicators. Cross-reference outbound connections, newly created local accounts, and process execution on build agents against published indicators of compromise from Rapid7, CISA, and other vendors tracking post-exploitation activity tied to this CVE.
- Extend scrutiny to everything the pipeline built while exposed. If an attacker had admin access to your build server, any artifact produced during that window should be treated as untrusted until verified — this is the software supply chain risk that makes CI/CD vulnerabilities categorically different from a single compromised workstation.
How Safeguard Helps
CVE-2024-27198 is a clean illustration of why software supply chain security can't stop at scanning application code for vulnerabilities — the build and delivery infrastructure itself has to be treated as part of the attack surface. Safeguard is built around that principle.
Safeguard continuously inventories the CI/CD tools, build servers, and pipeline components in your environment — including self-hosted systems like TeamCity — and maps them against known and actively exploited vulnerabilities such as CVE-2024-27198, flagging exposed or outdated instances before attackers find them. Rather than waiting on a quarterly vulnerability scan, Safeguard correlates CISA KEV listings and EPSS trends against your actual asset inventory, so a vulnerability that jumps from "interesting" to "actively weaponized" triggers an immediate, prioritized alert to your team.
Beyond detection, Safeguard helps you reason about blast radius: which repositories, secrets, and downstream artifacts a given build server can reach, so that if a TeamCity-class incident does occur, your team already knows exactly what to rotate and what to re-verify. That mapping of pipeline trust relationships is what turns "we patched it" into "we confirmed nothing malicious moved downstream while it was exposed" — the difference between closing a ticket and actually closing an incident.
For engineering organizations that depend on tools like TeamCity, Jenkins, or GitLab CI to ship software, Safeguard's supply chain monitoring is built to catch exactly this class of vulnerability — unauthenticated, trivially exploitable, and sitting at the center of the software delivery process — before it becomes the next mass-exploitation headline.