Safeguard
DevSecOps

TeamCity Authentication Bypass Exploited by Nation-State ...

A critical TeamCity authentication bypass, CVE-2023-42793, let APT29 and North Korean hackers seize build servers for supply chain attacks.

Priya Mehta
DevSecOps Engineer
7 min read

On September 21, 2023, JetBrains and independent researchers disclosed CVE-2023-42793, a critical authentication bypass vulnerability in TeamCity On-Premises that lets an unauthenticated attacker with HTTP(S) access to a vulnerable server seize full administrative control — no credentials, no user interaction, no prior access required. Within days, CISA, the FBI, and international partners confirmed that Russian and North Korean state-sponsored groups were already exploiting it in the wild, using compromised build servers as a foothold for espionage and software supply chain attacks. For a CI/CD platform that sits at the center of an organization's build and release pipeline, that combination — trivial exploitation plus nation-state interest — made CVE-2023-42793 one of the most consequential DevOps security incidents of 2023.

This post breaks down what CVE-2023-42793 is, who was affected, how it was exploited, and what teams running TeamCity should do now if they haven't already remediated.

What Is CVE-2023-42793?

TeamCity is a popular continuous integration and continuous delivery (CI/CD) server built by JetBrains, used by organizations to build, test, and deploy software. CVE-2023-42793 is an authentication bypass vulnerability in the TeamCity web server component that allows an attacker to circumvent authentication checks entirely and reach privileged administrative functionality.

The root cause lies in how certain REST API endpoints handled request paths, allowing an unauthenticated actor to reach internal functionality normally reserved for authenticated administrators. From there, an attacker can create a new administrator account, and from an admin account TeamCity offers multiple straightforward paths to remote code execution — for example, by configuring a build step or installing a plugin that executes arbitrary code on the underlying host. In practical terms, an internet-exposed, unpatched TeamCity server could go from "unauthenticated attacker connects" to "attacker has a shell on the build server" in a matter of minutes.

Because TeamCity servers routinely hold source code access, build secrets, signing keys, and deployment credentials, compromising one isn't just a server breach — it's a potential foothold into everything that server builds and ships. That is precisely why this authentication bypass drew the attention of nation-state operators rather than opportunistic criminals alone.

Affected Versions and Components

CVE-2023-42793 affects TeamCity On-Premises, all versions up to and including 2023.05.3. The vulnerability resides in the core TeamCity web/REST server component, meaning it is not tied to a specific plugin or optional feature — any exposed on-premises instance in the affected range was vulnerable by default.

JetBrains TeamCity Cloud was not affected, since JetBrains manages patching and network exposure for cloud-hosted instances directly. The risk was specific to self-hosted, on-premises deployments — particularly those reachable from the internet, which security researchers found numbered in the thousands at the time of disclosure.

JetBrains fixed the vulnerability in TeamCity 2023.05.4, released alongside the public disclosure.

CVSS Score, EPSS, and KEV Status

CVE-2023-42793 carries a CVSS v3.1 base score of 9.8 (Critical), reflecting the combination of network-based attack vector, low attack complexity, no privileges required, no user interaction, and high impact to confidentiality, integrity, and availability. It's about as severe as a scoring system can rate a vulnerability short of built-in wormability.

The Exploit Prediction Scoring System (EPSS) for CVE-2023-42793 has consistently placed it in the highest percentile of vulnerabilities tracked, which is unsurprising given the volume of documented, sustained exploitation by multiple distinct threat actors rather than isolated proof-of-concept activity.

Given active exploitation confirmed almost immediately after disclosure, CISA added CVE-2023-42793 to its Known Exploited Vulnerabilities (KEV) catalog, which triggered mandatory remediation deadlines for U.S. federal civilian agencies under Binding Operational Directive 22-01. For any organization tracking KEV status as part of its vulnerability management program, this vulnerability should have been treated as an emergency patch, not a routine ticket.

Timeline of Disclosure and Exploitation

  • Discovery and private disclosure: Researchers at Sonar identified the authentication bypass in TeamCity and privately reported it to JetBrains.
  • September 2023 — Patch released: JetBrains shipped TeamCity 2023.05.4, fixing the flaw, and urged all on-premises customers to update immediately, initially withholding full technical detail to slow attacker reverse-engineering.
  • September 21, 2023 — Full disclosure and CVE-2023-42793 published: Technical details of the authentication bypass were published, and the vulnerability was formally tracked as CVE-2023-42793. CISA, the FBI, and international CERT partners issued a joint cybersecurity advisory the same week, attributing active exploitation to APT29 (also known as Midnight Blizzard or Cozy Bear), the Russian intelligence-linked group associated with the SolarWinds supply chain compromise.
  • Late September–October 2023 — Additional nation-state activity confirmed: Microsoft's threat intelligence team reported that North Korean state-sponsored groups, tracked as Diamond Sleet and Onyx Sleet, were separately exploiting unpatched TeamCity servers, in several cases to conduct software supply chain attacks by injecting malicious code into build processes and deploying custom backdoors and malware loaders on compromised infrastructure.
  • Ongoing scanning and exploitation: Security researchers and honeypot telemetry continued to observe mass scanning and opportunistic exploitation of unpatched TeamCity instances for months after disclosure, as is typical for any critical, unauthenticated, internet-facing bug once it becomes public.

The involvement of two separate, well-resourced nation-state actors — one Russian, one North Korean — targeting the same authentication bypass within weeks of each other underscores how attractive CI/CD infrastructure has become as a supply chain attack vector. Compromising a build server isn't just about stealing data from one victim; it's a potential pivot point into every downstream customer and system that consumes software built on that pipeline.

Remediation Steps

If you run TeamCity On-Premises, treat this as an assumed-breach scenario until proven otherwise, given how long this vulnerability was actively exploited before and immediately after disclosure.

  1. Patch immediately. Upgrade to TeamCity 2023.05.4 or later. JetBrains has since released newer versions with additional hardening; always run a current, supported release.
  2. Assume compromise if you were exposed and unpatched. If your TeamCity server was internet-facing and unpatched during the exploitation window, audit for indicators of compromise: unexpected administrator accounts, unfamiliar plugins, modified build configurations, unrecognized scheduled tasks, or anomalous outbound connections from the build host.
  3. Rotate secrets. Rotate any credentials, API tokens, signing keys, or SSH keys accessible to or stored within the TeamCity server, since an attacker with admin access could have exfiltrated them.
  4. Review build artifacts and pipeline integrity. Given the confirmed supply chain motive of the actors exploiting this bug, verify that build outputs, container images, and release artifacts produced during the exposure window have not been tampered with.
  5. Restrict network exposure. Where possible, place TeamCity servers behind a VPN or IP allowlist rather than exposing the web UI and REST API directly to the internet — this authentication bypass is a strong reminder that "authentication required" is not a substitute for network-level access control on CI/CD infrastructure.
  6. Enable and monitor audit logging. Ensure TeamCity's audit log is enabled and forwarded to your SIEM so that administrative account creation and configuration changes are detectable in near real time going forward.

How Safeguard Helps

CVE-2023-42793 is a textbook illustration of why software supply chain security can't stop at scanning application dependencies — the build and CI/CD infrastructure itself is high-value attacker terrain, and nation-state actors have proven they know it.

Safeguard is built to close exactly this gap. Our platform continuously monitors your software supply chain — including CI/CD systems like TeamCity, Jenkins, and GitHub Actions — for exploitable vulnerabilities like this authentication bypass, correlating CVE, CVSS, EPSS, and CISA KEV data so your team can prioritize patches based on real exploitation risk rather than raw severity scores alone. When a vulnerability like CVE-2023-42793 is added to KEV, Safeguard flags affected infrastructure in your environment immediately, rather than waiting for the next scheduled scan cycle.

Beyond detection, Safeguard helps verify build integrity end-to-end — attesting to build provenance, monitoring for unauthorized changes to pipeline configuration, and alerting on anomalous administrative activity of the kind seen in this campaign, such as unexpected admin account creation or unrecognized plugin installation on build servers. That gives security teams the visibility to catch a TeamCity-style authentication bypass being exploited, not just to patch it after the fact.

If your organization runs self-hosted CI/CD infrastructure, CVE-2023-42793 is a reminder worth acting on today: audit your exposure, patch aggressively, and treat your build systems with the same security rigor as your production environment. Safeguard can help you do exactly that, continuously.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.