JetBrains TeamCity Relative Path Traversal — Unauthenticated Limited Admin Actions (CVE-2024-27199)
Severity Assessment
- Exploitability: 9.0/10
- Impact: 7.0/10
- Weaponization Risk: 8.5/10
- Patch Urgency: 8.5/10
- Detection Coverage: 5.5/10
Summary
CVE-2024-27199 is a relative path traversal vulnerability in JetBrains TeamCity affecting all releases prior to 2023.11.4. An unauthenticated remote attacker can send a specially crafted HTTP request that bypasses normal URL routing to reach admin-only API endpoints. The actions accessible through this path are described as limited administrative functions; in practice, observed exploitation primarily involved creating unauthorized local administrator accounts on affected TeamCity instances.
The vulnerability was publicly disclosed alongside its fix on 2024-03-04. Mass exploitation began immediately after disclosure, with attackers creating rogue admin accounts at scale across internet-exposed TeamCity installations. CISA added CVE-2024-27199 to the Known Exploited Vulnerabilities catalog on 2026-04-20 with a required remediation deadline of 2026-05-04, confirming that active exploitation continues to be observed years after the initial patch.
TeamCity is a widely deployed CI/CD platform. Compromised TeamCity instances can expose source code, build secrets, deployment credentials, and pipeline configurations. The administrative access gained through this vulnerability provides a high-value foothold for supply chain and espionage operations.
The CVSS 3.1 base score is 7.3 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). With low attack complexity and no authentication required, any network-accessible instance is exploitable.
Exploit Chain
Stage 1: Identify Target TeamCity Instance
The attacker identifies a JetBrains TeamCity server running a version prior to 2023.11.4 that is reachable over the network. No credentials or prior access are required. Internet-facing TeamCity instances are the primary target; instances on internal networks are reachable if the attacker has any foothold in the environment.
Stage 2: Path Traversal to Admin Endpoint
The attacker crafts an HTTP request that uses relative path traversal sequences to reach an admin-only API endpoint that would ordinarily be inaccessible without authentication. The traversal exploits insufficient input validation in the routing layer. The specific pattern bypasses authentication checks that protect administrative URLs by routing the request through a less-restricted handler path.
Stage 3: Execute Limited Admin Action
Through the traversed endpoint, the attacker can execute a constrained set of administrative operations. The most widely observed action in exploitation campaigns was creating a new local administrator account using the admin user registration endpoint. This gives the attacker a persistent, authenticated backdoor account that survives a patch or restart.
Stage 4: Establish Persistence and Harvest Credentials
With an authenticated admin account, the attacker has full access to TeamCity’s management interface: project configurations, build logs, stored VCS credentials, environment variables, and deployment secrets. Attackers in mass exploitation campaigns harvested these materials and established additional persistence mechanisms within the CI/CD environment.
Detection Guidance
- Audit TeamCity version across all deployments; any instance running a release prior to 2023.11.4 should be treated as potentially compromised in addition to being patched immediately.
- Review TeamCity audit logs for admin account creation events, particularly accounts created outside of normal administrative windows or by unexpected IP addresses.
- Search HTTP access logs for requests containing path traversal sequences (e.g., .., %2e%2e, %252e) targeting TeamCity endpoints, especially those that would not ordinarily be accessible without authentication.
- Check for admin accounts created during the post-2024-03-04 exploitation window that do not correspond to known personnel.
- Review all stored VCS credentials and environment variables in TeamCity for signs of unauthorized access or exfiltration.
- For instances that were unpatched during or after 2024-03-04, treat stored secrets as compromised and rotate them.
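The access-log search from the list above, as an added example (not code from JetBrains or the cited sources). It assumes Combined Log Format from a reverse proxy in front of TeamCity, and the sample lines and their paths are constructed placeholders. It decodes each request path repeatedly so that plain, single-encoded and double-encoded forms are all caught, and it ignores harmless double dots inside file names or query strings.

```python
import re
from urllib.parse import unquote

# Common/Combined Log Format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so %252e -> %2e -> '.' is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(target):
    """True if the request path holds a '..' segment after decoding."""
    path = fully_decode(target.split("?", 1)[0]).replace("\\", "/")
    return ".." in path.split("/")

def find_traversal_requests(lines):
    """Return one dict per log line whose request path traverses upward."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and has_traversal(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "status": int(m["status"]), "target": m["target"]})
    return hits

# Constructed sample lines; paths are placeholders, not real TeamCity URLs.
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Mar/2024:18:02:11 +0000] "GET /placeholder/../admin/placeholder.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Mar/2024:18:02:12 +0000] "POST /placeholder/%2e%2e/admin/placeholder HTTP/1.1" 200 87',
    '203.0.113.9 - - [04/Mar/2024:18:05:40 +0000] "GET /placeholder/%252e%252e%252fadmin/placeholder HTTP/1.1" 404 0',
    '192.0.2.15 - - [04/Mar/2024:18:06:01 +0000] "GET /overview.html?file=report..v2 HTTP/1.1" 200 9001',
    '192.0.2.15 - - [04/Mar/2024:18:06:05 +0000] "GET /img/logo..png HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["method"], hit["target"])
```

Hits that returned a 2xx status from a source with no authenticated session are the ones to correlate first with the admin account creation events in the audit log.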
Indicators of Compromise
Log and authentication indicators:
- Admin user account creation events in TeamCity logs from unrecognized IP addresses or outside authorized change windows
- HTTP requests to TeamCity endpoints containing path traversal patterns (../, ..%2F, %2e%2e%2f) against admin-scoped paths
- Authentication events from newly created accounts with high privilege levels shortly after account creation
- TeamCity audit log entries showing access to VCS credential stores, environment variable configurations, or API token management
Network indicators:
- HTTP POST requests to TeamCity admin registration or user creation endpoints from unauthenticated sessions
- Repeated probing of TeamCity URL patterns characteristic of automated scanning for the traversal path
- Outbound connections from the TeamCity host to infrastructure not associated with known build targets or deployment destinations
Disclosure Timeline
2024-03-04
JetBrains published a security advisory disclosing CVE-2024-27199 and CVE-2024-27198, a companion authentication bypass vulnerability. TeamCity 2023.11.4 was released as the fix for both vulnerabilities. Mass exploitation began on the same day as disclosure, with attackers creating rogue administrator accounts across internet-exposed TeamCity installations.
2026-04-20
CISA added CVE-2024-27199 to the Known Exploited Vulnerabilities catalog, confirming active exploitation remains ongoing. The required remediation deadline for Federal Civilian Executive Branch agencies was set to 2026-05-04.
2026-04-21
The National Vulnerability Database updated the CVE-2024-27199 record to reflect the analyzed status and CISA KEV annotations.
Sources & References
- National Vulnerability Database: CVE-2024-27199 — National Vulnerability Database, 2026-04-21
- Cybersecurity and Infrastructure Security Agency: CVE-2024-27199 Known Exploited Vulnerabilities Entry — Cybersecurity and Infrastructure Security Agency, 2026-04-20
- JetBrains: Security Issues Fixed in TeamCity 2023.11.4 — JetBrains, 2024-03-04
- Dark Reading: JetBrains TeamCity Mass Exploitation Underway, Rogue Accounts Thrive — Dark Reading, 2024-03-04