Connect with us

Hi, what are you looking for?



Recently Patched TeamCity Vulnerability Exploited to Hack Servers

In-the-wild exploitation of a critical vulnerability in the TeamCity CI/CD server started shortly after a patch was released by developers.

In-the-wild exploitation of a critical vulnerability in JetBrains’ TeamCity continuous integration and continuous deployment (CI/CD) server started just days after the availability of a patch was announced.

The vulnerability, tracked as CVE-2023-42793, impacts the on-premises version of TeamCity and it allows an unauthenticated attacker with access to a targeted server to achieve remote code execution and gain administrative control of the system. 

JetBrains announced the release of TeamCity 2023.05.4, which patches the flaw, on September 21. 

Sonar, the code security firm whose researchers discovered the issue, released some limited information the same day, and published technical details roughly a week later after a proof-of-concept (PoC) exploit was made public.

Sonar warned in its initial blog post that in-the-wild exploitation would likely be observed soon due to how easily the flaw can be exploited.

Threat intelligence firm GreyNoise started seeing the first exploitation attempts on September 27, with a peak seen the following day. The company has seen attack attempts coming from 56 unique IP addresses as of October 1.

A different threat intelligence company, Prodaft, reported seeing “many popular ransomware groups” targeting CVE-2023-42793. 

The Shadowserver Foundation, a non-profit cybersecurity organization, has scanned the internet for vulnerable TeamCity servers and identified nearly 1,300 unique IPs, with the highest percentage located in the United States, followed by Germany, Russia and China. 

Organizations using TeamCity should update their installation as soon as possible. For customers who cannot immediately install the update, JetBrains has provided a security patch plugin that can be used to mitigate the issue on servers running TeamCity 8.0 and later. TeamCity Cloud customers do not need to take any action.

Advertisement. Scroll to continue reading.

Related: CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks

Related: Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks

Related: Progress Software Patches Critical Pre-Auth Flaws in WS_FTP Server Product 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.