The Urgency of the Matter
How secure is your software development process? A recent disclosure by the Shadowserver Foundation1 warns of an active exploitation of a critical vulnerability in TeamCity servers2. This exploitation aims to execute ransomware attacks. Despite an available patch since September 21, there are still around 1,300 vulnerable servers online, including over 60 in the Netherlands.
What is TeamCity?
Developed by JetBrains, TeamCity is a platform for software development that has over 30,000 customers worldwide. Organizations can host the platform on their own servers or opt for a cloud-based solution. According to Shodan, a search engine for internet-connected devices, more than 3,000 on-premise TeamCity servers are exposed online.
Details of the Vulnerability
The vulnerability, designated as CVE-2023-42793, allows unauthorized attackers to remotely execute arbitrary code on the server. On a scale of 1 to 10, the severity of this security flaw has been rated 9.8. Don’t you think that’s alarming?
The Risks Involved
Stefan Schiller from security company Sonar Source3 warned at the end of September that the vulnerability would likely be actively exploited4. Why? Because it doesn’t require a valid account on the targeted server and is easy to exploit. Sonar Source discovered this security flaw and reported it to JetBrains. Various parties, including security firm Prodaft5, report that many well-known ransomware groups have already incorporated CVE-2023-427936 into their workflow.
Immediate Actions Required
Organizations are urged to patch their servers to mitigate the risk7. We think this is not just advisable but imperative. Failing to do so places not only your server but potentially your entire network at risk.
Conclusion and Future Implications
The critical vulnerability in TeamCity servers is a ticking time bomb, with active exploitation already taking place. The risk is significantly high, given its 9.8 rating on the severity scale and its active incorporation into ransomware groups’ workflows. Immediate patching is essential8. If this vulnerability remains unaddressed, we can believe that the number of ransomware attacks will continue to rise.
- https://twitter.com/Shadowserver/status/1708543958521974917 ↩︎
- https://www.jetbrains.com/teamcity/ ↩︎
- https://www.sonarsource.com/blog/teamcity-vulnerability/ ↩︎
- https://viz.greynoise.io/tag/jetbrains-teamcity-authentication-bypass-attempt?days=30 ↩︎
- https://www.prodaft.com/ ↩︎
- https://nvd.nist.gov/vuln/detail/CVE-2023-42793 ↩︎
- https://twitter.com/PRODAFT/status/1708586257444430019 ↩︎
- https://www.security.nl/posting/811609/TeamCity-servers+door+middel+van+kritieke+kwetsbaarheid+over+te+nemen ↩︎