Critical TeamCity Vulnerability Exploited by Criminals for Ransomware Attacks


The Urgency of the Matter

How secure is your software development process? A recent disclosure by the Shadowserver Foundation[1] warns of active exploitation of a critical vulnerability in TeamCity servers[2], with the aim of deploying ransomware. Although a patch has been available since September 21, around 1,300 vulnerable servers are still online, including over 60 in the Netherlands.

What is TeamCity?

Developed by JetBrains, TeamCity is a platform for software development that has over 30,000 customers worldwide. Organizations can host the platform on their own servers or opt for a cloud-based solution. According to Shodan, a search engine for internet-connected devices, more than 3,000 on-premise TeamCity servers are exposed online.

Details of the Vulnerability

The vulnerability, designated CVE-2023-42793, allows unauthenticated attackers to remotely execute arbitrary code on the server. Its severity has been rated 9.8 on a scale of 1 to 10. Don’t you think that’s alarming?

The Risks Involved

Stefan Schiller from security company Sonar Source[3] warned at the end of September that the vulnerability would likely be actively exploited[4]. Why? Because it doesn’t require a valid account on the targeted server and is easy to exploit. Sonar Source discovered this security flaw and reported it to JetBrains. Various parties, including security firm Prodaft[5], report that many well-known ransomware groups have already incorporated CVE-2023-42793[6] into their workflow.

Immediate Actions Required

Organizations are urged to patch their servers to mitigate the risk[7]. We think this is not just advisable but imperative. Failing to do so places not only your server but potentially your entire network at risk.
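Patching starts with knowing which servers are still on an unpatched release. The following inventory triage script is an added example, not code from the article, JetBrains, Shadowserver or Prodaft. It assumes TeamCity reports its version as "year.minor.patch (build N)", takes the first fixed release as a caller-supplied placeholder (the article gives no version number, so substitute the release named in the vendor advisory), and uses constructed hostnames and version strings. Servers whose version cannot be parsed are listed separately for manual review rather than silently treated as safe.

```python
import re
from dataclasses import dataclass

# Version shape assumed for this example: "2023.05.3 (build 100003)".
# The "(build N)" suffix is optional so a bare "2022.10" also parses.
VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(?:\(build\s+(\d+)\))?\s*$"
)

# PLACEHOLDER: replace with the first fixed release from the JetBrains advisory.
FIXED_VERSION = "2023.05.9"


@dataclass(frozen=True)
class Host:
    name: str      # hostname as recorded in the inventory
    version: str   # raw version string as recorded in the inventory


def parse_version(raw):
    """Return (year, minor, patch) for a TeamCity-style version string, or None
    when the string does not match the assumed shape."""
    m = VERSION_RE.match(raw)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def triage(hosts, fixed_version):
    """Split an inventory into 'patched', 'vulnerable' and 'unknown' buckets.

    A host is 'patched' when its version is at or above fixed_version,
    'vulnerable' when below it, and 'unknown' when the version string cannot
    be parsed (it must be checked by hand, never assumed safe)."""
    fixed = parse_version(fixed_version)
    if fixed is None:
        raise ValueError(f"cannot parse fixed version {fixed_version!r}")
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for host in hosts:
        parsed = parse_version(host.version)
        if parsed is None:
            result["unknown"].append(host.name)
        elif parsed >= fixed:
            result["patched"].append(host.name)
        else:
            result["vulnerable"].append(host.name)
    return result


# Constructed sample inventory: hostnames, versions and build numbers are invented.
SAMPLE_INVENTORY = [
    Host("ci-build-01.example.internal", "2023.05.3 (build 100003)"),
    Host("ci-build-02.example.internal", "2023.05.9 (build 100009)"),
    Host("ci-new.example.internal", "2023.11.0 (build 100010)"),
    Host("ci-legacy.example.internal", "2022.10.1"),
    Host("ci-staging.example.internal", "unknown"),
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY, FIXED_VERSION).items():
        print(f"{bucket}: {names}")
```

Tuple comparison handles the year-based scheme correctly: a later major line (2023.11.0 in the sample) sorts above the fixed 2023.05.x release, while an older major line (2022.10.1) is correctly flagged regardless of its patch number.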

Conclusion and Future Implications

The critical vulnerability in TeamCity servers is a ticking time bomb, with active exploitation already taking place. The risk is significantly high, given its 9.8 rating on the severity scale and its active incorporation into ransomware groups’ workflows. Immediate patching is essential[8]. If this vulnerability remains unaddressed, we expect the number of ransomware attacks to continue to rise.

  1. https://twitter.com/Shadowserver/status/1708543958521974917
  2. https://www.jetbrains.com/teamcity/
  3. https://www.sonarsource.com/blog/teamcity-vulnerability/
  4. https://viz.greynoise.io/tag/jetbrains-teamcity-authentication-bypass-attempt?days=30
  5. https://www.prodaft.com/
  6. https://nvd.nist.gov/vuln/detail/CVE-2023-42793
  7. https://twitter.com/PRODAFT/status/1708586257444430019
  8. https://www.security.nl/posting/811609/TeamCity-servers+door+middel+van+kritieke+kwetsbaarheid+over+te+nemen
Reza Rafati https://cyberwarzone.com

Reza Rafati, based in the Netherlands, is the founder of Cyberwarzone.com. An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolstering digital defenses and promoting cyber awareness.
