[CDP-development] TLP:GREEN (Vulnerability Alert Notification) CVE-2024-27199: JetBrains TeamCity Path Traversal Vulnerability
ESO_SOC * DAS
ESO.SOC at das.oregon.gov
Mon Apr 20 14:42:59 PDT 2026
Good afternoon,
The SOC Services team is reporting on CVE-2024-27199, a path traversal vulnerability in the web component of JetBrains TeamCity on-premises servers. Due to active exploitation, we are providing this in-depth information.
History: Discovered by Rapid7 and disclosed by JetBrains on March 4, 2024, and last updated on 10/4/2024. NVD initially published a CVSSv3 score on 03/03/2024 and latest updates provided on 05/30/2025. The CVSS v3.x base score is 7.3 (High) as reported by JetBrains s.r.o.
Affected Versions
* All JetBrains TeamCity versions prior to 2023.11.4
Fixed Versions
* JetBrains TeamCity 2023.11.4
For more information, please see the links here:
* Vendor Advisory: TeamCity 2023.11.4 Release Notes <https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/>
Intelligence: As of April 20, 2026, CISA has confirmed the vulnerability as being exploited in the wild and has added it to the Known Exploited Vulnerabilities Catalog. This vulnerability has been exploited in the wild by various threat actors, including the China-linked group Earth Lamia and the financially motivated cybercriminal group Storm-1175, to gain administrative control of servers, deploy malware, and expand botnets. Exploitation of this vulnerability often leads to data exfiltration and ransomware deployment, with Storm-1175 using it to deploy Medusa ransomware as part of high-velocity ransomware campaigns. The vulnerability has been used to target specific sectors, including healthcare, education, and finance, primarily in the US, UK, and Australia.
Exploitability: Network Exploitability
Exploit Complexity: Low
First Proof of Concept: 03/04/2024
Remotely Exploitable: Yes
Proof of Concept Available: Yes
Zero Day: No
Workarounds: A security patch plugin is available for older versions of TeamCity (2023.11.4); otherwise, there are no effective workarounds.
How it works: An attacker could perform a denial of service against the TeamCity server by either changing the HTTPS port number to a value not expected by clients, or by uploading a certificate that will fail client-side validation. Alternatively, an attacker with a suitable position on the network may be able to perform either eavesdropping or a man-in-the-middle attack on client connections, if the certificate the attacker uploads (and has a private key for) will be trusted by the clients. Several paths have been identified that are vulnerable to a path traversal issue that allows a limited number of authenticated endpoints to be successfully reached by an unauthenticated attacker. These paths include, but may not be limited to:
* /res/
* /update/
* /.well-known/acme-challenge/
Post-Exploit: An unauthenticated attacker can leverage this vulnerability both to modify a limited number of system settings on the server and to disclose a limited amount of sensitive information from the server.
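To support the compromise check recommended in this alert, the following added example (not part of the original advisory or any vendor tooling) scans web access logs for requests that start with one of the three listed prefixes and then contain a traversal segment, including percent-encoded forms. It assumes Common Log Format logs from the TeamCity server or a reverse proxy in front of it; the sample lines and the EXAMPLE-ENDPOINT placeholder are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Path prefixes the advisory names as affected by the traversal issue.
WATCHED_PREFIXES = ("/res/", "/update/", "/.well-known/acme-challenge/")

# Assumption: Common Log Format, e.g. ip - - [time] "METHOD target PROTO" status size
LINE_RE = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines; EXAMPLE-ENDPOINT is a placeholder, not a real TeamCity path.
SAMPLE_LOG = """\
198.51.100.7 - - [20/Apr/2026:10:01:02 -0700] "GET /res/../EXAMPLE-ENDPOINT HTTP/1.1" 200 512
198.51.100.7 - - [20/Apr/2026:10:01:05 -0700] "POST /update/%2e%2e/EXAMPLE-ENDPOINT?x=1 HTTP/1.1" 200 64
203.0.113.9 - - [20/Apr/2026:10:02:00 -0700] "GET /res/css/main.css HTTP/1.1" 200 2048
203.0.113.9 - - [20/Apr/2026:10:02:09 -0700] "GET /.well-known/acme-challenge/%252e%252e/EXAMPLE-ENDPOINT HTTP/1.1" 404 0
203.0.113.9 - - [20/Apr/2026:10:03:00 -0700] "GET /login.html?next=/res/../x HTTP/1.1" 200 900
"""

def decode_path(target, rounds=3):
    """Return the request path, percent-decoded repeatedly to expose %2e and %252e."""
    path = urlsplit(target).path  # drops the query string
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def is_suspicious(target):
    """True when a watched prefix is followed by a '..' segment (also '..;param')."""
    path = decode_path(target)
    if not path.startswith(WATCHED_PREFIXES):
        return False
    return any(seg.split(";", 1)[0] == ".." for seg in path.split("/"))

def hunt(lines):
    """Return (line_no, source_ip, status, decoded_path) for each suspicious request."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        m = LINE_RE.match(line)
        if m and is_suspicious(m.group(3)):
            findings.append((line_no, m.group(1), int(m.group(4)), decode_path(m.group(3))))
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG.splitlines()):
        print(finding)
```

Hits that returned a 2xx status on a server older than 2023.11.4 are the ones to review first, alongside any unexpected change to the server's HTTPS port or certificate.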
As of April 20, 2026, Tenable has released the following plugin for Tenable Vulnerability Management:
Plugin: 191749 <https://www.tenable.com/plugins/nessus/191749>
Title: JetBrains TeamCity Path Traversal (CVE-2024-27199)
Severity: High
Platform: Nessus
Recommended Actions:
Date Added: 2026-04-20
Due Date: 2026-05-04
* Verify host has not been compromised before applying patches.
* Apply appropriate updates provided by vendor to vulnerable systems immediately after appropriate testing.
* Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
EIS Security Operations Center
Enterprise Information Services
Cyber Security Services | CSS
SOC Hotline: (503) 378-5930
SOC at EIS.OREGON.GOV