A relative path traversal flaw in JetBrains TeamCity before 2023.11.4 allows unauthenticated attackers to perform a limited set of administrative actions over the network, and CISA has confirmed active exploitation including use in ransomware campaigns.
What Is It
CVE-2024-27199 is a relative path traversal vulnerability (CWE-23; NVD classifies it as CWE-22) in JetBrains TeamCity, the on-premises CI/CD server. The flaw allows an attacker to reach authenticated endpoints via crafted paths and perform a limited subset of administrative actions without valid credentials.
The CVSS v3.1 base score is 7.3 (HIGH) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L: network-reachable, low attack complexity, no privileges required, no user interaction, and low impact across confidentiality, integrity, and availability.
Why It Matters
CISA added CVE-2024-27199 to the Known Exploited Vulnerabilities catalog on 2026-04-20 and flagged it as having known use in ransomware campaigns. Press coverage cited in NVD references documents mass exploitation of TeamCity instances, with attackers creating rogue administrator accounts on exposed servers.
Because TeamCity is a build and deployment system, a compromised instance is a direct path into source code, build artifacts, signing material, and downstream production environments, making even "limited" admin actions a serious foothold in a software supply chain.
What's Vulnerable
- Product: JetBrains TeamCity (on-premises)
- Affected versions: All versions prior to 2023.11.4
- CPE: cpe:2.3:a:jetbrains:teamcity:*:*:*:*:*:*:*:* (versionEndExcluding 2023.11.4)
Internet-exposed TeamCity servers are the primary risk surface given the network attack vector and lack of authentication requirement.
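To apply the "prior to 2023.11.4" boundary across an inventory, the following added example (not JetBrains or CISA code) sorts hosts into affected, patched, and needs-manual-review. The function names, hostnames, and version strings are constructed for illustration, and it assumes each reported version contains a dotted number such as 2023.11.3.

```python
import re

# First fixed release named in the advisory (CPE versionEndExcluding).
FIXED = (2023, 11, 4)

# First dotted number in the string, e.g. "2023.11.3" in "2023.11.3 (build 12345)".
# Also accepts legacy-style numbering such as "10.0.5".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b")


def parse_version(text):
    """Return (major, minor, patch) or None when no dotted version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    # A missing third component ("2023.11") is treated as patch level 0.
    return (int(major), int(minor), int(patch or 0))


def is_affected(text):
    """True if below the fixed release, False if at or above it, None if unparseable."""
    version = parse_version(text)
    return None if version is None else version < FIXED


def triage(inventory):
    """Split {host: version_string} into sorted affected/patched/unknown host lists."""
    result = {"affected": [], "patched": [], "unknown": []}
    for host, reported in sorted(inventory.items()):
        status = is_affected(reported)
        key = "unknown" if status is None else ("affected" if status else "patched")
        result[key].append(host)
    return result


# Constructed inventory: hostnames, versions and build numbers are made up.
SAMPLE = {
    "build-a.example.internal": "2023.11.3 (build 12345)",
    "build-b.example.internal": "2023.11.4",
    "build-c.example.internal": "TeamCity 2023.05.6",
    "build-d.example.internal": "2024.03.1",
    "build-e.example.internal": "10.0.5",
    "build-f.example.internal": "not reported",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts that land in the unknown bucket should be checked by hand rather than assumed patched.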
Patch Status
JetBrains fixed the issue in TeamCity 2023.11.4. CISA's required action, with a due date of 2026-05-04, is to apply mitigations per vendor instructions, follow BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.