CVE-2024-27199

HIGH KEV RANSOMWARE NUCLEI

TeamCity < 2023.11.4 - Authentication Bypass

Title source: nuclei

Exploitation Summary

CVE-2024-27199 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 20, 2026, with confirmed use in ransomware campaigns. EIP tracks 2 public exploits from researchers including Stuub. A Nuclei detection template is also available.

Description

In JetBrains TeamCity before 2023.11.4, a path traversal allowing limited admin actions to be performed was possible.

Exploits (2)

github WORKING POC 34 stars
by Stuub · python · remote
https://github.com/Stuub/RCity-CVE-2024-27198

This repository contains a functional exploit for CVE-2024-27198, targeting JetBrains TeamCity. The exploit creates an admin user and achieves RCE by leveraging an authentication bypass vulnerability in the REST API endpoint.

Classification
Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: JetBrains TeamCity
No auth needed
Prerequisites: Network access to the TeamCity server · TeamCity server with vulnerable REST API endpoint
devstral-2 · analyzed Feb 19, 2026

vulncheck_xdb WORKING POC
remote
https://github.com/W01fh4cker/CVE-2024-27198-RCE

This repository contains a functional exploit for CVE-2024-27198, targeting TeamCity's plugin upload mechanism to achieve remote code execution (RCE). The exploit automates the process of uploading a malicious plugin, leveraging authentication tokens and CSRF protection bypasses.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: JetBrains TeamCity (version not explicitly specified in code)
Auth required
Prerequisites: Valid authentication token · Access to TeamCity admin interface
devstral-2 · analyzed Feb 25, 2026

Nuclei Templates (1)

TeamCity < 2023.11.4 - Authentication Bypass
HIGH · VERIFIED · by DhiyaneshDk
Shodan: http.component:"TeamCity"

Scores

CVSS v3 7.3
EPSS 0.9093
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact partial

Details

CISA KEV 2026-04-20
VulnCheck KEV 2024-03-05
InTheWild.io 2024-03-04
ENISA EUVD EUVD-2024-24438
Ransomware Use Confirmed
CWE CWE-22, CWE-23
Status published
Products (2)
jetbrains/teamcity < 2023.11.4
JetBrains/TeamCity < 2023.11.4
Published Mar 04, 2024
KEV Added Apr 20, 2026
Tracked Since Feb 18, 2026