Many TeamCity instances remain unpatched, allowing hackers to generate rogue admin accounts at a massive scale.

The TeamCity on-premises bugs that received patches on Monday have already been used by hackers to generate unauthorized admin accounts at a massive scale, according to the threat search engine LeakIX. The bugs, tracked as CVE-2024-27198 and CVE-2024-27199, remain unpatched on a large number of instances, opening them up to critical software supply chain attacks.

“We are seeing massive exploitation of #TeamCity CVE-2024-27198,” LeakIX said in a social media post. “Hundreds of users are created for later use across the Internet. If you were/are still running a vulnerable system, assume compromise.”

The bugs were first discovered by Rapid7 as a pair of authentication bypass vulnerabilities that can lead to remote code execution (RCE) and, through it, to supply chain attacks on the software built by the compromised server.

Generating admin accounts for future attacks

LeakIX said it found 1711 instances online that have not yet been patched against the TeamCity vulnerabilities, on which at least 1442 unauthorized admin accounts have been created since Monday. LeakIX is a search engine for misconfigured and vulnerable devices across the internet that, apart from listing the vulnerable instances, provides additional details such as IPs, networks, and countries.

The US (269), Germany (267), and Russia (191) were the countries with the most compromised instances (instances on which rogue admin accounts had been created) in a list shared by LeakIX. They had 330, 302, and 221 unpatched systems respectively at the last count.

“There are between 3 and 300 users created on compromised instances, usually the pattern is 8 alphanum characters,” LeakIX reportedly said.

The disclosure spat

Rapid7 believed the vulnerabilities were critical and released full technical details shortly after the patches were released, recommending immediate patching.
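The indicators LeakIX describes (tens to hundreds of new accounts per instance, usernames of 8 alphanumeric characters, administrator rights) lend themselves to a quick triage check. The script below is an added example, not code from the article or from LeakIX, Rapid7 or JetBrains: it diffs a TeamCity user listing against a baseline of accounts known to exist before the exposure window and flags any account that matches the reported username pattern or holds a global administrator role without being in the baseline. The JSON layout, the `SYSTEM_ADMIN` role id, the `"g"` (global) scope and the five sample users are constructed assumptions for the example and should be checked against the REST response of a real server.

```python
"""Triage a TeamCity user listing for rogue admin accounts.

Added example; not code from the article or from LeakIX, Rapid7 or JetBrains.
Flags accounts that (a) match the 8-alphanumeric username pattern LeakIX
reported for the rogue accounts, or (b) hold a global administrator role,
and that are absent from a baseline of known accounts.
"""
import json
import re

# Username pattern LeakIX reported for the rogue accounts: 8 alphanumerics.
ROGUE_NAME = re.compile(r"^[A-Za-z0-9]{8}$")

# Role id and scope taken to mean "server-wide administrator".
# Assumption for this example; verify against your server's role list.
ADMIN_ROLE = "SYSTEM_ADMIN"
GLOBAL_SCOPE = "g"

# Constructed sample, shaped loosely like a TeamCity REST user listing with
# roles expanded. The exact field layout is an assumption of this example.
SAMPLE_USERS_JSON = """
{"count": 5, "user": [
  {"id": 1, "username": "admin", "name": "Build Admin",
   "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}},
  {"id": 2, "username": "alice", "name": "Alice",
   "roles": {"role": [{"roleId": "PROJECT_DEVELOPER", "scope": "p:Main"}]}},
  {"id": 3, "username": "k7dQz2Xp", "name": "k7dQz2Xp",
   "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}},
  {"id": 4, "username": "Qm3nRt8v", "name": "Qm3nRt8v",
   "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}},
  {"id": 5, "username": "svc_backup", "name": "Backup Service",
   "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}
]}
"""

# Usernames exported from a backup taken before the exposure window
# (constructed for the example).
BASELINE = {"admin", "alice"}


def is_global_admin(user):
    """True if the user holds the admin role with global scope."""
    roles = user.get("roles", {}).get("role", [])
    return any(r.get("roleId") == ADMIN_ROLE and r.get("scope") == GLOBAL_SCOPE
               for r in roles)


def triage(users_json, baseline):
    """Return findings for every account not in the baseline that looks rogue.

    An account is reported if its username matches the 8-alphanumeric
    pattern or if it is a global admin; both reasons are recorded.
    """
    findings = []
    for user in json.loads(users_json)["user"]:
        name = user["username"]
        if name in baseline:
            continue
        reasons = []
        if ROGUE_NAME.match(name):
            reasons.append("username matches 8-alphanumeric rogue pattern")
        admin = is_global_admin(user)
        if admin:
            reasons.append("global admin not present in baseline")
        if reasons:
            findings.append({"username": name, "admin": admin, "reasons": reasons})
    return findings


def assume_compromise(findings):
    """LeakIX's advice in code: any unexplained global admin means compromise."""
    return any(f["admin"] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_USERS_JSON, BASELINE)
    for f in results:
        print(f"{f['username']:<12} admin={f['admin']}  {'; '.join(f['reasons'])}")
    print("assume compromise:", assume_compromise(results))
```

Feed `triage()` the JSON returned by the server's user listing endpoint (with roles included) and a baseline exported from a pre-incident backup. A clean result is not proof of a clean server: the same bug allows unauthenticated RCE, so an attacker who planted a user can also have changed build steps, agents or artifacts, and a rebuild from known-good state is the safe response to LeakIX's "assume compromise".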
“TeamCity has been a popular target for attackers, including state-sponsored groups, over the past six months or so,” said Caitlin Condon, director of vulnerability intelligence at Rapid7.

“Both vulnerabilities Rapid7 discovered in TeamCity are authentication bypasses; the first (CVE-2024-27198) is critical and allows for unauthenticated remote code execution, which in turn gives potential attackers control over TeamCity builds, agents, artifacts, and so on,” Condon added. “The second vulnerability (CVE-2024-27199) is high-severity instead of critical, and allows for limited information disclosure and/or system modification, including the ability for an unauthenticated attacker to replace the HTTPS certificate in a vulnerable TeamCity server with a certificate of the attacker’s choosing.”

However, in the security release for these vulnerabilities, JetBrains indicated that the company was rushed into disclosing the issues by Rapid7, as the latter chose to strictly abide by its own vulnerability disclosure policy and was about to publish full technical details shortly.

While CSO did not receive any additional comment on the disagreement between the two parties, the Rapid7 blog post containing the full technical details did hint at some friction over disclosure routines.

“On March 4, Rapid7 noted that JetBrains released a fixed version of TeamCity without notifying Rapid7 that fixes had been implemented and were generally available,” Rapid7 said in the post. “When Rapid7 contacted JetBrains about their uncoordinated vulnerability disclosure, JetBrains published an advisory on the vulnerabilities without responding to Rapid7 on the disclosure timeline. JetBrains later responded to indicate that CVEs had been published.”