
Vulnerability in JetBrains TeamCity exploited just weeks after the release of its patch

State-linked threat actors are breaking into CI/CD infrastructure through the flaw, and the vendor warns that backdoors planted on compromised servers may go undetected.

JetBrains TeamCity's significant vulnerability recently exposed, despite a patch being released weeks earlier.


Critical Vulnerability in JetBrains TeamCity Affects On-Premises Servers

A critical vulnerability, CVE-2023-42793, has been discovered in JetBrains TeamCity On-Premises, a widely used continuous integration and continuous delivery (CI/CD) server. The flaw is an authentication bypass: an unauthenticated attacker who can reach the TeamCity web interface over HTTP(S) can gain administrative access and, from there, achieve remote code execution (RCE) on the server. All on-premises releases earlier than 2023.05.4 are affected[1][2][3].

Current Status

JetBrains publicly disclosed the flaw on September 20, 2023, with the fix shipping in TeamCity 2023.05.4. Exploitation in the wild followed within weeks, and on October 4, 2023 the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-42793 to its Known Exploited Vulnerabilities catalog[5]. Organisations are strongly urged to upgrade to 2023.05.4 or a later release; where an immediate upgrade is not possible, JetBrains provides a security patch plugin for older versions[1]. CI/CD servers deserve priority, since they hold source code, credentials and the means to push builds downstream.

Impact on Linux Environments

JetBrains TeamCity runs on various platforms, including Linux servers. Because the bug sits in the TeamCity web application's authentication layer rather than in the operating system, Linux servers are exactly as exposed as any other platform[1][2][3]. An unpatched Linux instance gives an attacker code execution with the privileges of the TeamCity server process (full root if the service was started as root), and through it access to the source code, credentials and build pipelines that the server manages.

Related Threats

Microsoft has reported that two North Korean state-sponsored groups it tracks as Diamond Sleet and Onyx Sleet exploited CVE-2023-42793 to breach TeamCity servers, in some cases deploying backdoors to keep access for follow-on activity[4]. This is the activity behind the vendor's warning that implanted backdoors can go unnoticed: a server that was exposed while unpatched may already have been used, and upgrading it does not remove what was left behind.

Mitigation Measures

Organisations running TeamCity On-Premises, on Linux or any other platform, should verify the server version and upgrade to 2023.05.4 or later at once, or apply JetBrains' security patch plugin where an upgrade cannot be scheduled immediately[1]. Because the flaw was being exploited before many servers were patched, patching alone is not sufficient for an instance that was reachable from the internet: treat it as potentially compromised and review administrative accounts, access tokens, build configurations and server logs for changes nobody on the team made. Keep monitoring vendor advisories for follow-up guidance.
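The first step above, checking which servers in an estate still run a vulnerable release, is easy to get wrong by eye across dozens of hosts. The following script is an added example (not code from the article or from JetBrains) that parses TeamCity version strings of the form "2023.05.3 (build 129390)", compares them against the first fixed release 2023.05.4, and sorts a host inventory into vulnerable, patched and unknown. The inventory and hostnames are constructed for illustration. One caveat is built in: a server protected with JetBrains' security patch plugin keeps its old version string, so a version-only check over-reports and plugin presence must be confirmed separately.

```python
import re

# First TeamCity On-Premises release that fixes CVE-2023-42793.
FIXED_VERSION = (2023, 5, 4)

# TeamCity reports its version as e.g. "2023.05.3 (build 129390)"; we keep the
# dotted year-based part and ignore the build number in parentheses.
_VERSION_RE = re.compile(r"\b(20\d{2}(?:\.\d+){1,2})\b")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2023.05.3 (build 129390)' into (2023, 5, 3).

    A missing patch level ('2023.05') is treated as .0, which is the
    conservative choice: it sorts before 2023.05.4 and is flagged.
    """
    match = _VERSION_RE.search(version)
    if not match:
        raise ValueError(f"unrecognised TeamCity version string: {version!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True if the release is older than 2023.05.4.

    Caveat (assumption stated in the lead-in): servers mitigated with the
    JetBrains security patch plugin still report their old version, so a
    True result means 'upgrade or confirm the plugin', not 'confirmed hole'.
    """
    return parse_version(version) < FIXED_VERSION


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Bucket hosts by patch status; unparsable versions go to 'unknown'
    rather than silently passing as safe."""
    result: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory: hostname -> version string as shown on the
# server's login page. Hostnames are illustrative; 2023.05.3 build 129390 is
# the last vulnerable 2023.05 release.
SAMPLE_INVENTORY = {
    "ci-build01.example.internal": "2023.05.3 (build 129390)",
    "ci-build02.example.internal": "2023.05.4",
    "ci-legacy.example.internal": "2022.10.1",
    "ci-staging.example.internal": "2023.11",
    "ci-unknown.example.internal": "version unavailable",
}


if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for bucket, hosts in report.items():
        print(f"{bucket:>10}: {', '.join(hosts) or '-'}")
```

Feed it the version strings collected from each server's login page footer or from your CMDB; anything in the "vulnerable" or "unknown" buckets needs a human to look at it, and a clean result still says nothing about whether the host was compromised while it was exposed.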

Daniel Gallo, a TeamCity solutions engineer, has said that a small number of TeamCity On-Premises customers have raised concerns about possible compromises stemming from CVE-2023-42793. However, JetBrains has yet to confirm whether any of its customers were compromised in the manner Microsoft described[4].

References:

  1. JetBrains TeamCity Security Advisory: CVE-2023-42793
  2. TeamCity Security Advisory: CVE-2023-42793
  3. JetBrains TeamCity: CVE-2023-42793
  4. Microsoft Research Warns of North Korea State-Linked Threat Actors Abusing JetBrains TeamCity Vulnerability
  5. CISA Adds Authentication Bypass Vulnerability to Its Known Exploited Vulnerabilities Catalog
  • CVE-2023-42793 is an authentication bypass in the TeamCity web application that leads to remote code execution (RCE), an especially serious outcome for CI/CD infrastructure, which holds source code and deployment credentials.
  • Upgrading on-premises TeamCity servers to 2023.05.4 or later closes the hole; an unpatched server can be fully taken over by any attacker with network access to its web interface, and a server that was exposed before patching should be checked for backdoors.
