Shortly after developers released a patch for a critical vulnerability in JetBrains’ TeamCity continuous integration and continuous deployment (CI/CD) server, in-the-wild exploitation of this vulnerability commenced. Tracked as CVE-2023-42793, the flaw affects the on-premises version of TeamCity and allows unauthenticated attackers with server access to achieve remote code execution and gain administrative control.
JetBrains released TeamCity 2023.05.4 on September 21 to address this issue, but the ease of exploitation, coupled with the rapid dissemination of technical details and a proof-of-concept exploit, raised concerns about in-the-wild attacks.
Code security firm Sonar, which initially discovered the vulnerability, cautioned about the likelihood of in-the-wild exploitation due to the vulnerability’s straightforward nature. Threat intelligence firm GreyNoise observed the first exploitation attempts on September 27, with a peak in activity the following day. These attacks originated from 56 unique IP addresses as of October 1.
Another threat intelligence company, Prodaft, reported that “many popular ransomware groups” were actively targeting CVE-2023-42793. This situation underscores the critical importance of promptly applying the patch released by JetBrains to protect TeamCity servers from exploitation and potential compromise.
