What happened

CISA added CVE-2024-27199 (JetBrains TeamCity) to the Known Exploited Vulnerabilities (KEV) catalog, signaling confirmed in-the-wild exploitation CISA KEV. CISA’s entry notes a federal remediation deadline of 2026-05-04 for this issue CISA KEV. The vulnerability is classified as a relative path traversal (CWE-23) that can enable a limited set of administrative actions in TeamCity NVD entry. The CVE record corroborates the vulnerability type and affected product, attributing it to JetBrains TeamCity MITRE CVE.

CISA’s KEV status implies active exploitation pressure, and their listing references mandatory mitigation for federal agencies under BOD 22-01 processes CISA KEV. The vulnerability maps to CWE-23 (Relative Path Traversal), a class where crafted path segments are used to reach unintended resources or actions CWE-23.

Why it matters

Inclusion in KEV means there is evidence of exploitation, not mere theoretical exposure CISA KEV. TeamCity is a centralized automation service; even a “limited set” of administrative actions can materially affect build pipelines or server configuration if abused NVD entry. The associated CWE indicates an input validation/control-of-path weakness, which historically lends itself to simple, automatable probes that scale well for opportunistic attackers CWE-23.

CISA’s remediation clock puts immediate pressure on exposed instances; delaying patch or mitigation invites further exploitation waves as attackers iterate on path traversal payloads CISA KEV. The CVE record confirms JetBrains TeamCity as the impacted product, reinforcing the CI/CD risk surface specifically in on-premises deployments MITRE CVE.

Technical detail

CVE-2024-27199 is a relative path traversal in JetBrains TeamCity that permits a limited set of administrative operations via manipulated paths NVD entry. CWE-23 covers attacks where sequences like “../” or equivalent encodings are used to traverse directories or route requests to unintended handlers/resources CWE-23. The MITRE CVE record lists the vulnerability and affected vendor/product, aligning with the NVD classification MITRE CVE.

In practice, relative path traversal issues often hinge on insufficient normalization of URL path components or file paths within HTTP handlers, allowing attackers to bypass intended access controls CWE-23. For TeamCity, the NVD description makes clear the impact is the ability to perform some administrative actions, which elevates risk beyond simple information disclosure NVD entry. Because KEV confirms exploitation, defenders should assume commodity scanners and automated scripts are already testing exposed TeamCity endpoints for traversal vectors CISA KEV.

Absent version specifics here, the safe operational assumption is that any unpatched TeamCity instance reachable from untrusted networks is a viable target for traversal payloads targeting administrative functionality NVD entry. The CVE’s CWE-23 mapping suggests canonical filtering/normalization failures rather than an esoteric edge case, which keeps exploitation entry cost low CWE-23.

Defense

Immediate action for FCEB and any high-exposure environments: apply vendor mitigations or updates per CISA’s KEV directive and BOD 22-01 guidance, or remove the asset from service if mitigations aren’t available CISA KEV. Prioritize any externally reachable TeamCity servers first, given KEV’s active exploitation signal CISA KEV.

Compensating controls that reduce traversal blast radius should be enacted alongside patching:

• Terminate public exposure: place TeamCity behind VPN or zero-trust brokers; treat it as an internal-only asset given its administrative impact surface NVD entry.
• Enforce strict path canonicalization at upstream reverse proxies/WAFs; block requests containing traversal sequences (e.g., “../”, URL-encoded variants) that reach TeamCity routes CWE-23.
• Log and alert on traversal patterns and anomalous admin operations; correlate request URIs containing traversal indicators with subsequent configuration or privilege changes CWE-23. For this CVE, the impact is “limited admin actions,” so unexpected admin events are a concrete detection opportunity NVD entry.
• If you cannot patch immediately, disable or rate-limit unauthenticated routes where feasible and apply virtual patching at edge devices that normalize/strip suspicious path segments CWE-23.

Finally, validate your exposure: enumerate all TeamCity instances and verify patch levels or mitigations, documenting KEV compliance before the due date to prevent drift CISA KEV.

Lyrie Verdict

Traversal vulnerabilities are attacker-favorable because they’re trivial to automate and test at internet scale CWE-23. Lyrie instruments the build-server edge and control plane to detect traversal payloads and correlated administrative side effects in near real time, then auto-enforces containment at the request and host layers. Specifically, we fingerprint path traversal indicators in HTTP traffic to TeamCity and flag post-request anomalies tied to “limited admin actions” described in the CVE NVD entry. That lets us block and quarantine within seconds of first touch—closing the gap exploited by bot-driven campaigns highlighted by KEV CISA KEV.