Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

[KEV] CVE-2024-27199 -- CVSS 0.0 Vulnerability Briefing

[KEV] CVE-2024-27199 | CVSS 0.0 (Low) | Exploit: Operational

What Is It

CVE-2024-27199 is a relative path traversal vulnerability in JetBrains TeamCity, a widely deployed CI/CD server platform, that allows an attacker to perform limited administrative actions without proper authorization.

Technical Detail

The flaw exists in TeamCity's request handling, where insufficient validation of path components allows an unauthenticated or low-privileged attacker to traverse directory boundaries and reach restricted administrative endpoints. By crafting a malicious HTTP request with a manipulated relative path, an attacker can invoke certain admin-level functions that should otherwise require elevated credentials. While the scope of administrative actions is described as limited, exploitation can facilitate further compromise of the build pipeline, including modification of build configurations, exposure of secrets, or creation of privileged user accounts depending on the specific endpoint reached.

Exploitation Status

The exploit is rated as operationally mature, meaning functional exploit code exists and has been demonstrated in real-world attack scenarios, not merely as a proof of concept. CISA has confirmed active exploitation in the wild, adding this vulnerability to the Known Exploited Vulnerabilities catalog on April 20, 2026. Organizations should treat this as an actively targeted vulnerability requiring immediate remediation.

Who Is Targeting This

No specific threat actor attribution has been confirmed at this time. However, TeamCity vulnerabilities have historically attracted interest from nation-state actors and ransomware operators due to the platform's role in software supply chain infrastructure. Organizations should monitor for anomalous admin account creation, unexpected build configuration changes, and unusual outbound connections from TeamCity servers.

What To Do

Apply the vendor-supplied patch from JetBrains immediately. Per CISA's Known Exploited Vulnerabilities catalog, federal agencies operating under BOD 22-01 are required to remediate this vulnerability by the deadline associated with the April 20, 2026 KEV listing. All organizations, regardless of sector, should treat this as a critical patching priority given confirmed active exploitation. If immediate patching is not possible, restrict network access to the TeamCity server to trusted IP ranges, disable external-facing access where feasible, and audit administrative accounts and recent build configuration changes for signs of unauthorized modification. Review TeamCity server logs for unexpected path traversal patterns in HTTP request logs as a detection signal.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →