Ransomware gangs have been observed targeting a recently patched remote code execution vulnerability in JetBrains' TeamCity software

TeamCity is a build management and continuous integration server that provides out-of-the-box continuous unit testing, code quality analysis, and early reporting on build problems. Many popular games, websites, and banking systems are built with TeamCity.

Tracked as CVE-2023-42793, the bug is an authentication bypass issue that can lead to remote code execution. According to the vendor, the vulnerability impacts all TeamCity versions before the patched release but only On-Premises servers installed on Windows, Linux, and macOS, or that run in Docker.

Researchers at threat intelligence company Prodaft said they saw multiple organizations being targeted by “many popular” ransomware groups using the said bug.

Threat intelligence company GreyNoise has been observing exploitation attempts since September 27, with attacks coming from 74 unique IP addresses.

According to data from the non-profit internet security organization Shadowserver Foundation, currently, there are roughly 1250 unpatched TeamCity servers exposed on the internet.