High | Known exploited (KEV) | Ransomware use | CVE-2024-27199

Relative Path Traversal in JetBrains TeamCity (CVE-2024-27199) — Known Exploited Flaw in a CI/CD Server, With Confirmed Ransomware Use

JetBrains TeamCity | Added to KEV: Apr 20, 2026 | Federal remediation due: 2026-05-04

JetBrains TeamCity, a CI/CD server that automates building and distributing software, contains a relative path traversal flaw that can lead to limited admin actions, and CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog.

Key facts

  • CVE ID: CVE-2024-27199
  • CVSS base score: 7.3 HIGH
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • Affected (vendor / product): JetBrains TeamCity
  • CWE: CWE-23
  • Exploitation: Listed in CISA KEV (exploitation confirmed); also confirmed used in ransomware
  • Remediation due: 2026-05-04 (U.S. federal civilian agencies, BOD 22-01)

Key points

  • Affected product is JetBrains TeamCity, a CI/CD server that automates building and distributing software.
  • The flaw is relative path traversal (reaching paths that were not meant to be accessible) and can lead to limited admin actions.
  • CISA added it to the KEV catalog on 2026-04-20, with a remediation due date of 2026-05-04.
  • It is recorded as known to be used in ransomware campaigns.
  • The official NVD CVSS v3.1 score is 7.3 (HIGH).

TeamCity is a server that handles "CI/CD," the process of automatically assembling (building), testing, and shipping software. Many organizations place it at the center of development, and the artifacts that pass through it become the products and services that reach end users. As a result, infrastructure like TeamCity sits at the heart of the software supply chain — the path along which software is built and delivered. This vulnerability is a "relative path traversal" flaw, a class of weakness in which a crafted path input is used to reach files or functions that were not meant to be accessible.

CISA's Known Exploited Vulnerabilities (KEV) catalog is the official list of flaws confirmed to have been used in real attacks. This issue was added to KEV on 2026-04-20, and it is recorded as known to be used in ransomware campaigns (attacks that encrypt and hold data hostage to demand payment). The severity rating published by NVD (CVSS v3.1) is 7.3, rated HIGH, characterized as reachable over the network without special privileges or user interaction.

Development-automation infrastructure has increasingly become a target, because anything that compromises the artifacts passing through such systems can affect the many users downstream. As remediation, CISA directs organizations to apply mitigations per the vendor's (JetBrains') instructions, to act in accordance with the federal directive BOD 22-01, and to discontinue use of the product if mitigations cannot be applied. The remediation due date is 2026-05-04.

Why it matters

A CI/CD server is core to building and shipping software and sits at the heart of the software supply chain. Because this vulnerability is on the KEV catalog and is recorded as known to be used in ransomware campaigns, TeamCity is a high-priority asset to manage for the organizations that run it. Given how broadly compromised artifacts could affect downstream users, organizations should inventory affected assets and consider planned remediation in line with vendor instructions.

FAQ

What is TeamCity?
It is a CI/CD server that automates building and distributing software. It often sits at the center of development and is a key link in how software is built and delivered.

What kind of flaw is relative path traversal?
It is a class of weakness in which a crafted path input is used to reach files or functions that were not meant to be accessible. In this case it can lead to limited admin actions.

What does CISA direct organizations to do?
Apply mitigations per the vendor's (JetBrains') instructions, act in accordance with directive BOD 22-01, and discontinue use if mitigations cannot be applied. The remediation due date is 2026-05-04.

Sources (primary)

This article is an independent summary based on the U.S. official data below. Always verify the exact, latest details and applicability with the official and vendor sources.
