Critical JetBrains TeamCity On-Premises Flaws Could Lead to Server Takeovers

Two critical authentication-bypass vulnerabilities (CVE-2024-27198 CVSS 9.8 and CVE-2024-27199 CVSS 7.3) have been disclosed in JetBrains TeamCity On-Premises affecting versions through 2023.11.3; they allow unauthenticated attackers to gain administrative control or replace HTTPS certificates/change ports, enabling full server compromise, supply-chain attacks, denial-of-service, or MITM scenarios. Rapid7 discovered the issues and JetBrains released fixes in version 2023.11.4; TeamCity Cloud was already patched. Administrators are urged to update immediately.