CISA KEV Alert 4/21/2026, 12:34:31 AM

CISA Adds Critical JetBrains TeamCity Flaw to KEV Catalogue

CyberSIXT Evidence Panel
Source: marked as original reporting
Primary Source: cisa.gov
CISA KEV: Listed in KEV
Patch: Patch Available

CISA has added CVE-2024-27199 to its Known Exploited Vulnerabilities (KEV) catalogue. The entry concerns JetBrains TeamCity, which contains a relative path traversal vulnerability that could allow limited administrative actions to be performed. The flaw is tracked as the JetBrains TeamCity Relative Path Traversal Vulnerability.

According to the NVD entry, the issue is a relative path traversal that can be exploited via crafted requests to access files outside the intended directory, enabling an attacker with low privileges to carry out limited admin-level operations. The vulnerability carries a CVSS v3.1 score of 7.3, rated HIGH. JetBrains has released a patch; the advisory and fix are available from the vendor’s security bulletin.

The attack vector is network-based, with an attacker sending specially crafted HTTP requests to the TeamCity web interface. Successful exploitation does not require administrative privileges.

CISA’s inclusion in the KEV catalogue confirms that active exploitation of CVE-2024-27199 has been observed in the wild. No public reports link this flaw to ransomware campaigns at present. Federal civilian executive branch (FCEB) agencies must apply the required mitigation by the remediation due date of 4 May 2026.

CISA directs FCEB agencies to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of TeamCity if mitigations cannot be implemented. Organisations should verify that mitigations have been applied and monitor for any Indicators of Compromise related to this issue. While the directive binds only FCEB entities, all organisations should review their exposure to this vulnerability and apply the available patch or equivalent controls.
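As an added illustration of the monitoring recommended above (example code, not from CISA, JetBrains or CyberSIXT), the following Python example flags logged requests whose path contains relative traversal segments, including percent-encoded and double-encoded forms. The log lines, paths and addresses are constructed samples, and the combined access-log layout is an assumption about the web server or reverse proxy in front of TeamCity.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [21/Apr/2026:00:10:01 +0000] "GET /login.html HTTP/1.1" 200 512
198.51.100.7 - - [21/Apr/2026:00:10:02 +0000] "GET /static/../admin/page.html HTTP/1.1" 200 2048
203.0.113.9 - - [21/Apr/2026:00:11:40 +0000] "GET /static/%2e%2e/admin/page.html HTTP/1.1" 200 2048
203.0.113.9 - - [21/Apr/2026:00:11:41 +0000] "POST /static/%252e%252e/admin/page.html?x=1 HTTP/1.1" 403 0
192.0.2.15 - - [21/Apr/2026:00:12:00 +0000] "GET /img/logo..png HTTP/1.1" 200 900
"""

# client address, method, request target and status from one log line
REQUEST = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')


def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded dots (%252e) are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def find_traversal(log_text):
    """Return (client, method, raw_path, resolved_path, status) for each
    request whose decoded path contains a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        raw_path = urlsplit(target).path  # query string is dropped
        decoded = decode_fully(raw_path).replace("\\", "/")
        # Strip ';param' path parameters from every segment before comparing.
        segments = [s.split(";", 1)[0] for s in decoded.split("/")]
        if ".." in segments:
            resolved = posixpath.normpath("/".join(segments))
            hits.append((client, method, raw_path, resolved, int(status)))
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(hit)
```

Comparing the raw path with the resolved path shows which directory the server would actually have served, and the status code shows whether the request was answered or refused.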

For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2024-27199 and the CISA KEV catalogue.


Article by CyberSIXT
