Rapid7 Vulnerability & Exploit Database

JetBrains TeamCity Unauthenticated Remote Code Execution

Back to Search

JetBrains TeamCity Unauthenticated Remote Code Execution



This module exploits an authentication bypass vulnerability in JetBrains TeamCity. An unauthenticated attacker can leverage this to access the REST API and create a new administrator access token. This token can be used to upload a plugin which contains a Metasploit payload, allowing the attacker to achieve unauthenticated RCE on the target TeamCity server. On older versions of TeamCity, access tokens do not exist so the exploit will instead create a new administrator account before uploading a plugin. Older version of TeamCity have a debug endpoint (/app/rest/debug/process) that allows for arbitrary commands to be executed, however recent version of TeamCity no longer ship this endpoint, hence why a plugin is leveraged for code execution instead, as this is supported on all versions tested.


  • sfewer-r7




java, cmd


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/http/jetbrains_teamcity_rce_cve_2024_27198
msf exploit(jetbrains_teamcity_rce_cve_2024_27198) > show targets
msf exploit(jetbrains_teamcity_rce_cve_2024_27198) > set TARGET < target-id >
msf exploit(jetbrains_teamcity_rce_cve_2024_27198) > show options
    ...show and set options...
msf exploit(jetbrains_teamcity_rce_cve_2024_27198) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security