The SolarWinds crew spent late 2023 breaking into build servers. That's not a coincidence.
CVE-2023-42793 is an unauthenticated RCE on JetBrains TeamCity. APT29, the Russian service behind SolarWinds, exploited it at scale, and so did North Korean groups. They weren't after one network. A build server is the supply chain.
When you see which groups exploited CVE-2023-42793, the target selection tells you more than the bug does. The headline name is APT29, the Russian Foreign Intelligence Service actor also tracked as Cozy Bear, the Dukes, and Midnight Blizzard, and the same operation behind the SolarWinds supply-chain attack. North Korea’s Lazarus and Andariel groups joined in. These are not opportunistic ransomware affiliates spraying the internet. They are nation-state services, and in late 2023 they went hunting specifically for JetBrains TeamCity servers. The reason is the whole point of this post: a build server isn’t just another box to own. It’s the supply chain.
What the bug is
CVE-2023-42793 is an authentication bypass (CWE-288) in on-premise JetBrains TeamCity that leads to unauthenticated remote code execution on the server, CVSS 9.8. Discovered by Sonar and fixed by JetBrains in TeamCity 2023.05.4 on September 18, 2023, it lets an unauthenticated attacker reach a privileged endpoint and execute code, no credentials required. CISA added it to the Known Exploited Vulnerabilities catalog on October 4, 2023, with an October 25 deadline and the ransomware flag. A public exploit appeared within days of disclosure, which is what opened the door from “researchers know” to “everyone exploits.”
Why the attackers were who they were
TeamCity is a CI/CD server: it builds, tests, and often signs and deploys software. Compromising one gives an attacker, per the joint advisory CISA and partners published in December 2023, access to the developer’s source code, signing certificates, and the build-and-deploy pipeline itself. That last item is the prize for a supply-chain actor. If you can subvert how software is compiled and shipped, you don’t compromise one victim; you compromise everyone downstream who installs the resulting build, trusting a signature that’s now yours to forge.
That’s the SolarWinds playbook, and APT29 running it against TeamCity is the same intent applied to a new entry point. The advisory documented over 100 compromised TeamCity servers across the US, Europe, Asia, and Australia, with post-exploitation including privilege escalation, lateral movement, and backdoors for persistent access. Microsoft separately attributed exploitation to North Korean groups using the access for long-term footholds. Two different nation-state programs, same instinct: own the build server, and you own everything it builds.
The reframe defenders keep missing
Most organizations classify their CI/CD servers as internal developer infrastructure. Important, sure, but tooling, the same bucket as the wiki and the ticketing system. The threat actors classify them differently. To APT29, your TeamCity instance is a potential path into your customers, and that reclassification should be yours too.
The practical consequence is that a build-server compromise has a blast radius that doesn’t stop at your network boundary. If an attacker held your TeamCity server, the incident isn’t just “we got popped and we’re cleaning up.” It’s “did anything we built and shipped during the compromise window get tampered with, and do we need to tell the people who installed it.” That question, the one SolarWinds made famous, is the one a CI/CD compromise forces, and it’s a question with legal, contractual, and reputational weight far beyond a routine intrusion.
What to do
- Patch TeamCity to 2023.05.4 or later. If you somehow still run an unpatched on-premise instance, it is a publicly exploited, nation-state-targeted unauthenticated RCE. This is as urgent as urgent gets.
- Take the build server off the internet. A CI/CD server should be reachable by your developers and build agents, not the world. The mass exploitation hit internet-exposed instances; restricting access defuses the commodity-scanning threat entirely.
- If you ran an exposed, unpatched instance, scope a supply-chain incident, not just a host cleanup. Assume source code, secrets, and signing material were accessible. Rotate signing certificates and credentials, audit build configurations and pipeline definitions for tampering, and review what was built and shipped during the exposure window. Determine whether you have a customer-notification obligation.
- Treat CI/CD as crown-jewel infrastructure going forward. Segment it, monitor it, store its secrets in a vault with short-lived credentials rather than static keys, and protect signing operations so that owning the build server doesn’t automatically mean owning your signature.
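A small triage helper for the first and third steps above, added here as an example and not code from the post or from JetBrains. It compares TeamCity On-Premises version strings numerically against the 2023.05.4 fix (a plain string comparison gets "2023.05.10" wrong), ranks an inventory so exposed unpatched hosts surface first, and selects builds that finished inside an assumed exposure window for integrity review; the inventory, hostnames, builds and window are all constructed sample data.

```python
from datetime import datetime

# JetBrains shipped the fix in TeamCity 2023.05.4; anything below it is unpatched.
FIXED_VERSION = (2023, 5, 4)


def parse_version(text):
    """Turn '2023.05.4 (build 129390)' into (2023, 5, 4).
    Assumes the year.minor.patch layout; a missing patch field counts as 0."""
    fields = text.split()[0].split(".")
    parts = [int(f) for f in fields[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version):
    """True for an on-premise instance below the fixed release.
    Numeric comparison matters: as strings, '2023.05.10' < '2023.05.4'."""
    return parse_version(version) < FIXED_VERSION


def triage(inventory):
    """Order hosts: exposed and unpatched first, other unpatched next, patched last."""
    def key(item):
        vuln = is_vulnerable(item["version"])
        return (not (vuln and item["internet_exposed"]), not vuln, item["host"])
    return [dict(item, vulnerable=is_vulnerable(item["version"]))
            for item in sorted(inventory, key=key)]


def builds_to_review(builds, window_start, window_end):
    """Builds that finished inside the exposure window need tamper review."""
    return [b["id"] for b in builds if window_start <= b["finished"] <= window_end]


# Constructed sample data: hostnames, versions and build records are made up.
INVENTORY = [
    {"host": "ci-eu.example", "version": "2023.05.3 (build 129390)", "internet_exposed": True},
    {"host": "ci-us.example", "version": "2023.05.10", "internet_exposed": True},
    {"host": "ci-lab.example", "version": "2022.10", "internet_exposed": False},
]
WINDOW_START = datetime.fromisoformat("2023-09-20T00:00:00+00:00")
WINDOW_END = datetime.fromisoformat("2023-10-10T00:00:00+00:00")
BUILDS = [
    {"id": 101, "finished": datetime.fromisoformat("2023-09-25T08:00:00+00:00")},
    {"id": 102, "finished": datetime.fromisoformat("2023-10-03T17:30:00+00:00")},
    {"id": 103, "finished": datetime.fromisoformat("2023-10-20T09:15:00+00:00")},
]

if __name__ == "__main__":
    for item in triage(INVENTORY):
        print(item["host"], item["version"], "VULNERABLE" if item["vulnerable"] else "patched")
    print("builds to review:", builds_to_review(BUILDS, WINDOW_START, WINDOW_END))
```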
The reframe is the part to carry into your risk register. The attackers have already decided what your build server is worth, and they’ve told you by who showed up to exploit it: the service that ran SolarWinds, and a North Korean program that specializes in long-term access. They came for TeamCity because the build pipeline is the highest-leverage position in modern software, a place from which one compromise can become thousands. Classify your CI/CD systems the way the people attacking them do, and defend them accordingly, because the gap between “developer tooling” and “the supply chain” is exactly the gap APT29 is counting on you not to close. We flag the bugs that hit build and deploy infrastructure with extra weight, because those are the ones where your incident can become your customers’ incident.
Sources
- CISA Known Exploited Vulnerabilities Catalog
- NVD CVE-2023-42793 — 2023-09-19
- JetBrains: Critical security issue affecting TeamCity On-Premises — 2023-09-18
- CISA: Russian SVR-affiliated actors exploiting CVE-2023-42793 — 2023-12-13
- The Hacker News: Russian SVR-linked APT29 targets JetBrains TeamCity servers — 2023-12
- FortiGuard Labs: TeamCity intrusion saga, APT29 suspected exploiting CVE-2023-42793 — 2023-10