BleepingComputer reports that more than 1,440 on-premises instances of the JetBrains TeamCity software development platform manager affected by the recently patched critical authentication bypass flaw, tracked as CVE-2024-27198, have already been compromised in a massive exploitation campaign that sought to create admin accounts.
Most of the hacked TeamCity installations were discovered in the U.S., even though the country had the second-highest number of vulnerable instances, according to red-team search engine LeakIX. GreyNoise has also observed a significant increase in CVE-2024-27198 exploitation attempts, mostly originating from U.S. machines hosted by DigitalOcean. LeakIX's Gregory Boddin noted that such abuse of the vulnerability could potentially result in supply chain attacks, echoing concerns previously raised by Rapid7. "Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents, and artifacts, and as such is a suitable vector to position an attacker to perform a supply chain attack," Rapid7 said.