⛓ Supply Chain
JetBrains TeamCity CVE-2024-27198 Authentication Bypass — Mass Exploitation
Incident Details
On 4 March 2024, JetBrains and Rapid7 (the discoverer) simultaneously disclosed two authentication bypass vulnerabilities in JetBrains TeamCity — a popular CI/CD build server used by over 30,000 organisations including many large enterprises. CVE-2024-27198 (CVSS 9.8) allowed unauthenticated attackers to access the TeamCity REST API and gain full administrative control without valid credentials. CVE-2024-27199 (CVSS 7.3) allowed path traversal for limited server configuration exposure. JetBrains released patches (2023.11.4) and a standalone security patch plugin on 4 March.

Mass exploitation began within hours of disclosure. CISA published an advisory. The Russian SVR-linked group Midnight Blizzard (APT29/Cozy Bear) was identified as exploiting CVE-2024-27198 to compromise TeamCity servers, mirroring their earlier 2023 TeamCity exploitation (CVE-2023-42793). BleepingComputer documented multiple ransomware actors also exploiting the vulnerability. Shodan identified approximately 1,700 internet-exposed TeamCity instances at the time of disclosure.

Compromising a TeamCity server is particularly valuable to attackers because: (1) it contains source code repositories and build artifacts; (2) it stores credentials and API tokens for deployment pipelines; (3) it can be used to inject malicious code into software builds, enabling downstream software supply chain attacks. CISA noted that SVR actors had previously used TeamCity vulnerabilities (2023) to gain initial access leading to downstream customer compromise.

JetBrains was criticised for attempting a coordinated disclosure timeline that Rapid7 did not agree to, leading to the simultaneous disclosure before many users could patch.
Technical Details
- Initial Attack Vector
- Authentication bypass vulnerability (CVE-2024-27198, CVSS 9.8) in JetBrains TeamCity CI/CD server allowed unauthenticated remote attackers to gain administrative access to TeamCity build servers; a second vulnerability (CVE-2024-27199, CVSS 7.3) allowed path traversal; multiple threat actors exploited these within hours of Rapid7's public disclosure, abusing admin access to plant backdoors in CI/CD pipelines and steal source code, credentials, and build artifacts
- Vendor / Product
- JetBrains TeamCity (CI/CD server and build management platform)
- Software Package
- TeamCity
- Malware Family
- Various backdoors and remote access tools deployed by exploiting actors
- CVE / GHSA References
- CVE-2024-27198, CVE-2024-27199
- Supply Chain Attack
- ✅ Confirmed third-party / vendor compromise
Timeline
- 2024-03-04 Breach occurred
- 2024-03-04 Publicly disclosed
- 2024-03-04 Customers notified