22 minutes from PoC exploit to attacks—would you have patched in time?
The speed at which you need to apply patches is increasing. Are you prepared?
Sometimes 22 minutes can feel like an hour, but when you see a proof of concept (PoC) exploit turned into live attacks 22 minutes after it was published, it feels like the blink of an eye.
That’s what happened to CVE-2024-27198, an authentication bypass vulnerability in JetBrains TeamCity, according to Cloudflare’s Application Security Report: 2024 update. JetBrains issued a warning about two serious vulnerabilities on March 4, 2024. The flaws could be used by a remote, unauthenticated attacker to bypass authentication checks and gain administrative control of a TeamCity on-premises server.
Only two days later, Bleeping Computer reported that attackers had already compromised over 1,440 instances, a shocking number that undoubtedly grew so quickly because cybercriminals adapted the PoC code so rapidly.
The background to this is that as the number of zero-day vulnerabilities is increasing, so is the speed with which known vulnerabilities are exploited. As a network defender, combating zero-days means keeping servers and services that don’t need to be exposed to the Internet safely away from it, using tools like EDR to detect suspicious behavior (or having someone do it for you), and using network segmentation to detect suspicious activity and limit its scope.
Once mitigation in the form of a software patch is available, life becomes easier in theory—just apply the patch. In reality, we realize that sometimes it’s not easy to prioritize patching and there is always the risk of unforeseen negative effects which would cause you to reverse the patch.
But to be honest, when the criminals need only 22 minutes to start their attacks, there is hardly any difference between that and a zero-day. The vulnerability’s status may have changed because of the way we define a zero-day, but that has no effect on the outcome: any exposed system will be compromised, since there has been no real chance to patch.
On the other side of the spectrum, researchers recently pointed out that a vulnerability which was patched in March 2023, CVE-2023-27532, is still being used by ransomware groups to attack organizations. You may not be able to react to a patch within 22 minutes, but 72 weeks ought to be in scope. Use a vulnerability and patch management solution to make you aware of the vulnerabilities you may have missed and automate their deployment.
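The two ends of the spectrum described above (a PoC weaponized within 22 minutes, and a patch still missing after 72 weeks) are exactly what a patch management process has to surface. The following is an added example, not code from the original article or from any ThreatDown product: it runs a simple patch-lag triage over a constructed inventory, flagging every asset still below an advisory's fixed version, measuring how many weeks the fix has been available, and ranking findings by known in-the-wild exploitation and Internet exposure (the exposure criterion from the zero-day advice earlier on the page). All product names, CVE identifiers, versions, hosts and dates are hypothetical placeholders.

```python
"""Patch-lag triage over a constructed software inventory (added example).

Hypothetical data only: product names, CVE ids, versions and hosts are
placeholders and do not describe any real advisory.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    fixed_version: str       # first version that contains the fix
    patch_date: date         # day the vendor shipped the fix
    exploited_in_wild: bool  # known active exploitation (e.g. PoC weaponized)


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_exposed: bool   # reachable from the Internet


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple of ints."""
    return tuple(int(part) for part in text.split("."))


def is_older(installed: str, fixed: str) -> bool:
    """True when the installed version predates the fixed version.

    Both tuples are zero-padded to the same length so that '12.1' and
    '12.1.0' compare as equal rather than as older.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def weeks_unpatched(advisory: Advisory, today: date) -> int:
    """Whole weeks the fix has been available but not applied."""
    return (today - advisory.patch_date).days // 7


def triage(assets: list[Asset], advisories: list[Advisory], today: date) -> list[dict]:
    """Match assets against advisories and rank the unpatched findings.

    Score = weeks of patch lag, plus large bonuses for known exploitation
    and for Internet exposure, so the systems most likely to be hit by a
    rapidly weaponized PoC or by a long-known flaw float to the top.
    """
    findings = []
    for asset in assets:
        for adv in advisories:
            if adv.product != asset.product or not is_older(asset.version, adv.fixed_version):
                continue
            lag = weeks_unpatched(adv, today)
            score = lag + (100 if adv.exploited_in_wild else 0) + (50 if asset.internet_exposed else 0)
            findings.append({
                "host": asset.host,
                "cve": adv.cve,
                "installed": asset.version,
                "fixed": adv.fixed_version,
                "weeks_unpatched": lag,
                "exploited_in_wild": adv.exploited_in_wild,
                "internet_exposed": asset.internet_exposed,
                "score": score,
            })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed sample data (hypothetical; not real advisories or hosts).
TODAY = date(2024, 7, 23)
ADVISORIES = [
    Advisory("CVE-EXAMPLE-0001", "ExampleCI", "2024.3.1", date(2024, 3, 4), exploited_in_wild=True),
    Advisory("CVE-EXAMPLE-0002", "ExampleBackup", "12.1.0", date(2023, 3, 7), exploited_in_wild=True),
    Advisory("CVE-EXAMPLE-0003", "ExampleWiki", "8.0.2", date(2024, 5, 1), exploited_in_wild=False),
]
ASSETS = [
    Asset("build-01", "ExampleCI", "2024.3.0", internet_exposed=True),
    Asset("backup-01", "ExampleBackup", "12.0.0", internet_exposed=False),
    Asset("wiki-01", "ExampleWiki", "8.0.2", internet_exposed=True),   # already patched
    Asset("wiki-02", "ExampleWiki", "8.0.1", internet_exposed=False),
]

if __name__ == "__main__":
    for f in triage(ASSETS, ADVISORIES, TODAY):
        flags = ("exploited " if f["exploited_in_wild"] else "") + ("exposed" if f["internet_exposed"] else "")
        print(f'{f["host"]:10} {f["cve"]:18} {f["installed"]} -> {f["fixed"]} '
              f'{f["weeks_unpatched"]:3d} weeks unpatched  score={f["score"]} {flags}')
```

On the constructed data the backup server ranks first: its fix has been available for 72 weeks and the flaw is known to be exploited, which is the CVE-2023-27532-style case the article describes, even though the host is not Internet-facing. The exposed build server with a freshly weaponized flaw follows immediately behind. A real deployment would feed the inventory from an agent or scanner and the advisory list from a vendor or vulnerability feed; the ranking logic is the part worth keeping.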
For security researchers—I know it’s tempting to post your PoCs as soon as you can, but please consider that you are helping cybercriminals even if you follow the rules of responsible disclosure. Show off your competence without helping them copy your work.