CVE-2025-57734
📋 TL;DR
This vulnerability exposes AWS credentials in Docker script files within JetBrains TeamCity CI/CD servers. Attackers who gain access to these files could potentially use the credentials to access AWS resources. Organizations running vulnerable TeamCity instances are affected.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
TeamCity, the CI/CD server developed by JetBrains
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain AWS credentials and gain full access to AWS resources, potentially leading to data exfiltration, resource hijacking, or lateral movement within cloud infrastructure.
Likely Case
Internal attackers or compromised accounts discover exposed credentials and use them for unauthorized AWS API calls, potentially incurring costs or accessing sensitive data.
If Mitigated
With proper IAM role restrictions and credential rotation, impact is limited to temporary credential exposure with minimal permissions.
🎯 Exploit Status
Requires access to TeamCity server filesystem or ability to read Docker script files through other means.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.07.1 or later
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: No
Instructions:
1. Back up TeamCity configuration and data.
2. Download TeamCity 2025.07.1 or later from the JetBrains website.
3. Follow the JetBrains upgrade documentation for your deployment method.
4. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Manual credential cleanup
Manually inspect and remove AWS credentials from Docker script files:
grep -r 'AWS_' /path/to/teamcity/docker/scripts/
Review and sanitize any files containing credentials.
🧯 If You Can't Patch
- Rotate all AWS credentials used by TeamCity immediately
- Restrict TeamCity server file access permissions to prevent unauthorized reading of script files
🔍 How to Verify
Check if Vulnerable:
Check TeamCity version in Administration → Server Administration → Server Health → Version
Check Version:
Check TeamCity web interface or server logs for version information
Verify Fix Applied:
Verify version is 2025.07.1 or later and search Docker script directories for AWS credential patterns
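As an added example that is not part of this advisory or of JetBrains' own tooling, the following Python script implements both checks described under "Temporary Workarounds" and "How to Verify": it compares a TeamCity version string against the patched release 2025.07.1, and it walks a directory of Docker script files looking for AWS credential patterns (an `AWS_` variable assignment like the grep above, plus the well-known AKIA/ASIA access key ID prefixes and a 40-character secret key assignment), reporting file and line with the matched value redacted so the scan output itself does not leak the secret. The directory layout, file names and file contents in `run_demo()` are constructed for the demo using the placeholder keys from the AWS documentation; the root path is the only input to adapt.

```python
"""Added example (not from the advisory): version check and credential scan
for the TeamCity Docker-script exposure described above."""
import os
import re
import tempfile

# Patched release named in the advisory.
PATCHED_VERSION = (2025, 7, 1)

# AWS access key IDs are 20 chars starting AKIA (long-term) or ASIA (STS);
# secret access keys are 40 characters from the base64 alphabet.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_ASSIGN_RE = re.compile(
    r"(?i)(aws_secret_access_key|aws_secret_key)\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
)
ENV_VAR_RE = re.compile(r"\bAWS_[A-Z_]+\s*=")


def parse_version(text: str) -> tuple:
    """Turn '2025.07.1' or '2025.03.2 (build 176533)' into a comparable tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised TeamCity version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_fixed_version(text: str) -> bool:
    """True if the version is 2025.07.1 or later."""
    return parse_version(text) >= PATCHED_VERSION


def redact(value: str) -> str:
    """Keep a 4-char prefix so a finding can be matched to a key without leaking it."""
    return value[:4] + "*" * (len(value) - 4)


def scan_for_aws_credentials(root: str) -> list:
    """Return (relative_path, line_no, kind, redacted_hint) for each hit under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    lines = fh.readlines()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            rel = os.path.relpath(path, root)
            for no, line in enumerate(lines, 1):
                hit = False
                for m in ACCESS_KEY_RE.finditer(line):
                    findings.append((rel, no, "access_key_id", redact(m.group(0))))
                    hit = True
                for m in SECRET_ASSIGN_RE.finditer(line):
                    findings.append((rel, no, "secret_access_key", redact(m.group(2))))
                    hit = True
                env = ENV_VAR_RE.search(line)
                if env and not hit:
                    # Plain AWS_* assignment (region, profile, ...): worth a look, lower severity.
                    findings.append((rel, no, "aws_env_var", env.group(0).rstrip("= ")))
    return findings


# Constructed sample Docker script files (placeholder keys from the AWS docs).
SAMPLE_FILES = {
    os.path.join("build", "docker-push.sh"): (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "export AWS_SECRET_ACCESS_KEY='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "docker push registry.example.invalid/app:latest\n"
    ),
    os.path.join("build", "clean.sh"): "#!/bin/sh\nexport AWS_REGION=us-east-1\necho clean\n",
    os.path.join("build", "README.txt"): "Nothing sensitive here.\n",
}


def run_demo() -> list:
    """Write the constructed files to a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_for_aws_credentials(root)


if __name__ == "__main__":
    for v in ("2025.03.3", "2025.07.1"):
        print(v, "fixed" if is_fixed_version(v) else "VULNERABLE")
    for rel, no, kind, hint in run_demo():
        print(f"{rel}:{no}: {kind} {hint}")
```

Point `scan_for_aws_credentials()` at the real script directory in place of the temp dir; any `access_key_id` or `secret_access_key` finding means the key should be rotated as well as removed, since it must be assumed to have been readable.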
📡 Detection & Monitoring
Log Indicators:
- Unusual AWS API calls from TeamCity server IP
- Failed attempts to access Docker script files
Network Indicators:
- AWS API calls from unexpected locations or with unusual patterns
SIEM Query:
source="teamcity" AND ("AWS_" OR "aws_access_key" OR "aws_secret_key")