CVE-2025-68162

2.7 LOW

📋 TL;DR

This vulnerability in JetBrains TeamCity allows attackers to load malicious extensions via Maven embedder through project configuration. It affects TeamCity instances with Maven build configurations. The impact is limited to users who can modify project configurations.

💻 Affected Systems

Products:
  • JetBrains TeamCity
Versions: All versions before 2025.11
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Maven build configurations and user access to modify project settings.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated attacker could load malicious extensions leading to arbitrary code execution within the TeamCity server context.

🟠 Likely Case

Limited privilege escalation within TeamCity environment, potentially allowing unauthorized build modifications or data access.

🟢 If Mitigated

Minimal impact with proper access controls and project configuration restrictions in place.

🌐 Internet-Facing: MEDIUM - Requires authentication but could be exploited if credentials are compromised.
🏢 Internal Only: MEDIUM - Internal users with project configuration access could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access to TeamCity and knowledge of Maven configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.11 or later

Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/

Restart Required: Yes

Instructions:

1. Download TeamCity 2025.11 or later from the JetBrains website.
2. Back up the current installation.
3. Stop the TeamCity service.
4. Install the new version.
5. Restart the TeamCity service.
6. Verify that the upgrade completed successfully.

🔧 Temporary Workarounds

Restrict project configuration access

Platforms: all

Limit which users can modify Maven project configurations to trusted administrators only.

Disable Maven embedder if unused

Platforms: all

Remove or disable Maven build configurations if not required for your workflow.

🧯 If You Can't Patch

  • Implement strict access controls on project configuration permissions
  • Monitor for unusual Maven extension loading or configuration changes

🔍 How to Verify

Check if Vulnerable:

Check the TeamCity version in Administration → Server Administration → Global Settings. If the version is earlier than 2025.11, the system is vulnerable.

Check Version:

Check TeamCity web interface at Administration → Server Administration → Global Settings

Verify Fix Applied:

After upgrade, verify version shows 2025.11 or later in Administration → Server Administration → Global Settings.
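The same version check applied across several servers, as an added example that is not part of the original advisory or of JetBrains tooling. It compares version strings numerically against 2025.11, so old-style releases such as 9.1.7 are not misread as newer, and reports unreadable versions as UNKNOWN instead of treating them as safe. The host names, build numbers and the tab-separated inventory format are constructed for illustration.

```python
import re

FIXED = (2025, 11)  # first fixed release, per this advisory

# Leading dotted-numeric part of a version string, e.g. "2025.07.3 (build 1)".
_VERSION = re.compile(r"\s*(\d+(?:\.\d+)*)")

# Constructed inventory (hypothetical hosts and build numbers): "host<TAB>version".
SAMPLE_INVENTORY = """\
tc-prod-01\t2025.07.3 (build 100001)
tc-stage-01\t2025.11 (build 100002)
tc-dev-01\t2025.11.1 (build 100003)
tc-legacy-01\t9.1.7 (build 100004)
tc-lab-01\tunknown
"""

def parse_version(text):
    """Return the version as a tuple of ints, or None if it cannot be read."""
    m = _VERSION.match(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_vulnerable(text):
    """True if older than FIXED, False if not, None if the version is unknown."""
    version = parse_version(text)
    if version is None:
        return None
    # Pad with zeros so (2025, 11) and (2025, 11, 0) compare as equal.
    width = max(len(version), len(FIXED))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(version) < pad(FIXED)

def audit(inventory):
    """Map each host to 'VULNERABLE', 'ok' or 'UNKNOWN'."""
    verdicts = {True: "VULNERABLE", False: "ok", None: "UNKNOWN"}
    report = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition("\t")
        report[host.strip()] = verdicts[is_vulnerable(version)]
    return report

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_INVENTORY).items():
        print(f"{host:14} {verdict}")
```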

📡 Detection & Monitoring

Log Indicators:

  • Unusual Maven extension loading
  • Unexpected project configuration changes
  • Authentication logs showing unauthorized configuration access attempts

Network Indicators:

  • Unusual outbound connections from TeamCity server during builds
  • Unexpected Maven repository connections

SIEM Query:

source="teamcity" AND ("extension load" OR "maven embedder" OR "project configuration modified")
