JetBrains said its customers are reporting a range of exploitation activity linked to critical vulnerabilities in the on-premises version of TeamCity, even as it defended its disclosure practices in a blog post published Monday.
JetBrains earlier this month notified customers about the two authentication bypass vulnerabilities, listed as CVE-2024-27198 and CVE-2024-27199, which threat actors are exploiting. As JetBrains disclosed the vulnerabilities, a public dispute broke out between the company and security researchers at Rapid7, which originally reported the flaws to JetBrains on Feb. 20.
JetBrains released an updated version of TeamCity on March 4, along with a security patch for customers that could not upgrade to the latest build. Rapid7 published its own report on the flaws just hours after the JetBrains patch went out.
“We have received multiple reports from customers whose servers were compromised, as they weren’t able to patch or update in time,” a spokesperson for JetBrains said via email.
Rapid7 criticized JetBrains for releasing the patch without properly coordinating with the security firm. On Monday, Rapid7 said via email that it stands by its disclosure policies.
Multiple industry observers agree that exploitation activity is ongoing, although the pace has begun to slow in recent days.
Shadowserver previously reported exploitation activity against CVE-2024-27198 starting on March 4. Shadowserver officials reported 1,182 possibly vulnerable instances as of March 6 and about 700 as of Sunday.
The Cybersecurity and Infrastructure Security Agency on Thursday added CVE-2024-27198 to its Known Exploited Vulnerabilities catalog, a listing that obligates federal civilian agencies to remediate the flaw by a set deadline under Binding Operational Directive 22-01. CISA urged all organizations to review the JetBrains mitigation guidance and apply the security upgrades.
Researchers at GuidePoint said the threat group BianLian exploited CVE-2024-27198 and CVE-2023-42793, a separate TeamCity authentication bypass disclosed in 2023, for initial access to a vulnerable TeamCity server. The group then deployed a novel backdoor written in PowerShell.