Introduction
ProjectSend [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11], a widely used open-source file-sharing web application [2] [4] [6] [8] [10], is affected by a critical authentication-bypass vulnerability, CVE-2024-11680 [10] [11]. The flaw is being actively exploited to gain unauthorized access and modify server configuration, posing severe risks to users and systems.
Description
Public-facing instances of ProjectSend [2], a widely used open-source file-sharing web application [2] [4] [6] [8] [10], have been actively exploited through a critical authentication vulnerability identified as CVE-2024-11680. The flaw, reported by Synacktiv in January 2024 and rated 9.8 on the CVSS scale, allows remote [4] [7] [8] [11], unauthenticated attackers to bypass authentication by sending crafted HTTP requests to options.php, which results in unauthorized changes to the application's configuration [4] [7] [8]. Once the configuration is under attacker control, the exploitation chain enables creation of rogue accounts [8], upload of webshells [4] [7] [8] [10], and injection of malicious JavaScript [7] [8] [10]. Notably, exploitation began before the CVE was assigned and intensified in late August and early September 2024, aided by public tooling such as Nuclei templates and a Metasploit module published by Rapid7, all of which appeared before the CVE was officially disclosed on November 26, 2024.
The vulnerability affects all versions of ProjectSend prior to r1750 [8]. Shodan data indicates that only 1% of instances are running the patched version [7] [10], which was released on August 3, 2024, in version r1720 [3] [5] [10] [11]. Alarmingly, over 4,000 servers remain reachable from the internet: 55% still run the vulnerable r1605 version from October 2022 [11], and 44% run an unnamed release from April 2023 [11]. Although a patch has been available since May 16, 2023 [7] [11], a report from vulnerability intelligence provider VulnCheck finds that 99% of ProjectSend instances remain unpatched. VulnCheck has observed signs of exploitation in the wild [11]: public-facing ProjectSend servers show altered landing page titles [7] [11], often changed to long random strings, which is characteristic of the exploitation tools in use. Evidence suggests that attackers are currently installing webshells through this vulnerability [4], and they frequently enable the user registration setting, a non-default feature, so that they can obtain post-authentication privileges. This shift indicates a move from mere testing toward actually embedding malicious JavaScript.
The attacks have originated from at least 100 different IP addresses [9], indicating involvement by multiple groups and individual hackers [9]. Attackers often leave traces [10], such as webshells in predictable locations within the upload/files/ directory [10], with filenames derived from the upload timestamp [7], a hash of the username [7], and the original file name [7]. The exploitation frequently leads to unauthorized user registration. Administrators are advised to review server access logs for any direct access to the upload/files/ directory [1], apply the patch to version r1750 or higher [10], disable unnecessary features such as user registration [10], and monitor public-facing servers for anomalous activity [10]. The lack of centralized documentation on this flaw underscores the need for security companies to assess their customers' exposure and implement the necessary remediations. ProjectSend was created by Ignacio Nelson and is maintained by a group of over 50 contributors [2], with support from 1,500 individuals on GitHub [2]. Immediate action is essential to mitigate the risks associated with CVE-2024-11680 and its ongoing exploitation [10].
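The indicators above (direct requests into upload/files/, configuration changes via options.php, and landing page titles replaced by long random strings) lend themselves to a small triage script. The following Python is an added example written for this summary; it is not code from ProjectSend, VulnCheck or any of the cited sources. The access log lines and HTML snippets are constructed for illustration, the Apache combined-log regex and the random-title heuristic are this example's own assumptions, and the webshell filename shape only mirrors the timestamp/hash/original-name pattern described above.

```python
"""Defender-side triage helpers for the CVE-2024-11680 indicators described
in the text: direct hits on upload/files/, POSTs to options.php, and tampered
landing-page titles.  Sample inputs are constructed, not captured data."""
import re
from dataclasses import dataclass, field

# Apache/nginx "combined" format: ip ident user [ts] "METHOD target PROTO" status ...
# (assumed log layout; adjust the regex for other formats)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (RFC 5737 documentation addresses; not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [28/Nov/2024:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Nov/2024:10:15:03 +0000] "POST /options.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Nov/2024:10:15:12 +0000] "GET /upload/files/1732788909-1a2b3c4d5e6f-cmd.php?c=id HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Nov/2024:10:16:00 +0000] "GET /upload/files/report.pdf HTTP/1.1" 200 40960 "-" "Mozilla/5.0"
192.0.2.44 - - [28/Nov/2024:10:17:21 +0000] "GET /upload/files/1732788909-1a2b3c4d5e6f-cmd.php?c=whoami HTTP/1.1" 200 64 "-" "python-requests/2.31"
this line is deliberately malformed and must be skipped by the parser
"""

# Constructed HTML snippets for the title check.
SAMPLE_HTML_NORMAL = "<html><head><title>Acme File Portal</title></head><body/></html>"
SAMPLE_HTML_TAMPERED = "<html><head><title>xk9Qm2zLpW7vTb4RdS</title></head><body/></html>"


@dataclass
class Finding:
    ip: str
    ts: str
    kind: str      # "webshell_exec", "direct_upload_access" or "options_post"
    target: str
    status: int


@dataclass
class ScanResult:
    findings: list = field(default_factory=list)
    ips_with_options_post: set = field(default_factory=set)
    ips_with_direct_access: set = field(default_factory=set)

    def chained_ips(self):
        """IPs seen both changing options.php and touching upload/files/ directly:
        the strongest signal that the full exploitation chain ran from that host."""
        return sorted(self.ips_with_options_post & self.ips_with_direct_access)


def classify(method: str, target: str):
    """Map one request to an indicator kind, or None if it is uninteresting."""
    path = target.split("?", 1)[0].lower()       # drop the query string
    if "/upload/files/" in path:
        # Uploads are meant to be served by the application, not fetched by path,
        # so any direct hit deserves review; a .php hit is a webshell being called.
        return "webshell_exec" if path.endswith(".php") else "direct_upload_access"
    if method == "POST" and path.endswith("/options.php"):
        # Legitimate admins POST here too: treat as context, then correlate per IP.
        return "options_post"
    return None


def scan_access_log(log_text: str) -> ScanResult:
    """Parse combined-format lines and collect CVE-2024-11680 related findings."""
    result = ScanResult()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                              # malformed or different format
        kind = classify(m["method"], m["target"])
        if kind is None:
            continue
        finding = Finding(m["ip"], m["ts"], kind, m["target"], int(m["status"]))
        result.findings.append(finding)
        if kind == "options_post":
            result.ips_with_options_post.add(finding.ip)
        else:
            result.ips_with_direct_access.add(finding.ip)
    return result


TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)


def looks_tampered_title(title: str, min_len: int = 16) -> bool:
    """Heuristic for the 'long random string' titles reported in the wild:
    a single alphanumeric token with no whitespace (threshold is an assumption)."""
    t = title.strip()
    if len(t) < min_len or re.search(r"\s", t):
        return False
    return t.isalnum() and "projectsend" not in t.lower()


def landing_page_title_tampered(html: str) -> bool:
    """True if the page's <title> matches the random-string pattern."""
    m = TITLE_RE.search(html)
    return bool(m) and looks_tampered_title(m.group(1))


if __name__ == "__main__":
    res = scan_access_log(SAMPLE_LOG)
    for f in res.findings:
        print(f"{f.ts}  {f.ip:<14} {f.kind:<21} {f.status} {f.target}")
    print("IPs with full chain (options.php then upload/files/):", res.chained_ips())
    print("title tampered:", landing_page_title_tampered(SAMPLE_HTML_TAMPERED))
```

Run against a real access log by passing the file contents to scan_access_log; the per-IP correlation in chained_ips is what separates an administrator saving settings from an attacker who changed options.php and then called a file under upload/files/. Any .php request under upload/files/ that returned 200 should be treated as a confirmed webshell and the host rebuilt from a known-good state after patching to r1750 or later.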
Conclusion
The ongoing exploitation of CVE-2024-11680 in ProjectSend highlights the need for immediate action to mitigate the risk. Administrators must prioritize patching to version r1750 or higher, disable unnecessary features [10], and monitor for unusual activity [10]. The scale of the vulnerable population and of its exploitation underscores the importance of proactive security measures, as well as the need for comprehensive documentation and support from security companies to protect against future threats.
References
[1] https://www.cert.be/en/advisory/warning-auth-vulnerability-projectsend-cve-2024-11680-actively-exploited-patch-immediately
[2] https://www.infosecurity-magazine.com/news/exploit-projectsend-critical/
[3] https://www.security.nl/posting/867180/Securitybedrijf+meldt+actief+misbruik+van+kritiek+ProjectSend-lek
[4] https://insight.scmagazineuk.com/cve-created-for-18-month-old-flaw
[5] https://cyber.vumetric.com/security-news/2024/11/27/critical-flaw-in-projectsend-under-active-exploitation-against-public-facing-servers/
[6] https://osintcorp.net/malicious-actors-exploit-projectsend-critical-vulnerability/
[7] https://securityaffairs.com/171494/hacking/projectsend-critical-flaw-actively-exploited.html
[8] https://www.itpro.com/security/cyber-crime/researchers-sound-alarm-over-hackers-exploiting-critical-projectsend-vulnerability
[9] https://www.techradar.com/pro/security/projectsend-security-flaws-hit-to-access-background-servers
[10] https://securityonline.info/cve-2024-11680-cvss-9-8-critical-projectsend-vulnerability-actively-exploited-poc-published/
[11] https://cybersecuritynews.com/projectsend-authentication-vulnerability/