TheCyberThrone

ProjectSend Exploited by Threat actors using CVE-2024-11680


ProjectSend, an open-source file-sharing web application, has been exploited by attackers using an improper authentication vulnerability since the start of 2024.

Exploiting this vulnerability lets attackers modify the application’s configuration without authorization by sending crafted HTTP requests to options.php. From there they can create accounts, upload webshells, and embed malicious JavaScript.


VulnCheck assigned CVE-2024-11680 with a CVSS score of 9.8. Although a fix for this issue was released on May 16, 2023, the CVE assignment was delayed until November 2024.

The VulnCheck Initial Access team developed a scanner to fingerprint the versions of internet-facing ProjectSend systems. It found that only 1% of users were running the patched version (r1750), while 99% had not patched.

ProjectSend released an official patch version in August. Since the patch release, multiple exploits have been published by Synacktiv, Project Discovery (using Nuclei), and Rapid7 (using Metasploit).

In November, many public-facing ProjectSend instances had their landing page titles changed to long, suspicious-looking strings. Investigation of this abnormal behavior concluded that attackers were actively exploiting the vulnerability.


Organizations using ProjectSend should immediately assess their systems for exposure, upgrade to the latest version (r1750), and monitor logs for signs of compromise.
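As a defender-side illustration (added here; not code from the article or from ProjectSend), the following Python script flags the two indicators the article names in web-server logs and page content: POST requests to options.php that did not originate from a page on the application’s own host, and a landing-page title that no longer matches the one the administrator set. The log lines and the host name files.example.test are constructed; the Referer heuristic is an assumption for triage, not a confirmed detection rule.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [20/Nov/2024:10:01:05 +0000] "POST /options.php HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.10 - - [20/Nov/2024:10:01:06 +0000] "POST /options.php HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.7 - - [20/Nov/2024:10:02:00 +0000] "GET /options.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Nov/2024:10:03:10 +0000] "POST /options.php HTTP/1.1" 302 0 "https://files.example.test/options.php" "Mozilla/5.0"
192.0.2.4 - - [20/Nov/2024:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_log(text):
    """Yield one dict per line that parses as combined log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def flag_options_posts(text, app_host):
    """Return (ip, timestamp, referer) for POSTs to options.php that did not come from a
    page on app_host. A browser submitting the settings form sends an on-site Referer; a
    scripted request usually does not. This is a triage heuristic (assumption), not proof."""
    hits = []
    for r in parse_log(text):
        if r["method"] == "POST" and r["path"].split("?")[0].endswith("/options.php"):
            if not r["referer"].startswith(("https://" + app_host, "http://" + app_host)):
                hits.append((r["ip"], r["ts"], r["referer"]))
    return hits

def count_by_ip(hits):
    """Aggregate flagged requests per source IP for review."""
    return Counter(ip for ip, _, _ in hits)

def title_is_suspicious(html, expected_title, max_len=80):
    """True if the landing page <title> differs from the administrator's value or is unusually long."""
    m = re.search(r"<title>(.*?)</title>", html, re.I | re.S)
    title = m.group(1).strip() if m else ""
    return title != expected_title or len(title) > max_len

if __name__ == "__main__":
    hits = flag_options_posts(SAMPLE_LOG, "files.example.test")
    for ip, n in count_by_ip(hits).items():
        print(f"{ip}: {n} POST(s) to options.php without an on-site Referer")
```

Point the script at the real access log and the hostname the instance is served on; every flagged source IP then merits a check of the configuration, user list, and upload directory for the changes the article describes.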

Exploitation Timeline
