Advisory

Critical authentication bypass vulnerability in ProjectSend is actively exploited

Take action: If you are using ProjectSend, the time for strong urging has passed. PATCH YESTERDAY. If that is not possible, patch today, because everyone has the exploit and it is being actively used to hack your systems.

Learn More

A critical authentication bypass vulnerability in ProjectSend, an open-source PHP-based file sharing application, is currently under active exploitation. ProjectSend is designed for file sharing, enabling users to create client groups, assign user roles, and access statistics, detailed logs and notifications.

The vulnerability is tracked as CVE-2024-11680 (CVSS score 9.8) and is an improper authentication vulnerability that could allow remote, unauthenticated attackers to modify the application's configuration. Some of the application's PHP pages performed their authorization check only after the rest of the page's code had already run, so an unauthenticated request could complete privileged operations before the check was ever reached. Attackers could send crafted HTTP requests to the options.php endpoint to create rogue accounts, upload webshells, and potentially embed malicious JavaScript code.
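To make the bug class concrete, the following is an added illustration written for this advisory; it is not ProjectSend's code, and the option name, function names and session layout are assumptions. It shows an options handler that performs its side effect before checking the session (the ordering described above) next to the same handler with the check moved in front of any state change and a deny-by-default role test.

```php
<?php
// Added illustration of the bug class described in the advisory: the
// authorization check runs after the privileged work. Not ProjectSend's code;
// 'allow_registration', the session keys and the function names are made up.

// Vulnerable ordering: the page acts on the request first, then asks who sent it.
function handle_options_vulnerable(array $post, array $session, array &$config): string
{
    // Privileged side effect executes unconditionally...
    if (isset($post['allow_registration'])) {
        $config['allow_registration'] = (bool) $post['allow_registration'];
    }
    // ...and only afterwards is the caller's session inspected. The redirect
    // arrives too late: the configuration has already been modified.
    if (empty($session['user_id'])) {
        return 'redirect:login.php';
    }
    return 'ok';
}

// Hardened ordering: authenticate and authorize before any state is touched.
function handle_options_fixed(array $post, array $session, array &$config): string
{
    // Deny by default: missing session or non-admin role means nothing runs.
    if (empty($session['user_id']) || ($session['role'] ?? '') !== 'admin') {
        return 'redirect:login.php';
    }
    if (isset($post['allow_registration'])) {
        $config['allow_registration'] = (bool) $post['allow_registration'];
    }
    return 'ok';
}

// Constructed request: a form submission with no login session at all.
$post = ['allow_registration' => '1'];
$noSession = [];

$config = ['allow_registration' => false];
$result = handle_options_vulnerable($post, $noSession, $config);
// The handler redirects to login, yet the flag was flipped before the redirect.
echo "vulnerable: result={$result} allow_registration=", var_export($config['allow_registration'], true), "\n";

$config = ['allow_registration' => false];
$result = handle_options_fixed($post, $noSession, $config);
// The hardened handler rejects the request before reaching the assignment.
echo "fixed:      result={$result} allow_registration=", var_export($config['allow_registration'], true), "\n";
```

The lesson for code review is that in a top-to-bottom PHP page an `include` or `require` of the session check placed at the bottom, or a redirect without an `exit`, does not stop the statements above it; the check must be the first thing the page executes and must terminate the request on failure.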

The vulnerability was discovered and reported by Synacktiv in January 2023, with a patch commit pushed to ProjectSend's GitHub repository in May 2023. However, the official patch wasn't released until August 2024 with version r1720.

Project Discovery (Nuclei) and Rapid7 (Metasploit) have released public exploits targeting CVE-2024-11680, and attackers appear to have adopted them in attacks starting in September. VulnCheck has observed that public-facing ProjectSend servers had started to change their landing page titles to long, random-looking strings, indicating active exploitation.

Of the approximately 4,000 ProjectSend instances indexed by Censys, about 55% are running version r1605 (confirmed vulnerable), 44% are using an unnamed release from April 2023, and only 1% are running the patched version. The vulnerability affects version r1605 but likely impacts all releases back to r1270.

Attackers are enabling user registration to obtain post-authentication privileges, which results in the landing page prompting visitors to register an account. VulnCheck suggests that attackers are likely installing webshells in the "upload/files/" directory under the webroot, and there is potential for embedding malicious JavaScript as an alternative attack vector.
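The two indicators above (a landing page title replaced with a long random-looking string, and self-registration unexpectedly enabled) lend themselves to a quick triage over saved copies of your own instances' landing pages. The script below is an added example, not tooling from VulnCheck or ProjectSend; the length and digit-ratio thresholds and the `register.php` pattern are assumptions to tune against a known-good copy of your deployment.

```php
<?php
// Added triage helper for the indicators described in the advisory. Run it
// against saved landing-page HTML (e.g. `curl -s https://host/ > landing.html`
// then `php triage.php landing.html`). Not from VulnCheck or ProjectSend;
// thresholds and the registration pattern are assumptions.

function extract_title(string $html): ?string
{
    if (preg_match('/<title[^>]*>(.*?)<\/title>/is', $html, $m)) {
        return trim(html_entity_decode($m[1]));
    }
    return null;
}

// Heuristic for a "random-ish" title: long, almost no spaces, noticeable share
// of digits. A legitimate title is a few words separated by spaces.
function title_looks_tampered(string $title, int $minLen = 24): bool
{
    $len = strlen($title);
    if ($len < $minLen) {
        return false;
    }
    $spaces = substr_count($title, ' ');
    $digits = preg_match_all('/[0-9]/', $title);
    return $spaces <= 1 && ($digits / $len) > 0.15;
}

// The stock landing page is the login form; a registration link or form being
// offered to anonymous visitors is the sign that self-registration was enabled.
// The pattern is an assumption; compare with a clean install of your version.
function registration_enabled(string $html): bool
{
    return (bool) preg_match('/register\.php|id=["\']register/i', $html);
}

function triage(string $html): array
{
    $title = extract_title($html) ?? '';
    return [
        'title'                => $title,
        'title_tampered'       => title_looks_tampered($title),
        'registration_enabled' => registration_enabled($html),
    ];
}

// Use a file from the command line if given, otherwise constructed samples.
if ($argc > 1 && is_readable($argv[1])) {
    $samples = [$argv[1] => file_get_contents($argv[1])];
} else {
    $samples = [
        // constructed: what a stock login page roughly looks like
        'stock'   => '<html><head><title>ProjectSend - Log in</title></head><body><form action="index.php"></form></body></html>',
        // constructed: tampered title plus a registration link
        'suspect' => '<html><head><title>a8f3kq9z0x7bmv2c4hs1wpd6yt5nrj</title></head><body><a href="register.php">Create account</a></body></html>',
    ];
}

foreach ($samples as $name => $html) {
    $r = triage($html);
    printf("%-8s title_tampered=%-3s registration_enabled=%-3s title=%s\n",
        $name,
        $r['title_tampered'] ? 'yes' : 'no',
        $r['registration_enabled'] ? 'yes' : 'no',
        $r['title']);
}
```

Either indicator firing on a host you own is a reason to treat it as compromised rather than merely unpatched: check "upload/files/" for unexpected PHP files, review the user table for accounts you did not create, and rebuild from a known-good state before applying r1720 or later.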

Given the timeline, evidence of exploitation, and lack of patch adoption, VulnCheck assumes that exploitation is likely widespread and could increase in the near future, considering the abysmal patching rates. Organizations using ProjectSend are strongly advised to upgrade to version r1720 or later immediately to protect against this actively exploited vulnerability.
