A critical security flaw affecting the open-source file-sharing program ProjectSend is likely to be actively exploited in the wild, according to findings by VulnCheck.
The vulnerability was originally patched over a year and a half ago in a commit released in May 2023, but the fix was not officially available until August 2024, with the release of version r1720. On November 26, 2024, it was assigned the CVE identifier CVE-2024-11680 (CVSS score: 9.8).
Synacktiv, which reported the flaw to project developers in January 2023, described it as an improper authorization check that would allow an attacker to execute malicious code on sensitive servers.
“In ProjectSend version r1605, an improper authorization check was discovered that could allow an attacker to perform sensitive actions, such as enabling user registration and automatic verification or adding new entries to the whitelist of allowed file extensions for uploaded files,” according to a report published in July 2024.
“Ultimately, this allows you to execute arbitrary PHP code on the server that hosts the application.”
VulnCheck reports that unknown threat actors targeting public ProjectSend servers have been observed using exploit code released by Project Discovery and Rapid7. It is believed that the exploitation attempts began in September 2024.
The attacks were also found to enable the user registration feature in order to obtain an authenticated account for follow-on activity, indicating that they are not limited to scanning for vulnerable instances.
“We’re probably in ‘webshell attacker’ territory (technically, the vulnerability also allows an attacker to embed malicious JavaScript, which could be an interesting and different attack scenario),” said VulnCheck’s Jacob Baines.
“If an attacker has downloaded a webshell, it can be found in a predictable location in downloads/files/ outside of the web directory.”
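A defender checking an exposed instance will want to sweep the upload location named above for dropped PHP. The following script is an added example (not code from ProjectSend or VulnCheck); it assumes the upload directory path is passed in by the operator and builds a constructed sample directory to run against offline.

```python
import os
import re
import tempfile

# Extensions a PHP-capable web server would execute if the upload directory
# is reachable; a webshell is typically a PHP file dropped into such a path.
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
# PHP open tags, so content is flagged even when the extension is disguised.
PHP_MARKERS = re.compile(rb"<\?php|<\?=")

def suspicious_uploads(upload_dir):
    """Walk upload_dir and return sorted (relative_path, reason) pairs for files
    that carry an executable extension anywhere in the name (photo.jpg.php,
    shell.php.jpg) or whose leading bytes contain a PHP open tag."""
    hits = []
    for root, _dirs, files in os.walk(upload_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, upload_dir)
            exts = {"." + part for part in name.lower().split(".")[1:]}
            reason = None
            if exts & EXECUTABLE_EXTS:
                reason = "executable extension"
            else:
                with open(path, "rb") as fh:
                    head = fh.read(64 * 1024)  # first 64 KiB is enough for an open tag
                if PHP_MARKERS.search(head):
                    reason = "php markers in content"
            if reason:
                hits.append((rel, reason))
    return sorted(hits)

def demo():
    """Build a constructed sample upload directory (not real ProjectSend data)
    and scan it; returns the list of flagged files."""
    tmp = tempfile.mkdtemp()
    samples = {
        "report.pdf": b"%PDF-1.4 harmless document",
        "photo.jpg.php": b"<?php echo 'hello'; ?>",   # double extension
        "notes.txt": b"<?php echo 'disguised'; ?>",   # PHP hidden in .txt
        "logo.png": b"\x89PNG\r\n\x1a\n",
    }
    for name, data in samples.items():
        with open(os.path.join(tmp, name), "wb") as fh:
            fh.write(data)
    return suspicious_uploads(tmp)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Point `suspicious_uploads()` at the real upload directory of the instance; any hit on a server that should only hold user documents warrants an incident review rather than just deletion.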
An analysis of the ProjectSend servers open on the Internet showed that only 1% of them are running the patched version (r1750), and all other instances are running either the unnamed release or r1605, which was released in October 2022.
In light of what appears to be widespread exploitation, users are encouraged to apply the latest patches as soon as possible to mitigate the active threat.