A significant security vulnerability in the ProjectSend open-source file-sharing application is reportedly being actively exploited, as indicated by recent research from VulnCheck. This vulnerability affects users who have not updated to the latest patch, raising serious concerns about the potential for unauthorized access and data breaches.
The flaw was first addressed over a year ago during a code update released in May 2023 but was not publicly documented until the release of version r1720 in August 2024. This vulnerability, now documented under the CVE identifier CVE-2024-11680 and assigned a CVSS score of 9.8, highlights serious risks for affected systems.
The flaw was first reported by Synacktiv in January 2023, which identified it as an improper authorization check that could allow attackers to execute code remotely on vulnerable servers. The missing check lets an attacker perform privileged actions such as enabling unauthorized user registrations, auto-validating users, or modifying whitelists for file uploads. Abusing these actions can lead to the execution of arbitrary PHP code, giving attackers considerable control over the server environment.
VulnCheck has documented targeted attacks on public-facing ProjectSend installations, utilizing exploit code made available by security research entities like Project Discovery and Rapid7. These activities are believed to have started in September 2024, indicating that attackers are moving quickly to leverage this vulnerability.
Further investigations reveal that these attacks facilitate user registration, ultimately granting attackers post-authentication privileges. This indicates that the threat actors are not merely scanning for vulnerabilities; they are engaging in deeper infiltration attempts. Jacob Baines from VulnCheck noted that the exploitation has advanced to a stage where attackers could install web shells or inject malicious scripts, which significantly heightens the risk for organizations using this software.
An analysis of approximately 4,000 exposed ProjectSend servers indicates that only about 1% have upgraded to the latest patched version (r1750). The majority remain susceptible, running either outdated versions or even the unreleased r1605 from October 2022. Given the scale of ongoing exploitation, it is imperative that organizations using ProjectSend take immediate action to apply the necessary updates to secure their applications.
