A critical vulnerability has been discovered in the popular open-source file-sharing application ProjectSend, which, according to VulnCheck, is being actively exploited by malicious actors. This issue affects servers running outdated software, enabling hackers to execute malicious code.
The vulnerability, identified as CVE-2024-11680, carries a critical severity rating of CVSS 9.8. Although a fix was initially introduced through a GitHub commit in May 2023, the official patch addressing the flaw was not released until August 2024 with the launch of version r1720.
Synacktiv, the cybersecurity firm that reported the issue to ProjectSend’s developers in January 2023, described the flaw as a lack of proper authorization checks. This weakness allows attackers to enable the registration of new users, modify parameters in the whitelisted extensions for uploaded files, and execute arbitrary PHP code.
Since September 2024, VulnCheck experts have observed exploit activity using tools from Project Discovery and Rapid7 to target publicly accessible ProjectSend servers. These attacks include the deployment of malicious web shells and other tactics such as injecting harmful JavaScript.
Jacob Baines, a researcher at VulnCheck, noted that the uploaded web shells are often placed in predictable locations, such as the upload/files/ directory on the server, simplifying their discovery and exploitation by attackers.
An analysis of approximately 4,000 internet-connected servers revealed that only 1% are running the current secure version of ProjectSend. The majority are operating on outdated releases, including version r1605, which dates back to October 2022.
Given the escalating threat, experts strongly advise server administrators to promptly install the latest updates to safeguard their systems from potential attacks.
