Critical Vulnerability in ProjectSend File-Sharing App Under Active Exploitation

A high-severity security vulnerability (CVE-2024-11680, CVSS score: 9.8) affecting the open-source file-sharing application ProjectSend has come under active exploitation, according to findings by VulnCheck.

The vulnerability, which allows attackers to execute arbitrary PHP code, stems from an improper authorization check in ProjectSend version r1605. Although the issue was reported in January 2023 by Synacktiv and patched in May 2023, the fix was not formally included in an official release until August 2024 (version r1720).

Vulnerability Details

Synacktiv's report highlighted how attackers could exploit the flaw to:

  1. Enable user registration and auto-validation for unauthorized access.
  2. Add malicious entries to the whitelist of allowed file extensions.
  3. Execute arbitrary PHP code on servers hosting ProjectSend.

This can result in attackers installing web shells, embedding malicious JavaScript, or conducting follow-up exploitation.

Active Exploitation Observed

Since September 2024, threat actors have been targeting public-facing ProjectSend servers using exploit code made available by Project Discovery and Rapid7. According to VulnCheck, the attacks are not limited to scanning but actively enable features like user registration to gain further access.

"We are likely in the 'attackers installing web shells' territory," said Jacob Baines of VulnCheck. "These can often be found in predictable locations like upload/files/ off the webroot."

Adoption of the Patch

An analysis of approximately 4,000 internet-exposed ProjectSend servers revealed that only 1% of instances are running the latest patched version (r1750). The majority of servers are using either an unnamed release or the outdated r1605 version from October 2022.

Mitigation Steps

Given the active exploitation and critical nature of this flaw, organizations using ProjectSend are urged to:

  1. Upgrade immediately to version r1750 or the latest release.
  2. Scan for malicious files or web shells in the upload/files/ directory.
  3. Disable features like user registration if not needed.
  4. Regularly monitor and secure server configurations to prevent unauthorized access.
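The following is an added example, not code from the article or from the ProjectSend project, to support step 2 above: a small defender-side scanner for an uploads tree such as ProjectSend's upload/files/ directory. It assumes a standard PHP web server layout and flags files with PHP-executable extensions (including double extensions) and non-PHP files that contain a PHP open tag; the sample files it scans are constructed for the demonstration.

```python
import os
import re
import tempfile

# Extensions a typical PHP web server would hand to the interpreter.
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
# PHP open tags; nothing in an upload directory should contain these.
PHP_TAG = re.compile(rb"<\?(php|=)")


def scan_uploads(root):
    """Walk an uploads tree and return (relative_path, reason) pairs
    for files a responder should examine by hand."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # Check every suffix so a double extension like x.php.jpg is caught.
            suffixes = {"." + part.lower() for part in name.split(".")[1:]}
            if suffixes & EXECUTABLE_EXTS:
                findings.append((rel, "php-executable extension"))
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)  # first 64 KiB is enough for an open tag
            except OSError:
                continue
            if PHP_TAG.search(head):
                findings.append((rel, "php open tag in non-php file"))
    return findings


def demo():
    """Build a constructed uploads tree (not real ProjectSend data) and scan it."""
    root = tempfile.mkdtemp(prefix="uploads-demo-")
    os.makedirs(os.path.join(root, "sub"))
    samples = {
        "report.pdf": b"%PDF-1.4 harmless constructed document",
        os.path.join("sub", "cmd.php"): b"<?php echo 'constructed sample'; ?>",
        "photo.php.jpg": b"\xff\xd8\xff constructed, not really an image",
        "notes.txt": b"plain text with a stray <?= 'tag' ?> inside",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return sorted(scan_uploads(root))
```

Run `demo()` to see the three flagged paths; the benign PDF is not reported. Any hit should be reviewed and compared against the files the application itself is expected to store.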

The exploitation of CVE-2024-11680 underscores the risks of delayed patch adoption in open-source applications. Organizations should prioritize applying updates and monitoring for unusual server activity to mitigate the risk of compromise.

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067