Critical ProjectSend Flaw Under Exploitation: Act Now!
Critical Security Flaw in ProjectSend Exposed: Urgent Patch Needed
A significant security vulnerability in the open-source file-sharing application, ProjectSend, has come to light, with reports indicating that it is actively being exploited in the wild. Identified as CVE-2024-11680, this flaw carries a high CVSS score of 9.8 and was initially patched in May 2023. However, the official fix wasn’t released until August 2024, making it crucial for users to update their systems without delay.
Understanding CVE-2024-11680: The Vulnerability Explained
According to findings from VulnCheck, the vulnerability stems from an improper authorization check in ProjectSend version r1605. This flaw allows attackers to execute malicious code on vulnerable servers. Synacktiv, which reported the issue to the maintainers in January 2023, highlighted that the vulnerability could enable unauthorized actions such as:
- Activating user registration and auto-validation features
- Adding new entries to the whitelist for uploaded file extensions
This scenario ultimately allows attackers to execute arbitrary PHP code on the affected servers, leading to severe security risks.
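As an added illustration (not code from this article or from the ProjectSend project), the following audit routine checks an instance's release string and settings for the three risk indicators the article describes: a release older than the patched r1750, public self-registration with auto-validation switched on, and server-side script extensions present in the upload whitelist. The option names `clients_can_register`, `clients_auto_approve` and `allowed_file_types` are assumptions chosen to mirror a generic options table and must be checked against the real schema before use; the sample settings are constructed.

```python
import re

PATCHED_RELEASE = 1750  # r1750 is the release the article names as patched
# Extensions that a PHP web server would execute if uploaded and requested.
DANGEROUS_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "phps"}


def parse_release(version: str) -> int:
    """Turn a ProjectSend release tag such as 'r1605' into the integer 1605."""
    m = re.fullmatch(r"r(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised ProjectSend version string: {version!r}")
    return int(m.group(1))


def audit(version: str, options: dict[str, str]) -> list[str]:
    """Return a list of human-readable findings; an empty list means no indicator fired.

    `options` maps option names to their stored string values. The option names
    used here are assumed, not taken from ProjectSend's real schema.
    """
    findings = []
    if parse_release(version) < PATCHED_RELEASE:
        findings.append(f"unpatched release {version}; upgrade to r{PATCHED_RELEASE} or later")
    if options.get("clients_can_register") == "1":
        msg = "public self-registration is enabled"
        if options.get("clients_auto_approve") == "1":
            msg += " and new accounts are auto-approved (no admin review)"
        findings.append(msg)
    allowed = {e.strip().lower() for e in options.get("allowed_file_types", "").split(",") if e.strip()}
    risky = sorted(allowed & DANGEROUS_EXTENSIONS)
    if risky:
        findings.append("server-side script extensions are whitelisted for upload: " + ", ".join(risky))
    return findings


# Constructed sample: settings as they might look after the tampering the article describes.
TAMPERED = {"clients_can_register": "1", "clients_auto_approve": "1",
            "allowed_file_types": "pdf,jpg,png,php,phtml"}
# Constructed sample: a patched instance with conservative settings.
CLEAN = {"clients_can_register": "0", "clients_auto_approve": "0",
         "allowed_file_types": "pdf,jpg,png"}

if __name__ == "__main__":
    for label, version, opts in (("tampered", "r1605", TAMPERED), ("clean", "r1750", CLEAN)):
        print(label, audit(version, opts) or ["no indicators"])
```

Run it against a settings export from each exposed instance; any finding on the registration or extension checks is worth treating as possible tampering rather than mere misconfiguration, since the article notes attackers change exactly those settings.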
Active Exploitation Observed in the Wild
VulnCheck has observed that threat actors are targeting publicly accessible ProjectSend servers. The exploitation attempts reportedly began in September 2024, using exploit code released by ProjectDiscovery and Rapid7. These attacks not only focus on identifying vulnerable instances but also leverage the user registration feature to gain post-authentication privileges, enabling further exploitation.
Jacob Baines from VulnCheck noted, “We are likely in the ‘attackers installing web shells’ territory.” This indicates that the vulnerability may allow attackers to embed malicious JavaScript, presenting a multifaceted threat.
Current State of ProjectSend Servers
An analysis of approximately 4,000 internet-exposed ProjectSend servers revealed alarming statistics: only 1% of these servers are operating on the patched version (r1750). The majority are still using older, vulnerable releases, particularly version r1605, which was released in October 2022.
Immediate Action Required for Users
Given the widespread exploitation of this vulnerability, it is imperative for ProjectSend users to apply the latest patches as soon as possible. Delaying this crucial update could result in significant security breaches and unauthorized access to sensitive data.
For more information on securing your ProjectSend installation, visit the official ProjectSend documentation.