A critical security vulnerability in the open-source file-sharing application ProjectSend is reportedly being actively exploited, according to findings by VulnCheck.

The flaw, assigned CVE-2024-11680 with a CVSS score of 9.8, was initially patched through a commit in May 2023 but was not made publicly available until the release of version r1720 in August 2024. The issue, identified by Synacktiv in January 2023, pertains to improper authorization checks, enabling attackers to execute malicious code on affected servers.

Vulnerability Details

Synacktiv described the flaw in ProjectSend version r1605 as follows:

• Authorization Bypass: Attackers can perform sensitive actions, such as:
• Enabling user registration and auto-validation.
• Adding new file extensions to the upload whitelist.
• Impact: These actions allow the execution of arbitrary PHP code on the server hosting the application.

The flaw poses a severe risk to public-facing servers, allowing attackers to manipulate server configurations and deploy malicious payloads.

Exploitation Activity

VulnCheck observed active exploitation beginning in September 2024, leveraging public exploit code released by Project Discovery and Rapid7. Notable tactics include:

• Enabling User Registration: Attackers gain post-authentication privileges for further exploitation.
• Web Shell Installation: Attackers deploy web shells, often located in a predictable directory under upload/files/ within the webroot.
• JavaScript Injection: The vulnerability also enables attackers to embed malicious JavaScript, offering alternative attack vectors.

These actions indicate that exploitation extends beyond basic vulnerability scanning, highlighting targeted and persistent attacker behavior.

Current Exposure

An analysis of roughly 4,000 ProjectSend servers exposed on the internet revealed:

• Only 1% of servers are running the patched version r1750.
• The majority are running either an unnamed release or the vulnerable version r1605 from October 2022.

Recommendations

Given the scale of active exploitation, it is critical for users to:

1. Update Immediately: Apply the latest patch (version r1750) to secure your installation.
2. Scan for Web Shells: Check the upload/files/ directory for potential malicious files.
3. Harden Security: Limit public-facing server exposure and monitor for unauthorized changes or suspicious activity.

The exploitation of this vulnerability underscores the importance of maintaining updated software and promptly addressing known security issues to minimize risk.