ProjectSend, an open-source file-sharing web application, is being actively exploited through a flaw that only received the identifier CVE-2024-11680 on November 25, 2024. Although a patch has been available for more than a year, most exposed instances remain vulnerable because adoption of the fix has been very low.
ProjectSend Authentication Vulnerability
ProjectSend has around 1,500 GitHub stars, and Censys indexes more than 4,000 internet-exposed instances.
The vulnerability, reported to the project by Synacktiv in January 2023, lies in the authentication checks around the application's settings: an attacker without valid credentials can change core settings, for example to enable self-registration, and then obtain an authenticated foothold and escalate privileges.
From there, attackers can embed malicious JavaScript in the site or upload webshells to the compromised instance.
A fix was committed on May 16, 2023, but the CVE was not assigned until November 2024, which kept awareness of the issue low.
Public exploit code and checks from Synacktiv, ProjectDiscovery (a Nuclei template), and Rapid7 (a Metasploit module) have also lowered the bar for attackers.
Exploitation Timeline
- January 19, 2023: Vulnerability disclosed by Synacktiv to ProjectSend.
- May 16, 2023: ProjectSend releases an initial patch.
- July 19, 2024: Synacktiv publishes a security advisory.
- August 30, 2024: Metasploit pull request demonstrating exploitation is submitted.
- November 25, 2024: CVE-2024-11680 is officially assigned.
Signs of exploitation surfaced in September 2024, shortly after the Metasploit module and Nuclei template became available.
Researchers observed public-facing ProjectSend instances whose landing-page titles had been changed to random strings, consistent with the public exploit tools being run against them.
More worrying, attackers have been enabling user registration, which is off by default, so that they can create accounts and obtain post-authentication privileges.
In many cases attackers went further, uploading webshells or running malicious scripts. The webshells were found under the upload/files/ directory, and direct requests to them can be identified in web server access logs.
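The log-based check described above, as an added example rather than code from the article or from VulnCheck: it parses Apache combined-format access log lines and flags direct requests for PHP files under upload/files/ (the webshell pattern) and POST requests to options.php, the settings endpoint named in the public CVE description (its use here as an indicator is an assumption; adjust to your server's paths). The sample log lines are constructed for the example and are not real traffic.

```python
import re

# Constructed sample access log (Apache "combined" format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2024:10:01:03 +0000] "GET /index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2024:10:01:09 +0000] "POST /options.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [12/Sep/2024:10:01:15 +0000] "POST /register.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [12/Sep/2024:10:02:40 +0000] "GET /upload/files/x7q2.php?cmd=id HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.4 - - [12/Sep/2024:10:05:00 +0000] "GET /upload/files/report.pdf HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Sep/2024:10:05:30 +0000] "GET /process.php?do=login HTTP/1.1" 200 500 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, identd, user, [timestamp], "METHOD path proto", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Direct request for a server-side script inside the upload directory.
# ProjectSend stores uploads under upload/files/; legitimate files there
# are documents, not PHP, so any .php/.phtml/.phar hit is worth triage.
WEBSHELL_RE = re.compile(
    r'^/upload/files/[^?]+\.(php\d?|phtml|phar)(\?|$)', re.IGNORECASE
)

# Assumption: options.php is the settings endpoint abused by the exploit.
SETTINGS_ENDPOINT = '/options.php'


def parse_line(line):
    """Return the fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Scan log text and return (client_ip, indicator, path) tuples in log order."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        path = rec['path']
        if WEBSHELL_RE.match(path):
            findings.append((rec['ip'], 'webshell_access', path))
        elif rec['method'] == 'POST' and path.split('?', 1)[0].endswith(SETTINGS_ENDPOINT):
            findings.append((rec['ip'], 'settings_post', path))
    return findings


def suspicious_hosts(findings):
    """Distinct client addresses that produced at least one indicator."""
    return sorted({ip for ip, _, _ in findings})


if __name__ == '__main__':
    for ip, kind, path in triage(SAMPLE_LOG):
        print(f'{ip}\t{kind}\t{path}')
    print('hosts:', suspicious_hosts(triage(SAMPLE_LOG)))
```

Run it against a real log with `triage(open('/var/log/apache2/access.log').read())`; a 200 response on a webshell path is strong evidence the file exists and was executed, while a POST to the settings endpoint from a client that never logged in is the earlier stage to look for when reconstructing a timeline.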
Despite the patch being available for over a year, patch adoption remains low. A VulnCheck analysis using Shodan data found:
- 1% of instances are on the latest patched version (r1750).
- 99% are outdated, with 55% running a version from October 2022.
This slow adoption has left many systems open to attack, and exploitation is likely to increase as awareness of the flaw spreads.
The VulnCheck report emphasizes the critical need for timely patching, centralized vulnerability tracking, and strong incident response.
Organizations using ProjectSend should quickly assess their systems for exposure, upgrade to version r1750, and monitor logs for signs of compromise. As exploitation grows, proactive measures are crucial to mitigate this rising security threat.