Exploitation of ProjectSend Authentication Vulnerability Discovered in the Wild


ProjectSend, an open-source file-sharing web application, is being actively exploited; CVE-2024-11680 was assigned to the flaw on November 25, 2024. Despite a patch having been available for over a year, many instances remain vulnerable because patch adoption has been low.

ProjectSend Authentication Vulnerability

ProjectSend has around 1,500 GitHub stars and over 4,000 instances listed by Censys.

A vulnerability in its authentication system, disclosed by Synacktiv in January 2023, allows attackers to change core settings and potentially escalate privileges after logging in.

This flaw allows attackers to embed malicious JavaScript or upload webshells to compromised instances.

A fix was released on May 16, 2023, but the CVE assignment was delayed until November 2024, reducing awareness.

Public exploit tooling from Synacktiv, ProjectDiscovery (Nuclei), and Rapid7 (Metasploit) has also made this vulnerability easier for attackers to exploit.

Exploitation Timeline

  • January 19, 2023: Vulnerability disclosed by Synacktiv to ProjectSend.
  • May 16, 2023: ProjectSend releases an initial patch.
  • July 19, 2024: Synacktiv publishes a security advisory.
  • August 30, 2024: Metasploit pull request demonstrating exploitation is submitted.
  • November 25, 2024: CVE-2024-11680 is officially assigned.

Signs of exploitation surfaced in September 2024, following the release of Metasploit and Nuclei vulnerability checks.

Researchers observed public-facing ProjectSend instances whose landing-page titles had been changed to random strings, an artifact of these exploit tools being run against them.

More worrying, attackers have been enabling the non-default user-registration setting after authenticating, which gives them elevated privileges.

In many cases attackers went further, uploading webshells or running malicious scripts. These webshells were found under common paths such as upload/files/, and direct requests to them can be traced in the web server's access logs.
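The log check described above, as an added example written for this page (not code from the article or from the ProjectSend project): it parses access-log lines in the common Apache/nginx "combined" format and flags direct requests to script files under upload/files/. The log lines are constructed; the upload/files/ path comes from the text, the extension list is an assumption.

```python
import re
from collections import Counter

# Constructed sample access-log lines in the Apache/nginx "combined" format (not taken from the article).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Sep/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Sep/2024:10:01:09 +0000] "POST /upload/files/x7k2q.php HTTP/1.1" 200 312 "-" "curl/8.4.0"
198.51.100.7 - - [12/Sep/2024:10:02:15 +0000] "GET /upload/files/report.pdf HTTP/1.1" 200 88231 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Sep/2024:10:03:40 +0000] "GET /upload/files/x7k2q.php?a=1 HTTP/1.1" 200 95 "-" "curl/8.4.0"
192.0.2.9 - - [12/Sep/2024:10:04:01 +0000] "GET /upload/files/shell.phtml HTTP/1.1" 404 210 "-" "python-requests/2.32"
"""

# One "combined" log line: client IP, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Server-side script extensions (assumed list); a file with one of these under upload/files/ should never be requested directly.
EXEC_EXTS = (".php", ".phtml", ".php5", ".phar")

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(entry):
    """True for a direct request to a script file under the upload directory (query string ignored)."""
    path = entry["path"].split("?", 1)[0].lower()
    return "/upload/files/" in path and path.endswith(EXEC_EXTS)

def find_webshell_hits(log_text):
    """All parsed entries that look like webshell access, including failed probes (4xx)."""
    return [e for e in map(parse_line, log_text.splitlines()) if e and is_suspicious(e)]

def summarize(hits):
    """Count successfully served (2xx) hits per source IP: these warrant triage first."""
    return Counter(h["ip"] for h in hits if h["status"].startswith("2"))

if __name__ == "__main__":
    hits = find_webshell_hits(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print(dict(summarize(hits)))
```

A 404 for a script under upload/files/ is still worth keeping: it shows someone probing for a shell that was already removed or never landed.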

Despite the patch being available for over a year, patch adoption remains low. A VulnCheck analysis using Shodan data found:

  • 1% of instances are on the latest patched version (r1750).
  • 99% are outdated, with 55% running a version from October 2022.

This slow adoption has left many systems vulnerable to exploitation, which could increase as awareness spreads.

The VulnCheck report emphasizes the critical need for timely patching, centralized vulnerability tracking, and strong incident response.

Organizations using ProjectSend should quickly assess their systems for exposure, upgrade to version r1750, and monitor logs for signs of compromise. As exploitation grows, proactive measures are crucial to mitigate this rising security threat.


By FirstHackersNews | November 27th, 2024 (updated 2024-11-28T23:50:33+05:30) | Categories: Compromised, Exploitation, Internet Security, Security Advisory, Security Update, Tips, vulnerability

About the Author: FirstHackersNews
