Cybersecurity experts are raising alarms about a critical vulnerability in ProjectSend, an open-source file-sharing application widely used by businesses and organizations to share sensitive files securely.
This flaw, identified as CVE-2024-11680, has a dangerously high CVSS score of 9.8, signaling its severe risk level. Even more concerning, attackers are actively exploiting it, exposing public servers to potential attacks.
Key Takeaway:
- A critical vulnerability in ProjectSend is actively being exploited, highlighting the urgency for users to patch their systems immediately.
What Is the Critical Vulnerability in ProjectSend?
The vulnerability in ProjectSend stems from an improper authorization check in older versions of the software, specifically version r1605, released in October 2022.
This flaw allows attackers to execute malicious actions on unpatched servers, such as enabling unauthorized user registrations, modifying file upload permissions, and even executing arbitrary PHP code.
Synacktiv, a cybersecurity firm, first reported the flaw to ProjectSend maintainers in January 2023.
While the vulnerability was patched in May 2023, the official fix wasn’t rolled out until version r1720 in August 2024, leaving a significant window of opportunity for exploitation.
How the Exploits Work
Threat actors are actively targeting public-facing ProjectSend servers using exploit codes released by cybersecurity platforms like Project Discovery and Rapid7.
Attack Chain Overview:
| Step | Details |
|---|---|
| Phishing or Scanning | Attackers identify vulnerable ProjectSend servers via automated scans or targeted phishing. |
| Enabling User Registration | The exploit enables unauthorized user registration and auto-validation for further exploitation. |
| Web Shell Upload | Malicious files (web shells) are uploaded to the server, enabling attackers to execute commands. |
| Server Control | Full control is gained, allowing attackers to steal sensitive data or launch broader attacks. |
Cybersecurity researchers from VulnCheck discovered that these attackers aren’t merely scanning servers—they’re uploading web shells and embedding malicious scripts to maintain access. These attacks likely began in September 2024 and are ongoing.
Impact: ProjectSend Exposes Public Servers to Attacks
An analysis of internet-facing ProjectSend servers revealed startling statistics:
| Version | Usage Percentage |
|---|---|
| Patched Version (r1750) | 1% |
| Vulnerable Versions | 99% |
The lack of widespread adoption of the patched version (r1750) is leaving countless servers at risk. This widespread vulnerability could compromise sensitive data and allow attackers to infiltrate systems across industries.
Real-Life Example: Similar Attacks in the Past
This isn’t the first time an overlooked software flaw has led to chaos. In 2021, the infamous Apache Log4j vulnerability, dubbed “Log4Shell,” wreaked havoc globally, affecting systems across industries and prompting emergency fixes.
Much like the ProjectSend case, delays in applying patches gave attackers ample time to exploit the flaw.
Why This Matters
The critical vulnerability in ProjectSend is not just a technical problem; it poses a significant threat to businesses and organizations that rely on this software for secure file sharing.
If attackers gain control of a compromised server, they can steal sensitive information, disrupt operations, and even use the compromised server as a launchpad for attacks on other systems.
What Should You Do Now?
- Update Immediately: Upgrade to the latest version of ProjectSend (r1750).
- Scan for Exploits: Check your system for web shells or unusual activity in the upload/files/ directory.
- Secure Your Server: Implement additional security measures, such as a firewall or intrusion detection system (IDS).
- Monitor Activity: Stay vigilant and monitor logs for unauthorized access attempts.
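A defender-side check for two of the items above, comparing an installed release tag against r1750 and sweeping the upload/files/ directory for files that carry PHP code, written as an added example; it is not code from the article or from the ProjectSend project. It assumes you obtain the release tag (e.g. "r1605") from your own installation, and the sample upload tree it scans is constructed inline.

```python
import os
import re
import tempfile

# Latest patched release named in the article; ProjectSend tags releases "r<number>".
PATCHED_RELEASE = "r1750"

# Markers of server-side PHP code inside a directory that should only hold
# customer uploads; a hit under upload/files/ is a strong web-shell indicator.
PHP_MARKERS = (b"<?php", b"<?=")
SCRIPT_EXTENSIONS = {".php", ".phtml", ".phar", ".php5", ".php7"}


def is_vulnerable(version: str) -> bool:
    """Return True when a release tag such as 'r1605' predates the patched release."""
    m = re.fullmatch(r"r(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised ProjectSend version tag: {version!r}")
    return int(m.group(1)) < int(PATCHED_RELEASE[1:])


def find_suspicious_uploads(upload_dir: str) -> list[str]:
    """Walk upload/files/ and return relative paths that look like web shells."""
    hits = []
    for root, _dirs, files in os.walk(upload_dir):
        for name in files:
            path = os.path.join(root, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                head = fh.read(4096)  # an open tag near the top is enough to flag
            if ext in SCRIPT_EXTENSIONS or any(mark in head for mark in PHP_MARKERS):
                hits.append(os.path.relpath(path, upload_dir))
    return sorted(hits)


def demo() -> list[str]:
    """Constructed sample upload tree: a benign PDF, a PHP file disguised as a
    JPEG, and a plain .php file dropped into a subdirectory."""
    tmp = tempfile.mkdtemp(prefix="projectsend-uploads-")
    samples = {
        "report.pdf": b"%PDF-1.4 benign document (constructed)",
        "invoice.jpg": b"\xff\xd8\xff\xe0 <?php echo 'constructed sample'; ?>",
        os.path.join("sub", "shell.php"): b"<?php echo 'constructed sample'; ?>",
    }
    for rel, data in samples.items():
        full = os.path.join(tmp, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return find_suspicious_uploads(tmp)
```

Point find_suspicious_uploads at your real upload/files/ path; anything it flags should be quarantined and compared against your web server access logs for the request that created it.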
About ProjectSend
ProjectSend is an open-source platform designed for file sharing, offering businesses a convenient and secure way to exchange data. Its popularity stems from its ease of use and customizability, but this latest vulnerability highlights the risks associated with open-source software when patches are delayed.
Wrapping Up
The critical vulnerability in ProjectSend is a wake-up call for businesses to prioritize timely updates and proactive security measures. With attackers actively exploiting these flaws, there’s no time to waste—secure your systems today to protect your data and operations.
FAQs
What makes CVE-2024-11680 so dangerous?
The vulnerability allows attackers to take complete control of a server, execute malicious code, and steal sensitive data, making it a high-risk threat.
How do I know if my ProjectSend server is vulnerable?
If you’re using a version earlier than r1750, your server is likely vulnerable. Check your server logs for unusual activity or exploit attempts.
Can the vulnerability affect non-public servers?
While public-facing servers are the primary targets, attackers could exploit internal servers if they gain access to your network.
What happens if I don’t patch my system?
Unpatched systems are at risk of being exploited, leading to data breaches, financial losses, or damage to your organization’s reputation.