Critical Vulnerability in ProjectSend Exposes Public Servers to Attacks


Cybersecurity experts are raising alarms about a critical vulnerability in ProjectSend, an open-source file-sharing application widely used by businesses and organizations to share sensitive files securely.

This flaw, identified as CVE-2024-11680, has a dangerously high CVSS score of 9.8, signaling its severe risk level. Even more concerning, attackers are actively exploiting it, exposing public servers to potential attacks.

Key Takeaway:

  • A critical vulnerability in ProjectSend is actively being exploited, highlighting the urgency for users to patch their systems immediately.

What Is the Critical Vulnerability in ProjectSend?

The vulnerability in ProjectSend stems from an improper authorization check in older versions of the software, specifically version r1605, released in October 2022.

This flaw allows attackers to execute malicious actions on unpatched servers, such as enabling unauthorized user registrations, modifying file upload permissions, and even executing arbitrary PHP code.

Synacktiv, a cybersecurity firm, first reported the flaw to ProjectSend maintainers in January 2023.

While the vulnerability was patched in May 2023, the official fix wasn’t rolled out until version r1720 in August 2024, leaving a significant window of opportunity for exploitation.

How the Exploits Work

Threat actors are actively targeting public-facing ProjectSend servers using exploit codes released by cybersecurity platforms like Project Discovery and Rapid7.

Attack Chain Overview:

  • Phishing or Scanning: Attackers identify vulnerable ProjectSend servers via automated scans or targeted phishing.
  • Enabling User Registration: The exploit enables unauthorized user registration and auto-validation for further exploitation.
  • Web Shell Upload: Malicious files (web shells) are uploaded to the server, enabling attackers to execute commands.
  • Server Control: Full control is gained, allowing attackers to steal sensitive data or launch broader attacks.

Cybersecurity researchers from VulnCheck discovered that these attackers aren’t merely scanning servers—they’re uploading web shells and embedding malicious scripts to maintain access. These attacks likely began in September 2024 and are ongoing.

Impact: ProjectSend Exposes Public Servers to Attacks

An analysis of internet-facing ProjectSend servers revealed startling statistics:

  • Patched Version (r1750): 1% of internet-facing servers
  • Vulnerable Versions: 99% of internet-facing servers

The lack of widespread adoption of the patched version (r1750) is leaving countless servers at risk. This widespread vulnerability could compromise sensitive data and allow attackers to infiltrate systems across industries.

Real-Life Example: Similar Attacks in the Past

This isn’t the first time an overlooked software flaw has led to chaos. In 2021, the infamous Apache Log4j vulnerability, dubbed “Log4Shell,” wreaked havoc globally, affecting systems across industries and prompting emergency fixes.

Much like ProjectSend, the delay in applying patches gave attackers ample time to exploit the flaw.

Why This Matters

The critical vulnerability in ProjectSend is not only a technical problem; it poses a significant threat to businesses and organizations relying on this software for secure file sharing.

If attackers gain control of a compromised server, they can steal sensitive information, disrupt operations, and even use the compromised server as a launchpad for attacks on other systems.

What Should You Do Now?

  • Update Immediately: Upgrade to the latest version of ProjectSend (r1750).
  • Scan for Exploits: Check your system for web shells or unusual activity in the upload/files/ directory.
  • Secure Your Server: Implement additional security measures, such as a firewall or intrusion detection system (IDS).
  • Monitor Activity: Stay vigilant and monitor logs for unauthorized access attempts.
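The "Scan for Exploits" and "Update Immediately" steps above can be turned into a small, repeatable triage check. The following script is an added example written for this article; it is not code from the article or from the ProjectSend project. It assumes a standard install layout with the upload directory at `<root>/upload/files/` and release tags of the form `r1605`; the file-name and modification-time heuristics catch the obvious web-shell drops the article describes, not every possible payload.

```python
"""Triage helpers for a ProjectSend install (added example, not project code).

Assumptions, not taken from the article: the install root contains
upload/files/, and release tags look like "r1720". The patched release
used as the default baseline (r1750) is the one the article names.
"""
import calendar
import os
import re
import tempfile
import time
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Extensions the web server may execute as PHP. None of these belong in a
# file-sharing upload directory, so any hit is treated as a possible web shell.
EXECUTABLE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
_EXEC_WORDS = {e.lstrip(".") for e in EXECUTABLE_EXTENSIONS}

# The article dates the start of observed exploitation to September 2024.
SEPT_2024 = calendar.timegm((2024, 9, 1, 0, 0, 0))


@dataclass
class Finding:
    path: str    # path relative to upload/files/
    reason: str  # why it was flagged


def parse_release(tag: str) -> int:
    """Turn a release tag such as 'r1605' into a comparable integer."""
    m = re.fullmatch(r"\s*r?(\d+)\s*", tag)
    if not m:
        raise ValueError(f"unrecognised ProjectSend release tag: {tag!r}")
    return int(m.group(1))


def is_vulnerable(installed: str, fixed: str = "r1750") -> bool:
    """True when the installed release predates the fixed release."""
    return parse_release(installed) < parse_release(fixed)


def triage_names(names: Iterable[str]) -> List[Finding]:
    """Pure name-based check over files found under upload/files/."""
    findings: List[Finding] = []
    for name in names:
        base = os.path.basename(name)
        ext = os.path.splitext(base)[1].lower()
        inner = [p.lower() for p in base.split(".")[1:-1]]  # e.g. 'php' in shell.php.jpg
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(Finding(name, f"server-executable extension {ext}"))
        elif any(p in _EXEC_WORDS for p in inner):
            findings.append(Finding(name, "executable extension hidden inside the file name"))
    return findings


def scan_upload_dir(root: str, since: Optional[float] = None) -> List[Finding]:
    """Walk <root>/upload/files/ and flag suspicious names and, optionally,
    anything modified at or after the `since` epoch timestamp."""
    upload_dir = os.path.join(root, "upload", "files")
    if not os.path.isdir(upload_dir):
        raise FileNotFoundError(f"no upload/files directory under {root}")
    mtimes = {}
    for dirpath, _, files in os.walk(upload_dir):
        for fn in files:
            full = os.path.join(dirpath, fn)
            mtimes[os.path.relpath(full, upload_dir)] = os.path.getmtime(full)
    findings = triage_names(mtimes)
    if since is not None:
        flagged = {f.path for f in findings}
        stamp = time.strftime("%Y-%m-%d", time.gmtime(since))
        for rel, mt in sorted(mtimes.items()):
            if rel not in flagged and mt >= since:
                findings.append(Finding(rel, f"modified on or after {stamp}"))
    return findings


def build_demo_install() -> str:
    """Create a throwaway install tree with constructed sample files."""
    root = tempfile.mkdtemp(prefix="projectsend-demo-")
    upload_dir = os.path.join(root, "upload", "files")
    os.makedirs(upload_dir)
    for name in ["quarterly.pdf", "notes.txt", "invoice.pdf.php", "c99.phtml", "shell.php.jpg"]:
        with open(os.path.join(upload_dir, name), "w") as fh:
            fh.write("constructed sample content\n")
    # Backdate one legitimate file so the mtime heuristic has something to skip.
    old = calendar.timegm((2022, 1, 1, 0, 0, 0))
    os.utime(os.path.join(upload_dir, "quarterly.pdf"), (old, old))
    return root


if __name__ == "__main__":
    for tag in ("r1605", "r1750"):
        print(f"{tag}: {'VULNERABLE, upgrade' if is_vulnerable(tag) else 'at or above fixed release'}")
    for f in scan_upload_dir(build_demo_install(), since=SEPT_2024):
        print(f"FLAG {f.path}: {f.reason}")
```

Run it against a real install by calling `scan_upload_dir("/var/www/projectsend", since=SEPT_2024)` (path is a placeholder); anything it flags should be quarantined and reviewed together with the web server access logs, and the version check tells you whether the upgrade still has to happen at all.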

About ProjectSend

ProjectSend is an open-source platform designed for file sharing, offering businesses a convenient and secure way to exchange data. Its popularity stems from its ease of use and customizability, but this latest vulnerability highlights the risks associated with open-source software when patches are delayed.

Wrapping Up

The critical vulnerability in ProjectSend is a wake-up call for businesses to prioritize timely updates and proactive security measures. With attackers actively exploiting these flaws, there’s no time to waste—secure your systems today to protect your data and operations.

FAQs

What makes CVE-2024-11680 so dangerous?

The vulnerability allows attackers to take complete control of a server, execute malicious code, and steal sensitive data, making it a high-risk threat.

How do I know if my ProjectSend server is vulnerable?

If you’re using a version earlier than r1750, your server is likely vulnerable. Check your server logs for unusual activity or exploit attempts.

Can the vulnerability affect non-public servers?

While public-facing servers are the primary targets, attackers could exploit internal servers if they gain access to your network.

What happens if I don’t patch my system?

Unpatched systems are at risk of being exploited, leading to data breaches, financial losses, or damage to your organization’s reputation.
