Hackers are actively exploiting a critical authentication vulnerability in ProjectSend, a popular open-source file-sharing web application.
The vulnerability, now identified as CVE-2024-11680, allows remote, unauthenticated attackers to bypass authentication and modify the application’s configuration, potentially leading to unauthorized account creation, webshell uploads, and malicious JavaScript injection.
Despite the patch being available since May 16, 2023, the CVE was only assigned on November 26, 2024, leaving many systems exposed for over a year.
The delay in CVE assignment is particularly notable given that Rapid7, a CVE Numbering Authority, had already published a Metasploit module for this vulnerability.
Security researchers at VulnCheck have observed clear signs of exploitation in the wild. Public-facing ProjectSend servers have been found with altered landing page titles, consistent with the behavior of both Nuclei and Metasploit exploit tools.
Technical Analysis
These tools modify the victim’s configuration file to change the site name, resulting in long, random-like strings appearing in HTTP titles.
More alarmingly, attackers are not limiting themselves to mere vulnerability testing. VulnCheck has noted widespread enabling of user registration settings, a non-default configuration that allows attackers to gain post-authentication privileges.
This suggests that malicious actors are likely moving beyond testing and potentially installing webshells or embedding malicious JavaScript. The vulnerability’s impact is exacerbated by poor patch adoption rates.
VulnCheck’s analysis of internet-facing ProjectSend instances revealed that only 1% are running the patched version (r1750). A staggering 55% are still using the vulnerable r1605 version released in October 2022, while 44% are on an unnamed release from April 2023.
.webp)
Given the timeline of events, available exploits, and low patch adoption, security experts believe that exploitation is likely widespread and could increase significantly in the near future.
.webp)
The vulnerability allows attackers to send crafted HTTP requests to options.php, enabling unauthorized modification of the application’s configuration.
Organizations using ProjectSend are strongly advised to immediately upgrade to version r1720 or later to mitigate this critical security risk.
Additionally, security teams should assess their exposure, implement necessary remediations, and conduct thorough incident response activities to detect any potential compromises.
This incident underscores the importance of prompt patching and the need for better coordination in vulnerability disclosure and CVE assignment processes.
As the threat landscape continues to evolve, staying vigilant and maintaining up-to-date security measures remains crucial for organizations of all sizes.