A critical security flaw impacting the ProjectSend open-source file-sharing application has likely come under active exploitation in the wild, according to findings from VulnCheck.
The vulnerability, originally patched over a year-and-a-half ago as part of a commit pushed in May 2023 , was not officially made available until August 2024 with the release of version r1720. As of November 26, 2024, it has been assigned the CVE identifier CVE-2024-11680 (CVSS score: 9.8).
Synacktiv, which reported the flaw to the project maintainers in January 2023, described it as an improper authorization check that allows an attacker to execute malicious code on susceptible servers.
“An improper authorization check was identified within ProjectSend version r1605 that allows an attacker to perform sensitive actions such as enabling user registration and auto validation, or adding new entries in the whitelist of allowed extensions for uploaded files,” it said in a report published in July 2024.
“Ultimately, this allows to execute arbitrary PHP code on the server hosting the application.”
VulnCheck said it observed unknown threat actors targeting public-facing ProjectSend servers being targeted by leveraging exploit code released by Project Discovery and Rapid7. The exploitation attempts are believed to have commenced in September 2024.
The attacks have also been found to enable the user registration feature to gain post-authentication privileges for follow-on exploitation, indicating that they are not confined to scanning for vulnerable instances.
“We are likely in the ‘attackers installing web shells’ territory (technically, the vulnerability also allows the attacker to embed malicious JavaScript, too, which could be an interesting and different attack scenario),” VulnCheck’s Jacob Baines said.
“If an attacker has uploaded a web shell, it can be found in a predictable location in upload/files/ off of the webroot.”
An analysis of internet-exposed ProjectSend servers has revealed that a mere 1% of them are using the patched version (r1750), with all the remaining instances running either an unnamed release or version r1605, which came out in October 2022.
In light of what appears to be widespread exploitation, users are recommended to apply the latest patches as soon as possible to mitigate the active threat.