Researchers have warned that threat actors are actively exploiting a critical vulnerability in a widely-used open source file sharing app.
A report from vulnerability intelligence platform VulnCheck warned that potentially thousands of instances of ProjectSend are impacted by a serious flaw rated 9.8 on the CVSS.
ProjectSend is an open source file sharing web application used by businesses to securely share files with clients, which VulnChecks described as “moderately popular” with 1,500 stars on GitHub and more than 4,000 instances indexed by Censys.
The flaw, CVE-2024-11680, is an improper authentication issue that could be exploited by remote attackers using crafted HTTP requests, enabling unauthorized modification of the app configuration.
The NVD description warns successful exploitation could allow attackers to create accounts, upload webshells, and embed malicious JavaScript.The issue was originally uncovered by researchers at Synacktiv, who disclosed the flaw to ProjectSend in January 2023.
The advisory, released by Synacktiv in July 2024, said the flaw could allow attackers to perform sensitive actions such as enabling user registration and auto validation, or adding new entries in the whitelist of allowed extensions for uploaded files.
Ultimately this would allow threat actors to execute arbitrary PHP code on the server hosting the application.
The issue affects versions of ProjectSend before r1720, with VulnCheck noting that although the CVE was published a few days ago on 26 November 2024, a patch neutralizing the flag has been available for over a year, released on 16 May 2023.
Despite this, VulnCheck found 99% of ProjectSend instances remain vulnerable and had not upgraded to the patched version.
ProjectSend exploitation likely due to “abysmal patch rate”
The report noted that since the patch was released multiple threat intelligence firms published exploits, but there was no CVE published, speculating the criminals have been using these exploits in their attacks.
“Since the patch release, multiple exploits have been published by Synactiv, Project Discovery (Nuclei), and Rapid7 (Metasploit). The lack of a CVE is an oversight that stands out, particularly given Rapid7’s status as a CNA (CVE Numbering Authority) with Researcher and Open Source scope.”
VulnCheck said it discovered threat actors were exploiting the vulnerability in the wild, after it noticed a change in the landing pages of public-facing ProjectSend servers.
“VulnCheck noticed that public-facing ProjectSend servers had started to change their landing page titles to long, random-ish strings. Some of the “random” names have larger groupings,” the report explained.
“These long and random-ish names are in line with how both Nuclei and Metasploit implement their vulnerability testing logic. Both exploit tools modify the victim’s configuration file to alter the sitename (and therefore HTTP title) with a random value.”
These random titles started appearing in September, according to VulnCheck just as the Metasploit and Nuclei exploits were made public.
In light of the timeline of events and the given evidence of exploitation, VulnCheck said it was safe to assume that exploitation was widespread, and “if not now, then in the near future due considering the abysmal patching rates.”
The report concluded that due to the absence of a CVE assignment, centralised documentation on the flaw was severely lacking, emphasizing the importance that security companies follow the necessary steps to keep the industry informed and protected.
“With the CVE now assigned and evidence of ongoing exploitation, it is crucial for security companies to assess their customers’ exposure, implement necessary remediations, and conduct incident response activities as needed.”
