A critical security flaw affecting the ProjectSend open-source file-sharing application has likely come under active exploitation in the wild, according to findings from VulnCheck.
The vulnerability, originally patched over a year and a half ago as part of a commit pushed in May 2023, was not officially made available until August 2024 with the release of version r1720. As of November 26, 2024, it has been assigned the CVE identifier CVE-2024-11680 (CVSS score: 9.8).
Synacktiv, which reported the flaw to the project maintainers in January 2023, described it as an improper authorization check that allows an attacker to execute malicious code on vulnerable servers.
"An improper authorization check was identified within ProjectSend version r1605 that allows an attacker to perform sensitive actions such as enabling user registration and auto validation, or adding new entries in the whitelist of allowed extensions for uploaded files," it said in a report published in July 2024.
"Ultimately, this allows executing arbitrary PHP code on the server hosting the application."
VulnCheck said it observed unknown threat actors targeting public-facing ProjectSend servers by leveraging exploit code released by Project Discovery and Rapid7. The exploitation attempts are believed to have commenced in September 2024.
The attacks have also been found to enable the user registration feature in order to gain post-authentication privileges for follow-on exploitation, indicating that they are not confined to scanning for vulnerable instances.
"We're likely in the 'attackers installing web shells' territory (technically, the vulnerability also allows the attacker to embed malicious JavaScript, too, which could be an interesting and different attack scenario)," VulnCheck's Jacob Baines said.
"If an attacker has uploaded a web shell, it can be found in a predictable location in upload/files/ off of the webroot."
An analysis of internet-exposed ProjectSend servers has revealed that a mere 1% of them are using the patched version (r1750), with all the remaining instances running either an unnamed release or version r1605, which came out in October 2022.
In light of what appears to be widespread exploitation, users are advised to apply the latest patches as soon as possible to mitigate the active threat.