Hackers exploit ProjectSend flaw to backdoor exposed servers

Threat actors are using public exploits for a critical authentication bypass flaw in ProjectSend to upload webshells and gain remote access to servers.

The flaw, tracked as CVE-2024-11680, is a critical authentication bug affecting ProjectSend versions before r1720, allowing attackers to send specially crafted HTTP requests to ‘options.php’ to modify the application’s configuration.

Successful exploitation allows the creation of rogue accounts, planting webshells, and embedding malicious JavaScript code.

Although the flaw was fixed on May 16, 2023, it was not assigned a CVE until yesterday, leaving users unaware of its severity and of the urgency of applying the security update.

According to VulnCheck, which has detected active exploitation, the patching pace has been abysmal so far, with 99% of ProjectSend instances still running a vulnerable version.

Thousands of instances exposed

ProjectSend is an open-source file-sharing web application designed to facilitate secure, private file transfers between a server administrator and clients.

It’s a fairly popular application used by organizations that prefer self-hosted solutions over third-party services like Google Drive and Dropbox.

Censys reports that there are roughly 4,000 public-facing ProjectSend instances online, most of which are vulnerable, says VulnCheck.

Specifically, the researchers report that, based on Shodan data, 55% of the exposed instances run r1605, released in October 2022, 44% use an unnamed release from April 2023, and only 1% is on r1750, the patched version.

VulnCheck reports seeing active exploitation of CVE-2024-11680 that extends beyond mere testing, including altering system settings to enable user registration, gaining unauthorized access, and deploying webshells to maintain control over compromised servers.

Enabling new user registrations
Source: VulnCheck

This activity increased since September 2024, when Metasploit and Nuclei released public exploits for CVE-2024-11680.

“VulnCheck noticed that public-facing ProjectSend servers had started to change their landing page titles to long, random-ish strings,” reads the report.

“These long and random-ish names are in line with how both Nuclei and Metasploit implement their vulnerability testing logic.”

“Both exploit tools modify the victim’s configuration file to alter the sitename (and therefore HTTP title) with a random value.”

GreyNoise lists 121 IPs linked to this activity, suggesting widespread attempts rather than an isolated source.

Attack victims as they appear on Shodan
Source: VulnCheck

VulnCheck warns that the webshells are stored in the ‘upload/files’ directory, with names generated from a POSIX timestamp, the SHA1 hash of the username, and the original file name and extension.

Direct access to these files via the web server indicates active exploitation.
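The two indicators above (script files dropped under upload/files, and direct web requests for them) can be turned into a simple detection. The following Python script is an added example, not code from the article, VulnCheck or the ProjectSend project. It assumes uploads live under <webroot>/upload/files/, that the stored name joins the three components with underscores as <timestamp>_<sha1 of username>_<original name> (the article gives the components but not the separator), and that the web server writes Common Log Format; all sample log lines and file names are constructed.

```python
"""Detect direct access to ProjectSend stored uploads and script files among them.

Added example; assumptions: upload path, '_' separator in stored names, CLF logs.
"""
import hashlib
import re

UPLOAD_DIR = "/upload/files/"
# Assumed stored-name layout: 10-digit POSIX timestamp, 40-hex SHA1, original name.
UPLOAD_NAME = re.compile(r"^\d{10}_[0-9a-f]{40}_.+$", re.IGNORECASE)
# Server-side script extensions that should never sit in a client-upload directory.
SCRIPT_EXT = re.compile(r"\.(?:php\d?|phtml|phar)$", re.IGNORECASE)
# Common Log Format: ip ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def classify_request(line):
    """Return (severity, reason) for a log line that fetches a stored upload
    directly through the web server, or None for anything else. Per the report,
    direct access to these files is itself an exploitation indicator; a script
    extension, and a name matching the upload pattern, make it a strong one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # drop query string before matching
    if UPLOAD_DIR not in path:
        return None
    name = path.rsplit("/", 1)[-1]
    is_script = bool(SCRIPT_EXT.search(name))
    named_like_upload = bool(UPLOAD_NAME.match(name))
    if is_script and named_like_upload:
        return ("high", "script file with ProjectSend upload naming fetched directly")
    if is_script:
        return ("high", "script file fetched directly from upload directory")
    return ("medium", "stored upload fetched directly via the web server")


def scan_log(lines):
    """Run classify_request over an iterable of log lines; return hits as dicts."""
    hits = []
    for line in lines:
        verdict = classify_request(line)
        if verdict is None:
            continue
        m = LOG_RE.match(line)
        hits.append({
            "ip": m.group("ip"),
            "path": m.group("path"),
            "status": int(m.group("status")),
            "severity": verdict[0],
            "reason": verdict[1],
        })
    return hits


def suspicious_stored_files(names):
    """Filesystem-side check over a listing of upload/files: return (name, timestamp)
    for entries with a script extension. The timestamp is parsed from the assumed
    name layout when present so the drop time can be lined up with the log."""
    out = []
    for name in names:
        if not SCRIPT_EXT.search(name):
            continue
        ts = int(name.split("_", 1)[0]) if UPLOAD_NAME.match(name) else None
        out.append((name, ts))
    return out


# Constructed sample data: username "admin", two stored files, four log lines.
ADMIN_SHA1 = hashlib.sha1(b"admin").hexdigest()
SHELL_NAME = f"1732701735_{ADMIN_SHA1}_cmd.php"
DOC_NAME = f"1732705000_{ADMIN_SHA1}_report.pdf"
SAMPLE_DIR_LISTING = ["index.html", DOC_NAME, SHELL_NAME]
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Nov/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 4821',
    '203.0.113.7 - - [27/Nov/2024:10:01:09 +0000] "POST /options.php HTTP/1.1" 302 0',
    f'203.0.113.7 - - [27/Nov/2024:10:02:15 +0000] "POST {UPLOAD_DIR}{SHELL_NAME}?x=1 HTTP/1.1" 200 113',
    f'198.51.100.4 - - [27/Nov/2024:11:15:00 +0000] "GET {UPLOAD_DIR}{DOC_NAME} HTTP/1.1" 200 90311',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"[{hit['severity']}] {hit['ip']} {hit['path']} ({hit['reason']})")
    for name, ts in suspicious_stored_files(SAMPLE_DIR_LISTING):
        print(f"script in upload dir: {name} (dropped at POSIX {ts})")
```

Point the log scanner at the access log of each exposed instance and the filesystem check at the actual upload/files directory; any "high" hit, or any script file in that directory, warrants treating the host as compromised rather than merely vulnerable, since the directory is meant to hold client documents only.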

The researchers warn that upgrading to ProjectSend version r1750 as soon as possible is critical, as attacks are likely already widespread.
