A vital safety flaw impacting the ProjectSend open-source file-sharing utility has seemingly come underneath lively exploitation within the wild, based on findings from VulnCheck.
The vulnerability, initially patched over a year-and-a-half in the past as a part of a commit pushed in Might 2023 , was not formally made accessible till August 2024 with the launch of model r1720. As of November 26, 2024, it has been assigned the CVE identifier CVE-2024-11680 (CVSS rating: 9.8).
Synacktiv, which reported the flaw to the mission maintainers in January 2023, described it as an improper authorization examine that permits an attacker to execute malicious code on vulnerable servers.
“An improper authorization check was identified within ProjectSend version r1605 that allows an attacker to perform sensitive actions such as enabling user registration and auto validation, or adding new entries in the whitelist of allowed extensions for uploaded files,” it mentioned in a report printed in July 2024.
“Ultimately, this allows to execute arbitrary PHP code on the server hosting the application.”
VulnCheck mentioned it noticed unknown risk actors concentrating on public-facing ProjectSend servers being focused by leveraging exploit code launched by Challenge Discovery and Rapid7. The exploitation makes an attempt are believed to have commenced in September 2024.
The assaults have additionally been discovered to allow the person registration function to achieve post-authentication privileges for follow-on exploitation, indicating that they don’t seem to be confined to scanning for weak cases.
“We are likely in the ‘attackers installing web shells’ territory (technically, the vulnerability also allows the attacker to embed malicious JavaScript, too, which could be an interesting and different attack scenario),” VulnCheck’s Jacob Baines mentioned.
“If an attacker has uploaded a web shell, it can be found in a predictable location in upload/files/ off of the webroot.”
An evaluation of internet-exposed ProjectSend servers has revealed {that a} mere 1% of them are utilizing the patched model (r1750), with all of the remaining cases working both an unnamed launch or model r1605, which got here out in October 2022.
In gentle of what seems to be widespread exploitation, customers are beneficial to use the newest patches as quickly as potential to mitigate the lively risk.
