Critical Vulnerability Discovered in ProjectSend Application
Quick take - A critical security vulnerability in ProjectSend, identified as CVE-2024-11680, poses a significant risk due to low adoption of available patches, with nearly 99% of public-facing instances remaining unupdated despite multiple advisories and evidence of ongoing exploitation attempts.
Fast Facts
- A critical vulnerability (CVE-2024-11680) in ProjectSend was disclosed on November 26, 2024, with a patch available since May 16, 2023.
- Nearly 99% of public-facing ProjectSend instances remain unpatched, posing a severe risk of exploitation.
- Multiple security firms have published working exploits for the vulnerability, with public exploit code available months before the CVE assignment.
- Evidence of exploitation attempts includes over 100 IP addresses targeting the application and unusual modifications to vulnerable servers.
- Security professionals are urged to assess exposure, implement remediations, and monitor for ongoing exploitation activities.
Critical Security Vulnerability in ProjectSend
A critical security vulnerability in ProjectSend, an open-source file-sharing web application, has been identified, leading to urgent advisories from security experts. The vulnerability, designated as CVE-2024-11680, was publicly disclosed on November 26, 2024. A patch to address this vulnerability has been available since May 16, 2023. Despite the availability of the patch, nearly 99% of public-facing ProjectSend instances have not been upgraded to the patched version released in August 2024. This situation indicates a severe risk of exploitation.
ProjectSend Overview
ProjectSend has nearly 1,500 stars on GitHub and over 4,000 instances indexed by Censys. Since the patch’s release, multiple security firms, including Synacktiv, ProjectDiscovery (Nuclei), and Rapid7 (Metasploit), have published working exploits for the vulnerability. Public exploit code was accessible months before the official CVE assignment, raising concerns about oversight in documentation and vulnerability management.
Timeline of Key Events
- January 19, 2023: Synacktiv disclosed the vulnerability to ProjectSend.
- May 16, 2023: The initial patch for the vulnerability was released.
- July 19, 2024: Synacktiv published an advisory regarding the vulnerability.
- August 3, 2024: The official patch was included in ProjectSend version r1720.
- August 30, 2024: A pull request for Metasploit was initiated.
- September 3, 2024: A pull request for Nuclei was opened.
- November 25, 2024: The CVE-2024-11680 was assigned by VulnCheck.
Since the patch’s release, attackers have attempted to exploit the vulnerability, with evidence suggesting that exploitation may involve the installation of webshells. The VulnCheck Initial Access team has identified over one hundred IP addresses targeting the vulnerable application interface. Modifications to public-facing ProjectSend servers have been observed, including unusual changes in landing page titles appearing as long, random strings.
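To turn the indicator described above into something a defender can check, here is an added example (not code from this article, from VulnCheck, or from the ProjectSend project) that extracts a landing page's title and flags titles that look like long random strings. The hostnames, the HTML fixtures, and the length and entropy thresholds are constructed assumptions for illustration; the script only inspects page content you supply and does not probe for the vulnerability.

```python
import math
import re
from html.parser import HTMLParser


class _TitleExtractor(HTMLParser):
    """Collects the text of the first <title> element in a page."""

    def __init__(self):
        super().__init__()
        self._in_title = False
        self._buf = []
        self.title = None

    def handle_starttag(self, tag, attrs):
        if tag == "title" and self.title is None:
            self._in_title = True
            self._buf = []

    def handle_data(self, data):
        if self._in_title:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "title" and self._in_title:
            self._in_title = False
            self.title = "".join(self._buf).strip()


def extract_title(html):
    """Return the landing page <title> text, or None if the page has none."""
    parser = _TitleExtractor()
    parser.feed(html)
    parser.close()
    return parser.title


def shannon_entropy(text):
    """Bits of entropy per character; 0.0 for empty or single-character text."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_random(title, min_len=24, min_entropy=3.5):
    """Heuristic for the 'long, random string' title indicator.

    Flags a title that is one unbroken alphanumeric token, at least
    min_len characters long, with high character entropy. A normal
    title ('ProjectSend', 'Acme Secure File Transfer') is short or
    contains spaces, so it is not flagged. Thresholds are assumptions.
    """
    if not title:
        return False
    token = title.strip()
    if len(token) < min_len:
        return False
    if not re.fullmatch(r"[A-Za-z0-9]+", token):
        return False
    return shannon_entropy(token) >= min_entropy


def triage(pages):
    """Map each host to its title and whether the title matches the indicator."""
    report = {}
    for host, html in pages.items():
        title = extract_title(html)
        report[host] = {"title": title, "suspicious": looks_random(title)}
    return report


# Constructed fixtures (not captured from real servers). host-b.example
# imitates the observed indicator: the page title replaced by a long
# random string.
SAMPLE_PAGES = {
    "host-a.example": "<html><head><title>ProjectSend</title></head><body></body></html>",
    "host-b.example": "<html><head><title>q8Zt2mXv7LpR4kWd9YhB3nCj6FgS1aTe</title></head></html>",
    "host-c.example": "<html><head><title>Acme Corp Secure File Transfer Portal</title></head></html>",
    "host-d.example": "<html><head></head><body>no title element</body></html>",
}

if __name__ == "__main__":
    for host, row in triage(SAMPLE_PAGES).items():
        flag = "SUSPICIOUS" if row["suspicious"] else "ok"
        print(f"{host:16} {flag:10} title={row['title']!r}")
```

Run it over saved copies of your own instances' landing pages (or feed `triage` from whatever fetches them). A flagged title is a prompt to inspect that server for unauthorized file changes and to confirm its version against the patched release, not proof of compromise on its own; a server can be compromised without this particular indicator appearing.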
Current Status and Recommendations
Approximately 1% of internet-facing systems are using the latest patched version, r1750. The majority of systems are running older versions: 55% are on version r1605, released in October 2022, and 44% are on an unnamed release from April 2023. Given the low patch adoption rate, widespread exploitation is considered likely.
Security professionals are urged to evaluate their customers’ exposure to this vulnerability. They are advised to implement necessary remediations and engage in incident response activities. The VulnCheck Initial Access team remains vigilant in monitoring for new exploitation activities related to this significant security concern.