Threat actors are likely exploiting ProjectSend servers unpatched against a vulnerability that was publicly disclosed roughly a year and a half ago, VulnCheck warns.
An open source application written in PHP, ProjectSend is designed for file sharing, enabling users to create client groups, assign user roles, and access statistics, detailed logs, notifications, and more.
The exploited issue, tracked as CVE-2024-11680 (CVSS score of 9.8), is described as an improper authentication vulnerability that could allow remote, unauthenticated attackers to modify the application’s configuration.
Attackers could send crafted HTTP requests to the options.php endpoint to create rogue accounts, upload webshells, and potentially embed malicious JavaScript code, a NIST advisory reads.
The vulnerability was discovered and reported by Synacktiv in January 2023 and a patch commit was pushed to ProjectSend’s GitHub repository in May 2023.
According to Synacktiv, the flaw, identified in ProjectSend version r1605, but likely affecting all iterations down to r1270, exists because some of the application’s PHP pages would perform authorization checks only after executing the rest of the code, essentially allowing unauthenticated users to perform privileged operations.
“An improper authorization check was identified within ProjectSend version r1605 that allows an attacker to perform sensitive actions such as enabling user registration and auto validation, or adding new entries in the whitelist of allowed extensions for uploaded files. Ultimately, this allows [attackers] to execute arbitrary PHP code on the server hosting the application,” Synacktiv noted in a July 2024 advisory (PDF).
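The ordering defect Synacktiv describes, shown as an added illustration rather than ProjectSend's own code: a hypothetical settings handler that applies the requested change first and only then checks whether the caller is an administrator, next to the corrected ordering. The function names (`save_setting_vulnerable`, `save_setting_fixed`, `require_admin`), the `$session` and `$settings` arrays and the setting keys are assumptions for the example.

```php
<?php
// Added example, not ProjectSend's code. Demonstrates why "act first, authorize
// last" lets an unauthenticated caller change application settings.
declare(strict_types=1);

// Constructed in-memory stand-ins for the session and the settings store.
$session  = ['user_id' => null, 'role' => null];           // anonymous visitor
$settings = ['allow_registration' => '0', 'allowed_extensions' => 'pdf,png'];

// Hypothetical guard: throws unless the session belongs to an admin.
function require_admin(array $session): void
{
    if (($session['user_id'] ?? null) === null || ($session['role'] ?? '') !== 'admin') {
        throw new RuntimeException('forbidden');
    }
}

// Vulnerable ordering: the write happens before the authorization check,
// so the check cannot undo it even though the request ends in an error.
function save_setting_vulnerable(array $session, array &$settings, string $key, string $value): bool
{
    if (array_key_exists($key, $settings)) {
        $settings[$key] = $value;   // state already changed for an anonymous caller
    }
    require_admin($session);        // too late: the side effect has happened
    return true;
}

// Fixed ordering: authorize before touching any state.
function save_setting_fixed(array $session, array &$settings, string $key, string $value): bool
{
    require_admin($session);        // unauthenticated callers never reach the write
    if (!array_key_exists($key, $settings)) {
        return false;
    }
    $settings[$key] = $value;
    return true;
}

// Demonstration with the anonymous session against a copy of the settings.
$copy = $settings;
try {
    save_setting_vulnerable($session, $copy, 'allow_registration', '1');
} catch (RuntimeException $e) {
    // request is rejected, but the setting was already flipped
}
echo "vulnerable: allow_registration=", $copy['allow_registration'], PHP_EOL;

$copy = $settings;
try {
    save_setting_fixed($session, $copy, 'allow_registration', '1');
} catch (RuntimeException $e) {
    // request is rejected and nothing was written
}
echo "fixed:      allow_registration=", $copy['allow_registration'], PHP_EOL;
```

Run from the command line, the vulnerable path reports the setting as enabled despite the rejected request, while the fixed path leaves it at its original value. The durable fix is structural rather than per-page: resolve authentication and authorization in a front controller or middleware before any page-specific code runs, so that a forgotten or misplaced check on one page cannot expose a privileged operation.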
Shortly after Synacktiv published its advisory, ProjectSend released version r1720 of the software, which officially patched the vulnerability. A CVE identifier, however, was issued only this week, after VulnCheck noticed that the bug had been exploited in the wild.
Even before a CVE identifier was assigned, Synacktiv, Project Discovery (Nuclei), and Rapid7 (Metasploit) released public exploits for the flaw now tracked as CVE-2024-11680, and attackers appear to have adopted them in attacks starting in September.
“VulnCheck noticed that public-facing ProjectSend servers had started to change their landing page titles to long, random-ish strings. Some of the ‘random’ names have larger groupings. […] These long and random-ish names are in line with how both Nuclei and Metasploit implement their vulnerability testing logic,” the vulnerability intelligence firm notes.
According to VulnCheck, the observed attacks go beyond just testing whether the discoverable ProjectSend instances are vulnerable to CVE-2024-11680, and involve enabling user registration to obtain post-authentication privileges, resulting in the landing page prompting visitors to register an account.
“Given how widespread we are seeing this setting enabled, we think this is likely a bigger problem than ‘researchers intrusively checking for vulnerable versions’. We are likely in the ‘attackers installing webshells’ territory,” VulnCheck notes.
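The two indicators VulnCheck reports, a landing page title replaced with a long random-looking string and a landing page that now offers account registration, can be checked on one's own instance from the fetched HTML. The following triage helper is an added example, not VulnCheck's or ProjectSend's code; the title-length and entropy thresholds and the registration markers it looks for are assumptions, and the two sample pages are constructed rather than captured from real servers.

```php
<?php
// Added defender-side triage example, not ProjectSend's or VulnCheck's code.
// Input: the HTML of your own ProjectSend landing page (fetched separately).
declare(strict_types=1);

// Pulls the <title> text out of an HTML document, or null if there is none.
function extractTitle(string $html): ?string
{
    if (preg_match('/<title[^>]*>(.*?)<\/title>/is', $html, $m) !== 1) {
        return null;
    }
    return trim(html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Shannon entropy in bits per byte; an ordinary product title scores well
// below a random alphanumeric string of the same length.
function shannonEntropy(string $s): float
{
    $len = strlen($s);
    if ($len === 0) {
        return 0.0;
    }
    $h = 0.0;
    foreach (count_chars($s, 1) as $count) {
        $p = $count / $len;
        $h -= $p * log($p, 2);
    }
    return $h;
}

// Returns the names of the indicators that fired; an empty array means none.
function triageLandingPage(string $html): array
{
    $hits  = [];
    $title = extractTitle($html) ?? '';

    // Indicator 1: long, random-looking title (assumed thresholds: at least
    // 16 characters, purely alphanumeric, entropy above 3.5 bits per byte).
    $alnumOnly = preg_replace('/[^A-Za-z0-9]/', '', $title);
    if (strlen($title) >= 16 && strlen($alnumOnly) === strlen($title) && shannonEntropy($title) > 3.5) {
        $hits[] = 'random-looking title: ' . $title;
    }

    // Indicator 2: registration offered on the landing page (assumed markers;
    // adjust to how your instance renders its registration link or form).
    if (preg_match('/register\.php|name="register"|>\s*register\s*</i', $html) === 1) {
        $hits[] = 'registration prompt present';
    }
    return $hits;
}

// Constructed sample pages for a self-contained run.
$clean    = '<html><head><title>ProjectSend</title></head>'
          . '<body><form action="index.php">Log in</form></body></html>';
$tampered = '<html><head><title>xkq9v2mpl7ab3ndz8wqc</title></head>'
          . '<body><a href="register.php">Register</a></body></html>';

foreach (['clean' => $clean, 'tampered' => $tampered] as $name => $page) {
    $hits = triageLandingPage($page);
    echo $name, ': ', $hits ? implode('; ', $hits) : 'no indicators', PHP_EOL;
}
```

The clean page produces no indicators; the tampered page trips both. A hit is a reason to compare the instance's settings (user registration, the upload extension whitelist) and its upload directories against a known-good state, and in any case to confirm the installed version is r1720 or later.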
There are roughly 4,000 ProjectSend instances indexed by Censys, and VulnCheck says its own scanner has revealed that most of the internet-facing instances have not been updated to r1720, which contains the official patch.
Approximately 55% of the instances were found running version r1605, which was confirmed to be vulnerable, 44% were using an unnamed release from April 2023, and only 1% were running the patched version.
“Given the timeline, evidence of exploitation, and lack of patch adoption, we assume that exploitation is likely widespread. And if not now, then in the near future, considering the abysmal patching rates,” VulnCheck notes.