Security researchers at VulnCheck have uncovered a large-scale cyber attack campaign targeting ProjectSend servers worldwide. The attacks exploit a critical authentication bypass vulnerability (CVE-2024-11680) rated 9.8 on the CVSS scale, highlighting an urgent security concern for organizations using this popular file-sharing solution. Despite a patch being available for over 18 months, an alarming 99% of servers remain vulnerable to this critical security flaw.
Understanding the Technical Impact
The vulnerability affects ProjectSend, an open-source PHP-based file sharing application widely used in corporate environments. The security flaw enables unauthorized attackers to gain complete control over server configurations through the options.php endpoint. This critical weakness allows malicious actors to create unauthorized administrative accounts, upload web shells, and inject harmful JavaScript code, potentially leading to complete system compromise.
Vulnerability Timeline and Exploitation Status
Initially discovered by Synacktiv researchers in January 2023, the vulnerability received an official patch in May 2023. However, the CVE identifier was only recently assigned after confirmation of active exploitation in the wild. Security firms including Project Discovery and Rapid7 have developed proof-of-concept exploits, which have subsequently been weaponized by threat actors for malicious purposes.
Current Exposure Analysis
VulnCheck’s research reveals a critical security landscape where 55% of active ProjectSend installations are running the vulnerable version r1605, and 44% operate on an outdated April 2023 release. Only 1% of servers have been updated to the secure version r1750, leaving the vast majority of installations exposed to potential attacks.
Detection and Mitigation Strategies
Security teams should watch for telltale signs of compromise, including modified landing page headers containing long pseudo-random strings and unexpected user registration functionality. Organizations running ProjectSend installations must immediately upgrade to version r1720 or later to protect against this vulnerability.
Given the severity of the vulnerability and its widespread exploitation, immediate action is crucial. System administrators should prioritize updating their ProjectSend installations to the latest secure version. If immediate updates aren’t feasible, organizations should consider temporarily restricting public access to their ProjectSend servers and implementing additional security controls such as VPNs or IP-based access restrictions until the vulnerability can be patched. Regular security assessments and prompt patch management remain critical components of maintaining a robust security posture against such threats.
