Menace actors are utilizing public exploits for a essential authentication bypass flaw in ProjectSend to add webshells and acquire distant entry to servers.
The flaw, tracked as CVE-2024-11680, is a essential authentication bug impacting ProjectSend variations earlier than r1720, permitting attackers to ship specifically crafted HTTP requests to ‘choices.php’ to alter the appliance’s configuration.
Profitable exploitation permits the creation of rogue accounts, planting webshells, and embedding malicious JavaScript code.
Although the flaw was fastened on Could 16, 2023, it was not assigned a CVE till yesterday, leaving customers unaware of its severity and the urgency of making use of the safety replace.
In accordance with VulnCheck, which has detected energetic exploitation, the patching tempo has been abysmal thus far, with 99% of ProjectSend situations nonetheless operating a susceptible model.
Hundreds of situations uncovered
ProjectSend is an open-source file-sharing net utility designed to facilitate safe, personal file transfers between a server administrator and shoppers.
It’s a reasonably standard utility utilized by organizations that want self-hosted options over third-party providers like Google Drive and Dropbox.
Censys studies that there are roughly 4,000 public-facing ProjectSend situations on-line, most of that are susceptible, says VulnCheck.
Particularly, the researchers report that, based mostly on Shodan knowledge, 55% of the uncovered situations run r1605, launched in October 2022, 44% use an unnamed launch from April 2023, and just one% is on r1750, the patched model.
VulnCheck studies seeing energetic exploitation of CVE-2024-11680 that extends past simply testing, together with altering system settings to allow consumer registration, gaining unauthorized entry, and deploying webshells to take care of management over compromised servers.
Supply: VulnCheck
This exercise elevated since September 2024, when Metasploit and Nuclei launched public exploits for CVE-2024-11680.
“VulnCheck seen that public-facing ProjectSend servers had began to alter their touchdown web page titles to lengthy, random-ish strings,” reads the report.
“These lengthy and random-ish names are in keeping with how each Nuclei and Metasploit implement their vulnerability testing logic.”
“Each exploit instruments modify the sufferer’s configuration file to change the sitename (and subsequently HTTP title) with a random worth.”
GreyNoise lists 121 IPs linked to this exercise, suggesting widespread makes an attempt moderately than an remoted supply.
.jpg)
Supply: VulnCheck
VulnCheck warns that the webshells are saved within the ‘add/recordsdata’ listing, with names generated from a POSIX timestamp, the username’s SHA1 hash, and the unique file identify/extension.
Direct entry to those recordsdata via the net server signifies energetic exploitation.
The researchers warn that upgrading to ProjectSend model r1750 as quickly as doable is essential as assaults are doubtless already widespread.