Improper Authentication Vulnerability in ProjectSend Affects Multiple Versions
CVE-2024-11680

9.8CRITICAL

Key Information:

Vendor: Projectsend
Status: Projectsend
Vendor: CVE Published:; 26 November 2024

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 93%🦅 CISA Reported📰 News Worthy

Summary

Vulnerability: CVE-2024-11680 Software: ProjectSend Potential Impact: Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript. Exploitation in the Wild: Yes, threat actors are actively using public exploits for this critical authentication bypass flaw in ProjectSend to upload webshells and gain remote access to servers. The flaw has been actively exploited since September 2024, with evidence of public-facing ProjectSend servers being targeted and changes to landing page titles. Upgrading to ProjectSend version r1750 is critical to prevent attacks.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace

The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

ProjectSend 0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-11680 - Proof of Concept