A critical security vulnerability affecting ProjectSend, an open-source file-sharing platform, is reportedly being actively exploited, according to cybersecurity firm VulnCheck.
The flaw, tracked as CVE-2024-11680, allows attackers to execute arbitrary PHP code on unpatched servers. The vulnerability was initially discovered by Synacktiv in January 2023 and described as an improper authorization check in ProjectSend version r1605, released in October 2022.
Although the issue was addressed in a commit in May 2023, an official patch wasn't made available until August 2024 with the release of version r1720. On November 26, 2024, the flaw was officially assigned the identifier CVE-2024-11680.
VulnCheck has observed exploitation attempts by unknown threat actors targeting public-facing ProjectSend servers since September 2024. The attackers have leveraged exploit code released by Project Discovery and Rapid7 to compromise vulnerable systems. Once the flaw is exploited, the attackers enable the user registration feature in order to gain elevated privileges for further malicious activity.
An analysis of approximately 4,000 internet-exposed ProjectSend servers revealed that only 1% are running the patched version (r1750), leaving the vast majority vulnerable.
Given this, users are strongly advised to update their systems as soon as possible to prevent exploitation of the flaw.