November 27, 2024 at 11:30AM
A critical security flaw (CVE-2024-11680) in the ProjectSend application, linked to improper authorization, has been actively exploited since September 2024. Despite a patch released in August 2024, only 1% of servers are updated. Users are urged to apply the latest patches to mitigate risks. CVSS score: 9.8.
### Meeting Takeaways – Nov 27, 2024
**Subject**: Vulnerability in ProjectSend Open-Source File-Sharing Application
1. **Critical Vulnerability Overview**:
– A significant security flaw has been identified in the ProjectSend application, now actively exploited in the wild.
– The vulnerability has been designated CVE-2024-11680, with a CVSS score of 9.8.
2. **Vulnerability Details**:
– The issue stems from an improper authorization check that allows for malicious code execution on affected servers.
– The flaw was originally patched in May 2023, but details were only publicly released in August 2024 with version r1720.
3. **Exploitation Timeline**:
– Reports indicate that exploitation began in September 2024, using exploit code released by ProjectDiscovery and Rapid7.
– Known threat actors are targeting public-facing ProjectSend servers.
4. **Potential Impact**:
– Attackers can perform sensitive administrative actions without authorization, such as enabling user registration and modifying the allowed file extensions; together these lead to arbitrary PHP code execution.
– Vulnerable instances may allow attackers to install web shells, posing an increased risk for further exploitation.
5. **Current Usage Statistics**:
– An analysis shows only 1% of internet-exposed ProjectSend servers are operating on the patched version (r1750). The majority are still on version r1605 (October 2022) or earlier.
6. **Action Recommendations**:
– Immediate application of the latest patches is strongly advised for all users to mitigate risks associated with the active exploitation of this vulnerability.
7. **Further Reading**:
– Follow VulnCheck and explore discussions on Twitter and LinkedIn for ongoing updates and insights into security vulnerabilities.
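The attack chain in item 4, modelled as an added Python example that is not ProjectSend's PHP code: a hypothetical options handler with the missing admin check beside a hardened one, and the upload gate that the allowlist change turns into code execution. `Session`, `Request`, `Settings` and `DANGEROUS_EXTENSIONS` are constructed for this illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model: server-executable types an upload allowlist must never
# contain (assumption: typical PHP handler extensions, not ProjectSend's list).
DANGEROUS_EXTENSIONS = {"php", "phtml", "phar"}

@dataclass
class Session:
    user: str
    role: str  # "admin" or "user"

@dataclass
class Request:
    params: dict
    session: Optional[Session] = None  # None models an unauthenticated caller

@dataclass
class Settings:
    register_enabled: bool = False
    allowed_extensions: set = field(default_factory=lambda: {"pdf", "png", "zip"})

def update_options_vulnerable(settings: Settings, req: Request) -> bool:
    """Hypothetical flawed handler: applies the posted options without checking
    that the caller holds an admin session (the improper-authorization class)."""
    if "register_enabled" in req.params:
        settings.register_enabled = bool(req.params["register_enabled"])
    if "allowed_extensions" in req.params:
        settings.allowed_extensions = set(req.params["allowed_extensions"])
    return True

def update_options_hardened(settings: Settings, req: Request) -> bool:
    """Fixed handler: authorize first, then refuse executable extensions even
    from an admin, so a stolen admin session cannot turn uploads into code."""
    if req.session is None or req.session.role != "admin":
        return False  # forbidden; nothing is modified
    wanted = set(req.params.get("allowed_extensions", settings.allowed_extensions))
    if wanted & DANGEROUS_EXTENSIONS:
        return False  # defence in depth on top of the authorization fix
    settings.allowed_extensions = wanted
    settings.register_enabled = bool(req.params.get("register_enabled", settings.register_enabled))
    return True

def upload_allowed(settings: Settings, filename: str) -> bool:
    """Upload gate as the page describes it: only the allowlist decides, so
    adding 'php' to it is what turns an upload into server-side code."""
    parts = filename.lower().rsplit(".", 1)
    return len(parts) == 2 and parts[1] in settings.allowed_extensions
```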
### Conclusion:
Urgent action is required to address the critical vulnerability in ProjectSend to prevent potential exploitation and ensure the security of user data.