November 27, 2024 at 04:04PM
A critical authentication bypass flaw (CVE-2024-11680) in ProjectSend lets unauthenticated attackers change the application's configuration, upload webshells and gain remote access to the server. Although the fix was committed on May 16, 2023, a CVE was only assigned recently, and roughly 99% of exposed instances remain vulnerable. Active exploitation has surged since September 2024, so affected deployments should be updated to version r1750 without delay.
### Meeting Takeaways
**Overview of Vulnerability:**
– A critical authentication bypass flaw (CVE-2024-11680) has been identified in ProjectSend, affecting all versions prior to r1720.
– The flaw allows unauthenticated attackers to send specially crafted HTTP requests to ‘options.php’ and change the application's configuration.
**Key Facts:**
– Exploitation can lead to:
– Creation of rogue accounts.
– Uploading of webshells.
– Embedding of malicious JavaScript code.
– The fix was committed on May 16, 2023, but a CVE was only assigned recently, so most users were unaware that upgrading was urgent.
**Current Exploitation Status:**
– VulnCheck reports active exploitation of this vulnerability, and the large majority of instances remain unpatched:
– **99%** of ProjectSend instances are still vulnerable.
– Approximately **4,000** public-facing ProjectSend instances are online; 55% run version r1605 and the remaining 44% run an unnamed version from April 2023, both of which predate the fix.
**Indicators of Compromise:**
– An altered landing page title on a ProjectSend server is a sign of exploitation; the observed changes match those made by the public Metasploit and Nuclei exploit modules.
– GreyNoise has observed **121** IP addresses attacking this vulnerability, indicating widespread opportunistic exploitation rather than isolated incidents.
– Webshells dropped through the flaw are written to the ‘upload/files’ directory; any PHP file in that directory should be treated as suspicious.
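The indicators above (a configuration-change POST to options.php followed by a request for a PHP file under upload/files, PHP files present in the upload directory, and a rewritten landing page title) can be hunted for with a short script. The following Python is an added example written for this summary, not code from the original page, VulnCheck, GreyNoise or the ProjectSend project. It assumes access logs in Apache/nginx "combined" format and ProjectSend served from the web root (so the endpoints appear as /options.php and /upload/files/...); the sample log lines are constructed.

```python
"""Hunt for CVE-2024-11680 indicators in access logs, upload listings and the
landing page.  Added example; the combined log format and web-root layout are
assumptions, not facts from the original page."""
import re
import os

# Apache/nginx "combined" format (assumed): ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
OPTIONS_PATH = "/options.php"
# Anything the web server would execute as PHP under the upload directory.
PHP_UPLOAD_RE = re.compile(r"^/?upload/files/.+\.ph(?:p\d?|tml|ar)$", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious_clients(lines):
    """Map client IP -> paths for clients that POSTed to options.php (the
    configuration-change request) and afterwards fetched a PHP file under
    upload/files (a dropped webshell).  Query strings are ignored when matching."""
    posted = set()
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path == OPTIONS_PATH:
            posted.add(rec["ip"])
        elif rec["ip"] in posted and PHP_UPLOAD_RE.match(path):
            hits.setdefault(rec["ip"], []).append(path)
    return hits


def php_files_in_uploads(relative_paths):
    """Filter a listing of '/'-separated paths relative to the ProjectSend root
    down to PHP files under upload/files.  Client uploads live there, but
    nothing in that directory should be server-side code."""
    return sorted(p for p in relative_paths if PHP_UPLOAD_RE.match(p))


def scan_upload_dir(root):
    """Walk a live ProjectSend install and apply php_files_in_uploads to it."""
    found = []
    for dirpath, _dirs, files in os.walk(os.path.join(root, "upload", "files")):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            found.append(rel.replace(os.sep, "/"))
    return php_files_in_uploads(found)


def title_changed(html, expected_title):
    """True if the landing page <title> is missing or differs from the title the
    administrator configured (exploit tooling rewrites it through options.php)."""
    m = re.search(r"<title>(.*?)</title>", html, re.IGNORECASE | re.DOTALL)
    return m is None or m.group(1).strip() != expected_title


# Constructed sample log lines using RFC 5737 test addresses, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Nov/2024:10:01:02 +0000] "POST /options.php HTTP/1.1" 302 0 "-" "curl/8.4"',
    '203.0.113.7 - - [25/Nov/2024:10:01:05 +0000] "GET /upload/files/shell.php?cmd=id HTTP/1.1" 200 512 "-" "curl/8.4"',
    '198.51.100.4 - - [25/Nov/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [25/Nov/2024:10:03:00 +0000] "GET /upload/files/report.pdf HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, paths in find_suspicious_clients(SAMPLE_LOG).items():
        print(f"suspect {ip}: {', '.join(paths)}")
    print(php_files_in_uploads(["upload/files/doc.pdf", "upload/files/x.php"]))
```

On a live server, run `scan_upload_dir("/var/www/projectsend")` (path assumed) and feed the real access log to `find_suspicious_clients`; a hit on either is reason to treat the host as compromised rather than merely unpatched, since the configuration change persists after the attacker's session ends.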
**Next Steps:**
– Upgrade all ProjectSend instances to version r1750 immediately.
– Organizations running ProjectSend should treat the upgrade as urgent: exposed instances are being actively exploited, and a successful attack yields unauthorized access and full server compromise.
**Recommendation:**
– Inventory every ProjectSend instance in use, check each one's version and the indicators above, and begin upgrading without delay to defend against the ongoing attacks.