ProjectSend security flaws impacted access to background servers

VulnCheck found an actively exploited bug in ProjectSend
Scammers use it to create fraudulent accounts and distribute malware
Experts warn thousands of cases are at risk

Researchers have warned that hackers have exploited a critical vulnerability in ProjectSend, allowing them to access servers and run arbitrary commands remotely.

ProjectSend is free, open source file sharing software businesses can use it to securely upload, manage and share files with customers, team members or other designated users. It’s widely used by businesses, freelancers, and non-profit organizations that don’t want to rely on third-party services like Dropbox.

Apparently, an older version before May 16, 2023 carried a critical authentication bypass vulnerability, and most users were unaware of its existence because the bug was never assigned a CVE and thus was never publicly disclosed.

Multiple attackers

As a result, the vast majority of ProjectSend users (99% of them) were running an older, unpatched and vulnerable version. In total, there are apparently 4,000 public examples and only 1% are using the patched version.

VulnCheck, a cybersecurity platform focused on identifying and analyzing vulnerabilities, assigned the bug the designation CVE-2024-11680 after observing it being actively exploited. Scammers were using this to create new accounts under their control, create web shells, and embed JavaScript code.

VulnCheck added that the exploit gained momentum in September 2024, when Metasploit and Nuclei released public exploits for the flaw.

“VulnCheck has noticed that public ProjectSend servers have begun replacing landing page titles with long, random strings,” the platform said. “These long and random names are consistent with how both Nuclei and Metasploit implement vulnerability testing logic.”

“Both exploit tools modify the victim’s configuration file, replacing the site name (and therefore the HTTP header) with a random value.”

There is currently no information on the identity or motives of the attackers, but the attempts are said to come from at least 100 different IP addresses, meaning that multiple groups and individual hackers are taking advantage of this bug.

through BleepingComputer

Related Posts