Date of Disclosure: November 26, 2024
Date Reported as Actively Exploited (source): November 26, 2024
CVE-2024-11680 is an improper authentication vulnerability allowing remote unauthenticated attackers to exploit ProjectSend (versions prior to r1720) instances by sending crafted HTTP requests to options.php, enabling unauthorized modification of the applications configuration. Successful exploitation allows attackers to create accounts, upload web shells, and embed malicious JavaScript.
Vulncheck shared a blog with several key takeaways – public-facing ProjectSend instances are being actively exploited, 99% of ProjectSend instances remain vulnerable, and public exploits have pre-dated CVE assignment by months. This emphasizes the importance of promptly upgrading the affected versions of ProjectSend.
Public exploits are available in the form of a Nuclei template and a MetaSploit module. Vulncheck shared that victim hosts may display html titles with random strings in line with how Nuclei and Metasploit implement their testing logic. According to Vulncheck, compromised hosts with these modified titles started appearing in September as these exploits were made public.
Vulncheck additionally noted that anomalous network requests to ProjectSend applications appear to be more than just “researchers intrusively checking for vulnerable versions”, and there’s been evidence of post-exploitation activity. Attackers uploading webshells to victim hosts can be found in upload/files/ off the web root and are assigned a predictable name following this pattern: {posix timestamp of upload}-{sha1 username}-{original file name}.{original extension}.
| Field |
Details |
| CVE-ID |
CVE-2024-11680 – CVSS 9.8 (critical) – assigned by NVD |
| Vulnerability Description |
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application’s configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript. |
| Date of Disclosure |
November 26, 2024 |
| Affected Assets |
Options.php in ProjectSend (before r1720) |
| Vulnerable Software Versions |
ProjectSend before r1720 release. |
| PoC Available? |
Yes, there’s multiple public exploits available to include (but not limited to): Project Discovery Nuclei template, Rapid7 Metasploit module, and this advisory from Synactiv provides detailed information about the exploit. |
| Exploitation Status |
Active exploitation was reported by Vulncheck and this CVE was added to CISA KEV on December 3, 2024. |
| Patch Status |
This vulnerability was patched via this commit in May 2023. |
Censys Perspective
At the time of writing, Censys observed 4,026 exposed ProjectSend instances online. A large proportion of these (40%) are geolocated in the United States. Censys observed about 9% of the exposed instances to be associated with CloudFlare (ASN 13335). Note that not all of these are necessarily vulnerable, as specific versions are not available.
On exposed ProjectSend instances, we observed a recurring pattern in the HTML that occasionally includes the release version:
Provided by <a href="https://www.projectsend.org/" target="_blank">ProjectSend</a> version r1420 - Free software
Of the exposed instances in our data, we able to identify the following exposed versions:
| Release Number |
Host Count |
| r1295 |
260 |
| r1335 |
117 |
| r1420 |
113 |
| r1330 |
7 |
| r1270 |
4 |
| r1415 |
3 |
From the exposed instances in our dataset, we identified several instances displaying specific release versions. While many instances did not present a visible version, this absence does not guarantee they are not vulnerable. All of the release versions identified in the chart above remain vulnerable to the exploit.
In addition to the identified versions, we observed a significant number of instances that appear to have already been compromised. The following represent the five most common patterns observed among these hosts by frequency, though additional compromised hosts were also identified:
| HTML Title |
Host Count |
| Log in » 2nVsqpahM2JlULBOKl4HZg2JMXb |
260 |
| Log in » 2pVU3Qznb2ce732PenWkYG6cT8A |
127 |
| Log in » 2pTBUSMbXEO0MlGMlZ4D5AydOUW |
63 |
| Log in » 2pQhx2E3Rw5BRWrDQUtcyw8Pdel |
23 |
| Log in » 2pTxgyFQ4XKnq8ZAfNsAZzQe6qp |
20 |
The obfuscation patterns observed in these compromised hosts align closely with those generated by the nuclei template. Each of these patterns is exactly 27 characters long. This behavior is consistent with the randstr variable used in the Nuclei template, which leverages the KSUID library to generate a random string, always 27 characters in length.
if strings.EqualFold(value, "randstr") || strings.HasPrefix(value, "randstr_") {
randStr := ksuid.New().String()
data = bytes.ReplaceAll(data, []byte(expression[0]), []byte(randStr))
dataMap[expression[0]] = randStr
}
Map of Exposed ProjectSend instances:
Censys Search Query:
services: (http.response.html_title: "Log In » " and banner: "Set-Cookie: PHPSESSID" and http.response.body: "ckeditor.js" and http.response.body: "jquery-migrate.min.js")
Censys ASM Query:
host.services.http.response.html_title: "Log In » " and host.services.banner: "Set-Cookie: PHPSESSID" and host.services.http.response.body: "ckeditor.js" and host.services.http.response.body: "jquery-migrate.min.js"
References
