Urgent: Hackers Actively Exploiting Severe ProjectSend Vulnerability on Unpatched Servers

Critical Security Alert: ProjectSend Vulnerability Threatens File-Sharing Security

A critical security flaw (CVE-2024-11680) has been identified in ProjectSend, the popular open-source file-sharing platform. With a severe CVSS score of 9.8, this vulnerability enables attackers to execute malicious code on affected servers due to insufficient authorization checks.

The security issue, initially addressed in May 2023 and officially patched in August 2024 with version r1720, is now being actively exploited. The vulnerability allows attackers to perform unauthorized actions, including:
– Enabling user registration without authorization
– Modifying file extension settings
– Executing arbitrary PHP code
– Installing web shells
– Injecting malicious JavaScript

Current analysis reveals that only 1% of exposed ProjectSend servers are running the secure, patched version (r1750). The majority continue to operate on the vulnerable r1605 release or on an unidentified version, leaving them at risk of exploitation.

VulnCheck researchers have confirmed active exploitation attempts in the wild. Organizations using ProjectSend are strongly advised to update to the latest version immediately to mitigate this significant security risk, which could lead to unauthorized access and system compromise.