Technology

ProjectSend security flaws hit to access background servers

November 28, 2024

VulnCheck found a bug being actively exploited in ProjectSend
Crooks are using it to create rogue accounts and deploy malware
Thousands of instances are at risk, experts warn

Researchers have warned hackers are taking advantage of a critical vulnerability in ProjectSend giving them access to servers and the ability to run arbitrary commands remotely.

ProjectSend is a free, open source file-sharing software businesses can use to securely upload, manage, and share files with clients, team members, or other designated users. It’s commonly used by businesses, freelancers, and nonprofits that don’t want to rely on third-party services such as Dropbox.

Apparently, an older version, that predates May 16, 2023, carried a critical authentication bypass vulnerability – and since the bug was never assigned a CVE, and thus was never publicly disclosed, most users were unaware of its existence.

Multiple attackers

As a result, the vast majority of ProjectSend users – 99% of them – were operating an older, unpatched and vulnerable version. In total, there are apparently 4,000 public-facing instances, and just 1% are using a patched version.

Once VulnCheck, a cybersecurity platform that focuses on identifying and analyzing vulnerabilities, observed the bug being actively exploited in the wild, it was given a designation CVE-2024-11680. Crooks were using it to create new accounts under their control, plant webshells, and embed JavaScript code.

VulnCheck added the exploitation picked up pace in September 2024, when Metasploit and Nuclei both released public exploits for the flaw.

“VulnCheck noticed that public-facing ProjectSend servers had started to change their landing page titles to long, random-ish strings,” the platform said. “These long and random-ish names are in line with how both Nuclei and Metasploit implement their vulnerability testing logic.”

“Both exploit tools modify the victim’s configuration file to alter the sitename (and therefore HTTP title) with a random value.”

At this time, there is no information about the identity of the attackers, or their motives, however it was said that the attempts came from at least 100 different IP addresses, meaning that numerous groups and individual hackers were taking advantage of the bug.

Via BleepingComputer

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

LEAVE A REPLY Cancel reply

EDITOR PICKS

POPULAR POSTS

QUICK LINKS

ABOUT US

FOLLOW US

Cookie bar