- VulnCheck has found a bug that is being actively exploited in ProjectSend
- Attackers use it to create fraudulent accounts and deploy malware
- Thousands of instances are at risk, experts warn
Researchers have warned that hackers are exploiting a critical vulnerability in ProjectSend, giving them access to servers and the ability to execute arbitrary commands remotely.
ProjectSend is a free, open source file sharing software that companies can use to securely upload, manage, and share files with customers, team members, or other designated users. It is often used by businesses, freelancers, and nonprofits who don’t want to rely on third-party services like Dropbox.
Versions released before May 16, 2023 apparently contained a critical authentication bypass vulnerability. Because the bug was never assigned a CVE, it was never publicly disclosed, and most users were unaware of its existence.
Multiple attackers
As a result, the vast majority of ProjectSend users (99% of them) were running an older, unpatched and vulnerable version. There are apparently 4,000 publicly exposed instances in total, and only 1% of them are running a patched version.
When VulnCheck, a cybersecurity platform focused on identifying and analyzing vulnerabilities, found the bug being actively exploited in the wild, it was assigned CVE-2024-11680. Attackers used it to create new accounts under their control, install web shells, and embed JavaScript code.
VulnCheck added that the exploitation gained momentum in September 2024, when Metasploit and Nuclei both released public exploits for the flaw.
“VulnCheck noticed that public ProjectSend servers started changing their landing page titles to long, random strings,” the company said. “These long and random names are consistent with how both Nuclei and Metasploit implement their vulnerability testing logic.”
“Both exploit tools modify the victim’s configuration file to change the site name (and therefore the HTTP title) with a random value.”
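As an added, defender-side illustration of the indicator VulnCheck describes (example code, not from VulnCheck or the ProjectSend project), the script below scans landing pages for long, random-looking HTML titles. The hostnames, sample HTML and length/entropy thresholds are constructed assumptions.

```python
import math
import re
from html import unescape

# Constructed sample landing pages (hypothetical hosts; not real responses).
SAMPLE_PAGES = {
    "files.example.org": "<html><head><title>Acme File Portal</title></head></html>",
    "share.example.net": "<html><head><title>LOGIN - ProjectSend</title></head></html>",
    "docs.example.com": "<html><head><title>xKq9ZpL2mWv7TbR4nYc8HdJ3eFs6GaU1</title></head></html>",
    "empty.example.com": "<html><head></head><body>no title</body></html>",
}

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)

def extract_title(html):
    """Return the <title> text, or None if the page has no title."""
    m = TITLE_RE.search(html)
    if not m:
        return None
    return unescape(m.group(1)).strip()

def shannon_entropy(s):
    """Bits of entropy per character; random alphanumerics score roughly 4 to 5."""
    if not s:
        return 0.0
    freq = {}
    for ch in s:
        freq[ch] = freq.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in freq.values())

def looks_random(title, min_len=20, min_entropy=3.8):
    """Heuristic (assumed thresholds): long, space-free, high-entropy title."""
    if title is None or len(title) < min_len:
        return False
    if " " in title:
        return False
    return shannon_entropy(title) >= min_entropy

def flag_suspicious(pages):
    """Return sorted hosts whose landing-page title matches the heuristic."""
    return sorted(h for h, html in pages.items() if looks_random(extract_title(html)))

if __name__ == "__main__":
    for host in flag_suspicious(SAMPLE_PAGES):
        print(f"[!] {host}: title {extract_title(SAMPLE_PAGES[host])!r} looks randomised")
```

A changed title is only a hint that the configuration file was tampered with; confirm by comparing against the instance's known site name and reviewing its accounts and web root for the additions described above.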
At this time there is no information about the identity of the attackers or their motives. However, the attempts were said to have come from at least 100 different IP addresses, suggesting that numerous groups and individual hackers were exploiting the bug.
Via BleepingComputer