CVE-2024-11680
Published 2024-11-26
Priority P1 (97) · Critical 9.8 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability, remediation due 2024-12-24
Exploited in the wild
EPSS: 91.56% (99.8th percentile)
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| projectsend | projectsend | < r1720 | r1720 |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated POST requests to /options.php; successful exploitation returns HTTP 500 with content-type text/html, followed by the modified site title appearing in the landing page body on subsequent GET /.
- Alert on direct HTTP GET access to files under the 'upload/files' directory on ProjectSend servers, especially files whose names match the pattern of a POSIX timestamp combined with a SHA1 hash; this is a strong indicator of webshell deployment.
- Detect exploitation activity by monitoring for configuration changes that enable user registration and disable the whitelist of allowed file extensions, followed by PHP file uploads.
- GreyNoise observed 121 distinct IPs actively exploiting CVE-2024-11680; cross-reference inbound traffic to ProjectSend instances against this cluster for triage.
- Exploitation activity notably increased from September 2024 onward, coinciding with public Metasploit and Nuclei exploit releases; use this timeline to scope forensic investigations.
- Version distribution on exposed instances: 55% run r1605 (Oct 2022), 44% run an unnamed April 2023 release, and only 1% run r1750 (patched). Shodan/Censys enumeration can identify ~4,000 public-facing instances.
- The Nuclei template uses a regex to extract a CSRF token from the login page before crafting the exploit POST to /options.php, meaning CSRF token presence alone does not prevent exploitation.
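As an added defensive example (not from this page or from any of the sources it aggregates), the script below applies the first two indicators above to web-server access logs and correlates them per source address: a POST to /options.php answered with HTTP 500, a POST to the upload endpoint named in the Suricata rules further down, and a direct GET of a file under upload/files. The log lines are constructed for the example. The on-disk upload name is assumed to be a 10-digit POSIX timestamp, an optional separator and a 40-hex-character SHA1; adjust `UPLOAD_NAME_RE` to what your own ProjectSend build produces. Request-body conditions (clients_can_register=1 and so on) are not visible in access logs and are left to the Suricata rules.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format: source IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumed shape of a ProjectSend upload name: 10-digit POSIX timestamp, optional
# separator, 40 hex chars (SHA1). Adjust to the layout your build actually produces.
UPLOAD_NAME_RE = re.compile(r'^/upload/files/\d{10}[-_]?[0-9a-f]{40}\b', re.IGNORECASE)

# Constructed sample log lines (not from the page). 203.0.113.10 walks the chain
# described in the indicators above; 198.51.100.7 is ordinary admin/client traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Nov/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Nov/2024:10:01:05 +0000] "POST /options.php HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.10 - - [27/Nov/2024:10:01:06 +0000] "GET / HTTP/1.1" 200 4390 "-" "python-requests/2.31"
203.0.113.10 - - [27/Nov/2024:10:02:11 +0000] "POST /includes/upload.process.php HTTP/1.1" 200 120 "-" "python-requests/2.31"
203.0.113.10 - - [27/Nov/2024:10:02:15 +0000] "GET /upload/files/1732701731-da39a3ee5e6b4b0d3255bfef95601890afd80709.php HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.7 - - [27/Nov/2024:10:03:00 +0000] "GET /upload/files/report.pdf HTTP/1.1" 200 90112 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Nov/2024:10:03:30 +0000] "POST /options.php HTTP/1.1" 302 0 "https://files.example/options.php" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['path'] = rec['path'].split('?', 1)[0]          # drop any query string
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


def classify(rec):
    """Map one parsed record to (indicator, severity), or None if it is not of interest."""
    if rec['method'] == 'POST' and rec['path'] == '/options.php' and rec['status'] == 500:
        # The page reports HTTP 500 as the response to a successful options.php write.
        return ('options_php_post_500', 'medium')
    if rec['method'] == 'POST' and rec['path'] == '/includes/upload.process.php':
        return ('upload_process_post', 'medium')
    if rec['method'] == 'GET' and rec['path'].startswith('/upload/files/'):
        if UPLOAD_NAME_RE.match(rec['path']):
            return ('upload_files_timestamp_sha1_get', 'high')
        return ('upload_files_direct_get', 'low')       # direct access, but an ordinary name
    return None


def analyze(log_text):
    """Return a list of findings (ip, ts, indicator, severity, path) in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit:
            indicator, severity = hit
            findings.append({'ip': rec['ip'], 'ts': rec['ts'], 'indicator': indicator,
                             'severity': severity, 'path': rec['path']})
    return findings


def correlated_sources(findings, window_seconds=900):
    """Source IPs showing an options.php 500 followed within the window by a GET of a
    timestamp-SHA1 file under upload/files: the full chain the indicators describe."""
    by_ip = defaultdict(list)
    for f in findings:
        by_ip[f['ip']].append(f)
    hits = set()
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e['ts'])
        write_times = [e['ts'] for e in events if e['indicator'] == 'options_php_post_500']
        for e in events:
            if e['indicator'] != 'upload_files_timestamp_sha1_get':
                continue
            if any(0 <= (e['ts'] - t).total_seconds() <= window_seconds for t in write_times):
                hits.add(ip)
    return hits


if __name__ == '__main__':
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f"{f['severity']:6} {f['ip']:14} {f['indicator']:32} {f['path']}")
    print('chain observed from:', sorted(correlated_sources(found)))
```

Run it against a real log with `analyze(open(path).read())`; the correlation window is a tuning knob, and a source that trips only the low-severity direct-GET indicator is normal client traffic and should not page anyone on its own.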
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | 9.8 | CRITICAL | |
| cisa | 9.8 | CRITICAL | |
CISA
ProjectSend Improper Authentication Vulnerability
cisa · 2024-12-03 · CVSS 9.8 · CVE-2024-11680 [CRITICAL] · CWE-287
Affected: ProjectSend ProjectSend
ProjectSend contains an improper authentication vulnerability that allows a remote, unauthenticated attacker to enable unauthorized modification of the application's configuration via crafted HTTP requests to options.php. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://github.com/projectsend/projectsend/commit/193367d937b1a59ed5b68dd4e60bd53317473744 ; https://nvd.nist.gov/vuln/detail/CVE-2024-11680
Remediation Due Date: 2024-12-24
GHSA
GHSA-755x-386x-p26p: ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability
ghsa_unreviewed · 2024-11-26 · CVE-2024-11680 [CRITICAL] · CWE-287
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.
VulnCheck
ProjectSend Improper Authentication Vulnerability
vulncheck · 2024 · CVSS 9.8 · CVE-2024-11680 [CRITICAL] · CWE-287
ProjectSend contains an improper authentication vulnerability that allows a remote, unauthenticated attacker to enable unauthorized modification of the application's configuration via crafted HTTP requests to options.php. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.
Affected: ProjectSend ProjectSend
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://vulncheck.com/blog/projectsend-exploited-itw; https://www.cve.org/CVERecord?id=CVE-2024-11680; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.fortiguard.com/threat-signal-
Suricata
ET WEB_SPECIFIC_APPS ProjectSend Authentication Bypass Attempt M1 - Title Defacement Attempt (CVE-2024-11680)
suricata · 2025-01-29 · CVSS 9.8 · CVE-2024-11680 [CRITICAL]
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ProjectSend Authentication Bypass Attempt M1 - Title Defacement Attempt (CVE-2024-11680)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:12; content:"/options.php"; http.request_body; content:"csrf_token|3d|"; content:"section|3d|general"; content:"this_install_title|3d|"; fast_pattern; reference:url,github.com/rapid7/metasploit-framework/pull/19531; reference:cve,2024-11680; classtype:attempted-admin; sid:2059741; rev:1; metadata:affected_product ProjectSend, attack_target Web_Server, tls_state TLSDecrypt, created_at 2025_01_29, cve CVE_2024_11680, deployment Perimeter, deployment Inte
Suricata
ET WEB_SPECIFIC_APPS ProjectSend Authentication Bypass Attempt M2 - Account Creation Attempt (CVE-2024-11680)
suricata · 2025-01-29 · CVSS 9.8 · CVE-2024-11680 [CRITICAL]
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ProjectSend Authentication Bypass Attempt M2 - Account Creation Attempt (CVE-2024-11680)"; flow:established,to_server; xbits:set,ET.ProjectSend.AccountCreation, track ip_dst,expire 60; http.method; content:"POST"; http.uri; bsize:12; content:"/options.php"; http.request_body; content:"csrf_token|3d|"; content:"clients_can_register|3d|1"; fast_pattern; content:"clients_can_upload|3d|1"; content:"clients_auto_approve|3d|1"; reference:url,github.com/rapid7/metasploit-framework/pull/19531; reference:cve,2024-11680; classtype:attempted-admin; sid:2059744; rev:1; metadata:affected_product ProjectSend, attack_target Web
Suricata
ET WEB_SPECIFIC_APPS ProjectSend Authentication Bypass Attempt M3 - PHP File Upload Attempt (CVE-2024-11680)
suricata · 2025-01-29 · CVSS 9.8 · CVE-2024-11680 [CRITICAL]
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ProjectSend Authentication Bypass Attempt M3 - PHP File Upload Attempt (CVE-2024-11680)"; flow:established,to_server; xbits:isset,ET.ProjectSend.AccountCreation,track ip_dst; http.method; content:"POST"; http.uri; bsize:28; content:"/includes/upload.process.php"; fast_pattern; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|name|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|file|22 3b 20|filename|3d 22|"; within:200; content:"|3c 3f|"; distance:0; pcre:"/^(?:php|.)/R"; reference:url,github.com/rapid7/metasploit-framework/pull/19531; reference:cve,2024-11680; c
Metasploit
ProjectSend r1295 - r1605 Unauthenticated Remote Code Execution
metasploit
This module exploits an improper authorization vulnerability in ProjectSend versions r1295 through r1605. The vulnerability allows an unauthenticated attacker to obtain remote code execution by enabling user registration, disabling the whitelist of allowed file extensions, and uploading a malicious PHP file to the server.
Nuclei
ProjectSend <= r1605 - Improper Authorization
nuclei · CVSS 9.8 · CVE-2024-11680 [CRITICAL]
          ProjectSend Log in » ([0-9a-zA-Z]+)'
        internal: true
    - raw:
        - |
          POST /options.php HTTP/1.1
          Host: {{Hostname}}
          Content-Type: application/x-www-form-urlencoded

          csrf_token={{csrf}}&section=general&this_install_title={{string}}
      matchers:
        - type: dsl
          dsl:
            - 'status_code == 500'
            - 'contains(content_type, "text/html")'
          condition: and
          internal: true
    - raw:
        - |
          GET / HTTP/1.1
          Host: {{Hostname}}
      matchers:
        - type: dsl
          dsl:
            - 'status_code == 200'
            - 'contains(body, "{{string}}")'
          condition: and
          internal: true
    - raw:
        - |
          POST /options.php HTTP/1.1
          Host: {{Hostname}}
          Content-Type: application/x-www-form-urlencoded

          csrf_token={{csrf}}&section=general&this_install_title={{title}}
      matchers:
        - type: dsl
          dsl:
            - 'status_code == 500'
            - 'contains(content_type, "text/html")'
          condition: and
          internal: true
    - raw:
        -
arXiv
From LLMs to Agents: A Comparative Evaluation of LLMs and LLM-based Agents in Security Patch Detection
arxiv_fulltext · 2025-11-11
Junxiao Han, Zheng Yu, Lingfeng Bao, Jiakun Liu, Yao Wan, Jianwei Yin, Shuiguang Deng, and Song Han
Junxiao Han, Zheng Yu, and Song Han are with the School of Computer and Computing Science, Hangzhou City University, Hangzhou 310015, China. E-mail: [email protected], [email protected], and [email protected]
Lingfeng Bao is with the State Key Laboratory of Blockchain and Data Security, Zhejiang University, Hangzhou 310027, China. E-mail: [email protected]
Jiakun Liu is with the Faculty of Computing, Harbin Institute of Technology, Harbin 150001, China. E-mail: [email protected]
Yao Wan is with the College of Computer Science and Technology, Huazhong University of Science and T
Checkpoint
2nd December – Threat Intelligence Report
blogs_checkpoint·2024-12-02
## 2nd December – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 2nd December, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Supply chain software provider Blue Yonder was hit by a ransomware attack, disrupting services for clients like Starbucks and UK grocery chains Morrisons and Sainsbury’s. The incident affected operations such as employee scheduling and payroll processing. Blue Yonder is collaborating with cybersecurity firms to recover an
Bleepingcomputer
Hackers exploit ProjectSend flaw to backdoor exposed servers
blogs_bleepingcomputer · 2024-11-27 · CVSS 9.8 · CVE-2024-11680 [CRITICAL]
## Hackers exploit ProjectSend flaw to backdoor exposed servers
By Bill Toulas
Threat actors are using public exploits for a critical authentication bypass flaw in ProjectSend to upload webshells and gain remote access to servers.
The flaw, tracked as CVE-2024-11680, is a critical authentication bug impacting ProjectSend versions before r1720, allowing attackers to send specially crafted HTTP requests to 'options.php' to change the application's configuration.
Successful exploitation allows the creation of rogue accounts, planting webshells, and embedding malicious JavaScript code.
Though the flaw was fixed on May 16, 2023, it was not assigned a CVE until yesterday, leaving users unaware of its severity and the urgency of applying the security update.
According to VulnCheck, which h
Greynoiseio
Storm⚡️Watch
blogs_greynoiseio
CWE
CWE-306: Missing Authentication for Critical Function
mitre_cwe
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Modes of Introduction:
Phase: Architecture and Design
Note: OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.
Phase: Architecture and Design
Note: Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will conne
CWE
CWE-287: Improper Authentication
mitre_cwe
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Modes of Introduction:
Phase: Architecture and Design
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Common Consequences:
Scope: Integrity, Confidentiality, Availability, Access Control. Impact: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands. This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even execute arbitrary code.
Detection Methods:
Automated Static Analysis: Automated static analysis is useful for de
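The CWE-287 definition above is the pattern behind this CVE: a settings handler treats a CSRF token as if it proved identity, although, as the detection notes on this page observe, any visitor obtains a token from the login page. The following is an added illustration in Python, not ProjectSend's code; the session, request and handler names are constructed for the example, and only the four settings keys are taken from the Suricata rules on this page. It places the vulnerable handler beside the hardened one and runs both with a guest session and an admin session.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Settings keys named in the Suricata rules on this page; defaults are constructed.
EDITABLE_KEYS = ("this_install_title", "clients_can_register",
                 "clients_can_upload", "clients_auto_approve")
DEFAULTS = {"this_install_title": "ProjectSend", "clients_can_register": "0",
            "clients_can_upload": "0", "clients_auto_approve": "0"}


@dataclass
class Session:
    """Server-side session (constructed). A CSRF token is issued to every visitor
    because the login form needs one, so holding a valid token proves nothing
    about who the visitor is."""
    user_id: Optional[int] = None
    role: str = "guest"
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    form: Dict[str, str]
    session: Session


class Unauthorized(Exception):
    """No authenticated identity behind the request."""


class Forbidden(Exception):
    """Identity known but not permitted, or the CSRF check failed."""


def _check_csrf(req: Request) -> None:
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), req.session.csrf_token.encode()):
        raise Forbidden("csrf token mismatch")


def _apply(req: Request, settings: Dict[str, str]) -> Dict[str, str]:
    for key in EDITABLE_KEYS:
        if key in req.form:
            settings[key] = req.form[key]
    return settings


def save_options_vulnerable(req: Request, settings: Dict[str, str]) -> Dict[str, str]:
    """CWE-287 shape: the only gate is the CSRF check, which every visitor passes
    with the token from their own session. The caller's identity is never proven."""
    _check_csrf(req)
    return _apply(req, settings)


def require_admin(session: Session) -> None:
    """Authentication (a logged-in identity) first, then authorization (admin role)."""
    if session.user_id is None:
        raise Unauthorized("login required")
    if session.role != "admin":
        raise Forbidden("administrator role required")


def save_options_fixed(req: Request, settings: Dict[str, str]) -> Dict[str, str]:
    """Hardened handler: prove identity and role before the CSRF check and the write."""
    require_admin(req.session)
    _check_csrf(req)
    return _apply(req, settings)


def demo() -> Dict[str, str]:
    """Run both handlers with a guest and an admin session; returns the outcomes."""
    results = {}
    guest = Session()
    guest_req = Request({"csrf_token": guest.csrf_token, "clients_can_register": "1",
                         "clients_can_upload": "1", "clients_auto_approve": "1"}, guest)
    # Guest with a valid token gets through the vulnerable handler.
    results["guest_vulnerable"] = save_options_vulnerable(guest_req, dict(DEFAULTS))["clients_can_register"]
    try:
        save_options_fixed(guest_req, dict(DEFAULTS))
        results["guest_fixed"] = "accepted"
    except Unauthorized:
        results["guest_fixed"] = "rejected: login required"
    admin = Session(user_id=1, role="admin")
    admin_req = Request({"csrf_token": admin.csrf_token, "this_install_title": "Files"}, admin)
    results["admin_fixed"] = save_options_fixed(admin_req, dict(DEFAULTS))["this_install_title"]
    # A token from a different session must still fail, even for an administrator.
    try:
        save_options_fixed(Request({"csrf_token": guest.csrf_token}, admin), dict(DEFAULTS))
        results["admin_bad_csrf"] = "accepted"
    except Forbidden:
        results["admin_bad_csrf"] = "rejected: csrf"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The ordering in `save_options_fixed` is deliberate: the identity check runs before the CSRF check, so an unauthenticated request is rejected with the same error whether or not it carries a token, and the CSRF check keeps its proper job of protecting an already authenticated administrator from forged cross-site requests.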
References
- https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/projectsend-auth-bypass.yaml
- https://github.com/projectsend/projectsend/commit/193367d937b1a59ed5b68dd4e60bd53317473744
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/projectsend_unauth_rce.rb
- https://vulncheck.com/advisories/projectsend-bypass
- https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-11680
Timeline
- 2024-11-26: Published
- 2024-12-03: Added to CISA KEV
- Exploited in the wild