CVE-2024-11680
published 2024-11-26


Priority · P197 · critical · 9.8 · CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (due 2024-12-24)
Exploited in the wild
EPSS: 91.56% (99.8th percentile)
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.

Affected

1 range

Vendor       Product      Version range   Fixed in
projectsend  projectsend  < r1720         r1720

Detection & IOCs (extracted from sources)

path      /options.php
path      upload/files
command   POST /options.php HTTP/1.1
filename  <POSIX_timestamp>_<SHA1_of_username>_<original_filename>.<ext>
  • Monitor for unauthenticated POST requests to /options.php; successful exploitation returns HTTP 500 with content-type text/html, followed by the modified site title appearing in the landing page body on subsequent GET /.
  • Alert on direct HTTP GET access to files under the 'upload/files' directory on ProjectSend servers, especially files whose names match the pattern of a POSIX timestamp combined with a SHA1 hash — this is a strong indicator of webshell deployment.
  • Detect exploitation activity by monitoring for configuration changes that enable user registration and disable the whitelist of allowed file extensions, followed by PHP file uploads.
  • GreyNoise observed 121 distinct IPs actively exploiting CVE-2024-11680; cross-reference inbound traffic to ProjectSend instances against this cluster for triage.
  • Exploitation activity notably increased from September 2024 onward, coinciding with public Metasploit and Nuclei exploit releases — use this timeline to scope forensic investigations.
  • Version distribution on exposed instances: 55% run r1605 (Oct 2022), 44% run an unnamed April 2023 release, and only 1% run r1750 (patched). Shodan/Censys enumeration can identify ~4,000 public-facing instances.
  • The Nuclei template uses a regex to extract a CSRF token from the login page before crafting the exploit POST to /options.php, meaning CSRF token presence alone does not prevent exploitation.
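The first three detection bullets above translate directly into a web-server access-log check. The following Python is an added example written for this page, not code from ProjectSend or from any of the cited sources: it parses Common Log Format lines, flags POST requests to /options.php (treating an HTTP 500 as the stronger signal, as described above), flags GET requests under /upload/files/ whose names follow the <POSIX_timestamp>_<SHA1>_<original> convention, and correlates both per source IP so that a configuration-change POST followed by a fetch of a script file from the same address is reported as a full chain. The sample log lines, IP addresses, hash value and the list of script extensions are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Common Log Format parser; only client IP, method, path and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

# Upload naming convention from the advisory:
# <POSIX_timestamp>_<SHA1_of_username>_<original_filename>.<ext>
UPLOAD_RE = re.compile(r'^/upload/files/\d{9,10}_[0-9a-f]{40}_[^/]+$')

# Assumption: extensions that indicate a server-side script rather than a document.
SCRIPT_EXTS = ('.php', '.phtml', '.phar', '.php5')


def parse_line(line):
    """Return a dict with ip/method/path/status, or None for an unparseable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        'ip': m['ip'],
        'method': m['method'],
        'path': m['path'].split('?', 1)[0],   # drop any query string
        'status': int(m['status']),
    }


def classify(req):
    """Name the detection rule a single request trips, or None if it trips none."""
    path = req['path']
    if req['method'] == 'POST' and path == '/options.php':
        # The advisory notes that successful exploitation returns HTTP 500;
        # other status codes may be a legitimate authenticated settings save.
        return 'options_post_500' if req['status'] == 500 else 'options_post'
    if req['method'] == 'GET' and UPLOAD_RE.match(path):
        if path.lower().endswith(SCRIPT_EXTS):
            return 'upload_script_fetch'      # strong webshell indicator
        return 'upload_pattern_fetch'         # direct fetch of an uploaded file
    return None


def scan(lines):
    """Classify every line and correlate per IP.

    Returns (findings, per_ip) where findings is a list of
    (ip, rule, path, status) tuples and per_ip maps each IP to the set of
    rules it tripped. An IP that POSTed to /options.php and later fetched a
    script under /upload/files/ additionally gets 'exploit_chain'.
    """
    per_ip = defaultdict(set)
    posted = set()
    findings = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        rule = classify(req)
        if rule is None:
            continue
        findings.append((req['ip'], rule, req['path'], req['status']))
        per_ip[req['ip']].add(rule)
        if rule.startswith('options_post'):
            posted.add(req['ip'])
        elif rule == 'upload_script_fetch' and req['ip'] in posted:
            per_ip[req['ip']].add('exploit_chain')
    return findings, dict(per_ip)


# Constructed sample log (addresses from documentation ranges; hash is a placeholder).
SAMPLE_LOG = [
    '10.0.0.1 - - [10/Dec/2024:09:59:00 +0000] "GET / HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Dec/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Dec/2024:10:00:02 +0000] "POST /options.php HTTP/1.1" 500 0',
    '198.51.100.7 - - [10/Dec/2024:10:01:00 +0000] "POST /options.php HTTP/1.1" 302 0',
    '203.0.113.5 - - [10/Dec/2024:10:05:30 +0000] "GET /upload/files/1733824800_'
    'da39a3ee5e6b4b0d3255bfef95601890afd80709_cmd.php HTTP/1.1" 200 87',
    '192.0.2.9 - - [10/Dec/2024:10:06:00 +0000] "GET /upload/files/1733824900_'
    'da39a3ee5e6b4b0d3255bfef95601890afd80709_report.pdf HTTP/1.1" 200 4000',
]

if __name__ == '__main__':
    hits, summary = scan(SAMPLE_LOG)
    for hit in hits:
        print('%-14s %-22s %-70s %d' % hit)
    for ip, rules in summary.items():
        print(ip, sorted(rules))
```

In practice the scan would be fed the web server's access log (or the equivalent SIEM query) for the whole period since September 2024 noted above; an IP carrying `exploit_chain` is the one to triage first, while a lone `options_post` with a non-500 status usually needs an authenticated-session check against the application's own logs before it is treated as hostile.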

CVSS provenance

nvd        v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck        9.8  CRITICAL
cisa             9.8  CRITICAL