CVE-2024-11680 — ProjectSend Improper Authentication Vulnerability

ProjectSend — Unauthenticated options.php Config Modification Enables Account Creation, Web Shell Upload, and JavaScript Injection; Mass Exploitation Nov 2024

What is ProjectSend?

ProjectSend is a free, open-source file sharing and client management web application written in PHP, used by businesses and organizations to share files securely with clients and partners. Organizations use ProjectSend as a self-hosted alternative to services like Dropbox Business or WeTransfer for sharing documents, contracts, and deliverables with external parties. ProjectSend instances are typically internet-facing by design — they exist specifically to allow external clients to upload and download files. This internet exposure, combined with the vulnerability's severity, enabled rapid mass exploitation.

Overview

CVE-2024-11680 is an improper authentication vulnerability (CWE-306) in ProjectSend. The application's options.php configuration endpoint lacks authentication — it can be accessed and used to modify application settings by any unauthenticated attacker. This configuration endpoint controls core application settings including enabling user registration, modifying upload directories, and embedding custom JavaScript. An attacker can exploit this to: enable user self-registration (creating accounts), upload web shells (via the file upload functionality now accessible with a new account), and inject malicious JavaScript into all ProjectSend pages (stealing credentials or cookies from legitimate users). The fix was committed to the ProjectSend repository in May 2024 but was not CVE-assigned until November 2024 — upon publication, mass exploitation began within 24 hours.

Affected Versions

Product       Vulnerable          Fixed
ProjectSend   r1605 and earlier   r1720 (commit 193367d)

Technical Details

The missing authentication (CWE-306) on options.php is a classic PHP access control failure: the file handles application configuration changes but does not verify that the requester is an authenticated administrator before processing the request.

Exploitation steps:

  1. Enable user registration: Attacker sends a POST request to options.php with parameters enabling the user self-registration feature (allow_registration=1 or equivalent)
  2. Register attacker account: Attacker creates a new user account via the registration form (now enabled)
  3. Upload web shell: Using the new account, attacker uploads a PHP web shell disguised as a file (e.g., shell.php) to the ProjectSend upload directory
  4. Execute web shell: Attacker accesses the uploaded PHP file directly via the web server, achieving remote code execution

JavaScript injection path: An attacker can also use options.php to inject malicious JavaScript into the custom_js setting that is included in all ProjectSend pages — enabling credential harvesting or session token theft from legitimate users.

No prerequisites: The entire attack chain from network access to RCE requires no prior credentials and no existing account.

Discovery

VulnCheck documented the mass exploitation campaign shortly after CVE publication in November 2024, providing detailed analysis of the exploitation techniques observed in the wild.

Exploitation Context

VulnCheck reported that mass exploitation of internet-facing ProjectSend instances began within approximately 24 hours of CVE-2024-11680's publication on November 26, 2024. Multiple threat actor groups conducted automated scanning and exploitation. CISA added it to the KEV catalog just 7 days after CVE publication, confirming the rapid exploitation. Observed exploitation payloads included:

  • PHP web shells for persistent server access
  • Cryptominer deployment
  • Remote access tool installation

The vulnerability had been silently fixed in the ProjectSend codebase 6 months before CVE assignment (May 2024) — meaning instances that pulled the latest code were protected, while those that hadn't updated since before May 2024 remained vulnerable for the 6-month gap.

Remediation

  1. Upgrade ProjectSend to r1720 or later (the commit containing the authentication fix). The CISA deadline was December 24, 2024.
  2. Immediately disable internet access to the ProjectSend instance until patched — the exploitation automation was fast and widespread.
  3. Audit the ProjectSend upload directory for PHP files that should not be there — web shell files typically have .php, .php5, or .phtml extensions.
  4. Review ProjectSend user accounts for accounts created by attackers via the enabled registration feature.
  5. Check options.php settings for unexpected configuration changes: custom JavaScript injection, modified upload paths, or altered registration settings.
  6. Rotate all passwords for legitimate ProjectSend users — if JavaScript injection was active, session tokens and form-submitted passwords may have been captured.
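As an added defender-side triage helper (not part of the original advisory or of ProjectSend's own code), the following Python script covers remediation step 3 and the detection side of the exploitation chain above: it lists PHP-executable files under the upload directory and groups access-log requests per source IP into the stages options.php POST, registration POST, PHP file fetched from the upload path. It assumes the registration endpoint is register.php and that uploaded files live under a path containing /upload/; the log lines are constructed samples.

```python
import os
import re
from pathlib import PurePosixPath

# Extensions from remediation step 3; a double extension like shell.php.jpg is flagged too (added assumption).
PHP_EXTS = {".php", ".php5", ".phtml"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed Apache-style access-log lines, not taken from any real incident.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Nov/2024:03:14:07 +0000] "POST /options.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [27/Nov/2024:03:14:09 +0000] "POST /register.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.5 - - [27/Nov/2024:03:15:40 +0000] "GET /upload/files/shell.php HTTP/1.1" 200 87 "-" "curl/8.4.0"
198.51.100.7 - - [27/Nov/2024:08:02:11 +0000] "GET /index.php HTTP/1.1" 200 4311 "-" "Mozilla/5.0"
"""

def is_php_executable(name: str) -> bool:
    """True if any suffix of the file name is a PHP-executable extension."""
    return any(s.lower() in PHP_EXTS for s in PurePosixPath(name).suffixes)

def audit_upload_dir(root: str) -> list:
    """Remediation step 3: list PHP files anywhere under the upload directory."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.join(dirpath, f) for f in files if is_php_executable(f)]
    return sorted(hits)

def find_exploit_chains(log_text: str) -> dict:
    """Per source IP, chain stages seen in order: options.php POST, registration POST
    (register.php assumed), PHP file fetched from under /upload/ (path assumed).
    Only IPs that POSTed to options.php are reported; admin saves also do that."""
    stages = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method = m["ip"], m["method"]
        path = m["path"].split("?", 1)[0].lower()
        stage = ("options_post" if method == "POST" and path.endswith("/options.php")
                 else "registration" if method == "POST" and path.endswith("/register.php")
                 else "php_in_upload" if "/upload/" in path and is_php_executable(path)
                 else None)
        if stage and stage not in stages.setdefault(ip, []):
            stages[ip].append(stage)
    return {ip: s for ip, s in stages.items() if s[0] == "options_post"}
```

An IP that reaches the later stages after an options.php POST is the signal worth escalating; a lone options.php POST from a known administrator address is normal and should be cross-checked against admin logins.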

Key Details

CVE ID: CVE-2024-11680
Vendor / Product: ProjectSend — ProjectSend
NVD Published: 2024-11-26
NVD Last Modified: 2025-10-31
CVSS 3.1 Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-306
CISA KEV Added: 2024-12-03
CISA KEV Deadline: 2024-12-24
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2024-12-24. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2024-05-22  ProjectSend vulnerability patched in commit r1720 (months before CVE publication)
2024-11-26  CVE-2024-11680 published
2024-11-27  Mass exploitation wave begins; VulnCheck documents rapid scanning and exploitation
2024-12-03  CISA adds to KEV (7 days after CVE publication)
2024-12-24  CISA BOD 22-01 remediation deadline