Patch now! Attacks on file-sharing platform ProjectSend observed
Even though a security patch for ProjectSend has been available for more than a year, countless instances are apparently still vulnerable.
Security researchers warn of renewed attacks on the ProjectSend file-sharing platform. Attackers are exploiting a critical vulnerability to plant a backdoor. A security update has been available since May 2023.
Several exploits in circulation
Security researchers from VulnCheck warn of the attacks in an article. They state that the "critical" vulnerability, which has only now been assigned a CVE number (CVE-2024-11680), has been known since January 2023. In May 2023, the developers published a security update.
According to the researchers, however, this patch has been installed on only one percent of the ProjectSend servers that are publicly reachable over the internet. Consistent with this, attacks have already taken place in the past. Admins should act without delay and secure their instances against the attacks; ProjectSend r1720 is the patched release.
Because of insufficient authentication checks, attackers can, among other things, add entries to the whitelist of permitted file extensions in order to upload and execute their own code.
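As an added illustration (not ProjectSend's code and not taken from the VulnCheck article), the following Python model shows the bug class described above: a whitelist-update handler with no authentication check beside a hardened one that requires an authenticated administrator and refuses to whitelist server-executable extensions at all. The Session, AppConfig and function names are assumptions made for the example.

```python
# Added illustration (not ProjectSend's code): a minimal model of a file-sharing
# app whose whitelist of permitted upload extensions can be edited via a request.
from dataclasses import dataclass, field
from typing import Iterable, Optional, Set

# Extensions a typical PHP web server would execute as code. A hardened handler
# never allows these to enter the whitelist, regardless of who asks.
SERVER_EXECUTABLE = {"php", "phtml", "phar", "php5", "phps"}


@dataclass
class Session:
    """Hypothetical session object: anonymous by default."""
    user: Optional[str] = None
    is_admin: bool = False


@dataclass
class AppConfig:
    """Hypothetical application config holding the upload whitelist."""
    allowed_extensions: Set[str] = field(
        default_factory=lambda: {"pdf", "png", "jpg", "zip"})


def _clean(extensions: Iterable[str]) -> Set[str]:
    return {e.lower().lstrip(".") for e in extensions}


def update_whitelist_vulnerable(cfg: AppConfig, session: Session,
                                new_extensions: Iterable[str]) -> bool:
    """Bug class from the article: no authentication check at all, so an
    unauthenticated request rewrites the whitelist (e.g. adding 'php')."""
    cfg.allowed_extensions = _clean(new_extensions)
    return True


def update_whitelist_hardened(cfg: AppConfig, session: Session,
                              new_extensions: Iterable[str]) -> bool:
    """Fix: require an authenticated admin, and refuse executable extensions."""
    if session.user is None or not session.is_admin:
        return False  # reject: caller is not an authenticated administrator
    cleaned = _clean(new_extensions)
    if cleaned & SERVER_EXECUTABLE:
        return False  # reject: would permit uploading server-side code
    cfg.allowed_extensions = cleaned
    return True


def upload_allowed(cfg: AppConfig, filename: str) -> bool:
    """Upload-time whitelist check on the final extension of the filename."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in cfg.allowed_extensions
```

Run against the vulnerable handler, an anonymous session can whitelist "php" and a subsequent "upload.php" passes the upload check; the hardened handler rejects the same request and leaves the whitelist unchanged.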
(des)