CVE-2014-9567

ProjectSend r100-r561 - Unauthenticated Arbitrary File Upload and Remote Code Execution via process-upload.php


Exploitation Summary

EIP tracks 3 public exploits for CVE-2014-9567. PoCs were published by Metasploit, Fady Mohammed Osman, and bcoles, including the Metasploit module exploits/unix/webapp/projectsend_upload_exec.

AI-analyzed exploit summary: This Metasploit module exploits an unauthenticated arbitrary file upload vulnerability in ProjectSend (revisions 100-561) via 'process-upload.php', allowing remote code execution as the web server user.

Description

Unrestricted file upload vulnerability in process-upload.php in ProjectSend (formerly cFTP) r100 through r561 allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in the upload/files/ or upload/temp/ directory.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · php
https://www.exploit-db.com/exploits/35660

This Metasploit module exploits an unauthenticated arbitrary file upload vulnerability in ProjectSend (revisions 100-561) via 'process-upload.php', allowing remote code execution as the web server user.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ProjectSend revisions 100 to 561
No auth needed
Prerequisites: Network access to the target · ProjectSend installation with vulnerable 'process-upload.php'
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Fady Mohammed Osman · python · webapps · php
https://www.exploit-db.com/exploits/35424

This exploit leverages an arbitrary file upload vulnerability in ProjectSend r-561 by bypassing file extension restrictions via the 'name' parameter in the upload request. It allows an attacker to upload a malicious file (e.g., a PHP shell) to achieve remote code execution.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ProjectSend r-561
No auth needed
Prerequisites: Network access to the target · A malicious file to upload (e.g., PHP shell)
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Fady Mohammed Osman, bcoles · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/projectsend_upload_exec.rb

This Metasploit module exploits an unauthenticated arbitrary file upload vulnerability in ProjectSend (CVE-2014-9567) by uploading a PHP payload via 'process-upload.php' and executing it to achieve remote code execution as the web server user.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ProjectSend revisions 100 to 561
No auth needed
Prerequisites: Network access to the target · ProjectSend installation with vulnerable 'process-upload.php'
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Exploit · exploit · x_refsource_exploit-db
http://www.exploit-db.com/exploits/35424
Exploit · exploit · x_refsource_exploit-db
http://www.exploit-db.com/exploits/35660
Third Party Advisory, VDB Entry · vdb-entry · x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/99548
Third Party Advisory, VDB Entry · vdb-entry · x_refsource_osvdb
http://osvdb.org/show/osvdb/116469

Scores

EPSS 0.4334
EPSS Percentile 98.6%

Details

CWE: CWE-94
Status: published
Products (15)
projectsend/projectsend 100
projectsend/projectsend 102
projectsend/projectsend 105
projectsend/projectsend 110
projectsend/projectsend 155
projectsend/projectsend 156
projectsend/projectsend 157
projectsend/projectsend 161
projectsend/projectsend 180
projectsend/projectsend 335
... and 5 more
Published Jan 07, 2015
Tracked Since Feb 18, 2026