CVE-2024-11680

CRITICAL KEV NUCLEI

ProjectSend < r1720 - Unauthenticated Configuration Modification via options.php

Title source: llm

Exploitation Summary

CVE-2024-11680 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added December 3, 2024. EIP tracks 4 public exploits from researchers including iSee857, D3N14LD15K, qucklecrabik, including a Metasploit module exploits/linux/http/projectsend_unauth_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary The repository contains functional exploit code for CVE-2024-11680, specifically targeting Altenergy with a SQL injection vulnerability. The script sends a crafted payload to the '/index.php/display/status_zigbee' endpoint and checks for a specific response pattern to confirm exploitation.

Description

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.

Exploits (4)

github WORKING POC 40 stars

by iSee857 · pythonpoc

https://github.com/iSee857/CVE-PoC/tree/main/ProjectSend(CVE-2024-11680).py

View Code ZIP pw:eip

The repository contains functional exploit code for CVE-2024-11680, specifically targeting Altenergy with a SQL injection vulnerability. The script sends a crafted payload to the '/index.php/display/status_zigbee' endpoint and checks for a specific response pattern to confirm exploitation.

Classification

Working Poc 90%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: Altenergy

No auth needed

Prerequisites: network access to the target · target endpoint '/index.php/display/status_zigbee'

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec WORKING POC 12 stars

by D3N14LD15K · remote

https://github.com/D3N14LD15K/CVE-2024-11680_PoC_Exploit

View Code ZIP pw:eip

This repository contains a functional PoC exploit for CVE-2024-11680, targeting an improper authentication flaw in ProjectSend r1605 and older versions. The exploit demonstrates privilege misconfiguration by modifying the application title, enabling insecure options, and registering a new user.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: ProjectSend r1605 and older

No auth needed

Prerequisites: Target running ProjectSend r1605 or earlier · curl installed on the attacker's machine

MITRE ATT&CK

T1189 - Drive-by Compromise T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by qucklecrabik · remote

https://github.com/qucklecrabik/CVE-2024-11680

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2024-11680, targeting ProjectSend. The exploit chains CSRF token bypass, insecure client registration, and unrestricted file upload to achieve unauthenticated remote code execution via a PHP web shell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: ProjectSend

No auth needed

Prerequisites: Python 3.x · requests library · colorama library

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 09, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Florent Sicchio, Hugo Clout, ostrichgolf · rubypocphp

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/projectsend_unauth_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits an improper authorization vulnerability in ProjectSend (r1295-r1605) to achieve unauthenticated remote code execution by enabling user registration, disabling file extension restrictions, and uploading a malicious PHP file.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: ProjectSend r1295 - r1605

No auth needed

Prerequisites: Target must have ProjectSend r1295-r1605 installed · Network access to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

ProjectSend <= r1605 - Improper Authorization

CRITICALVERIFIEDby DhiyaneshDK

Shodan: http.html:"projectsend" || http.html:"projectsend setup" || http.html:"provided by projectsend"

FOFA: body="projectsend" || body="projectsend setup" || body=provided by projectsend

References (6)

Core 6

Core References

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-11680

Patch patch

https://github.com/projectsend/projectsend/commit/193367d937b1a59ed5b68dd4e60bd53317473744

Mitigation, Technical Description, Third Party Advisory third-party-advisory exploit

https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf

Exploit exploit

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/projectsend_unauth_rce.rb

Broken Link, Third Party Advisory exploit

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/projectsend-auth-bypass.yaml

Third Party Advisory third-party-advisory

https://vulncheck.com/advisories/projectsend-bypass

Scores

CVSS v3 9.8

EPSS 0.9156

EPSS Percentile 99.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact total

Details

CISA KEV 2024-12-03

VulnCheck KEV 2024-11-26

InTheWild.io 2024-12-03

ENISA EUVD EUVD-2024-34152

CWE

CWE-306

Status published

Products (1)

projectsend/projectsend < r1720

Published Nov 26, 2024

KEV Added Dec 03, 2024

Tracked Since Feb 18, 2026