Lyrie
ACTIVELY EXPLOITED
By Lyrie Threat Intelligence · 12/3/2024

What happened

CISA added CVE-2024-11680 to the Known Exploited Vulnerabilities (KEV) catalog on 2024-12-03, signaling observed exploitation in the wild [CISA KEV]. The issue is an improper authentication bug in ProjectSend that allows unauthenticated changes to application configuration via crafted HTTP requests to options.php [CISA KEV]. CISA’s description states that successful exploitation can let attackers create accounts, upload webshells, and embed malicious JavaScript [CISA KEV].

NVD tracks the flaw as CVE-2024-11680 and maps it to CWE-287 (Improper Authentication) [NVD entry]. The MITRE CVE record aligns on the identifier and vulnerability class [MITRE CVE]. CISA set a remediation due date of 2024-12-24 for covered entities [CISA KEV].

Why it matters

Unauthenticated configuration control is immediate foothold territory: the attacker doesn’t need valid creds to flip security-relevant switches [CISA KEV]. From there, the path to persistent access is short; account creation and webshell placement are explicitly called out as observed outcomes [CISA KEV]. Malicious JavaScript injection broadens impact to session theft, user targeting, and lateral movement through browser-trusted contexts [CISA KEV].

ProjectSend instances are often internet-exposed to serve file workflows; an unauthenticated config-write primitive on that surface is high-value for automated scan-to-own campaigns [NVD entry]. KEV inclusion means exploitation is not hypothetical: federal agencies are mandated to remediate by the due date, which is CISA’s threshold for material risk [CISA KEV].

Technical detail

CVE-2024-11680 is categorized under CWE-287, indicating insufficient or missing checks to confirm user identity before allowing sensitive operations [NVD entry]. In this case, crafted HTTP requests to options.php allow unauthorized modification of application configuration without authentication [CISA KEV]. As reported by CISA, post-exploitation outcomes include:

  • Creating user accounts to formalize access persistence [CISA KEV].
  • Uploading webshells to execute arbitrary server-side actions through the application’s file handling paths [CISA KEV].
  • Embedding malicious JavaScript to hijack sessions or pivot via stored/reflected execution paths in the app UI [CISA KEV].

The vulnerability is tracked in NVD and MITRE with consistent identifiers and weakness classification, which supports characterising it as an authentication bypass rather than a purely authorization (access-control) mistake [NVD entry] [MITRE CVE].

Defense

  • Patch/mitigate now. CISA directs organizations to apply vendor mitigations or discontinue use where mitigations are unavailable, with a KEV due date of 2024-12-24 for federal enterprises [CISA KEV].
  • Gate the blast radius. Until fully remediated, restrict external access to options.php and administrative endpoints via reverse proxy controls or temporary IP allowlists, since the weakness is unauthenticated config modification [CISA KEV] [NVD entry].
  • Hunt and contain:
      - Review recent configuration changes and audit logs around options.php requests, especially unauthenticated POSTs [CISA KEV].
      - Enumerate accounts created and privileges changed since first public tracking; treat unknown additions as suspect [CISA KEV].
      - Inspect upload directories and temporary paths for webshell indicators (e.g., unexpected executable scripts) tied to ProjectSend’s file handling [CISA KEV].
      - Sweep for injected JavaScript in templates, stored content, or database fields that render in the UI [CISA KEV].
  • Monitoring rules of thumb, mapped to the exploit chain:
      - Network: spikes of POSTs to options.php from scanner, Tor, or VPN ASNs [CISA KEV].
      - App: config diffs without a preceding authentication event [NVD entry].
      - App: the sequential pattern config change → account creation → file upload within short intervals [CISA KEV].
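The two App rules above, together with the options.php hunt, can be expressed as simple correlations over normalised log events. The Python below is an added example, not part of this advisory or of ProjectSend; the event kinds, IPs and timestamps are constructed assumptions standing in for web-server and application log records.

```python
import datetime as dt

# Constructed sample events (not real ProjectSend logs), normalised to
# (timestamp, source_ip, kind, detail); the kind names are assumed here.
SAMPLE_EVENTS = [
    ("2024-12-03T09:00:00", "10.0.0.5",    "auth_success",    "admin login"),
    ("2024-12-03T09:01:10", "10.0.0.5",    "post_options",    "POST /options.php"),
    ("2024-12-03T09:01:11", "10.0.0.5",    "config_change",   "site_name"),
    ("2024-12-03T13:42:00", "203.0.113.9", "post_options",    "POST /options.php"),
    ("2024-12-03T13:42:01", "203.0.113.9", "config_change",   "allow_registration"),
    ("2024-12-03T13:42:30", "203.0.113.9", "account_created", "user=newuser"),
    ("2024-12-03T13:43:05", "203.0.113.9", "file_upload",     "upload/unexpected.php"),
]

def parse_events(rows):
    """Parse ISO timestamps and return the events in chronological order."""
    return sorted(((dt.datetime.fromisoformat(t), s, k, d) for t, s, k, d in rows),
                  key=lambda e: e[0])

def unauthenticated_option_posts(events, auth_window=dt.timedelta(hours=1)):
    """Rule 1: a POST to options.php from a source with no auth_success in the
    preceding auth_window is suspect; config writes should follow a login."""
    last_auth, hits = {}, []
    for ts, src, kind, detail in events:
        if kind == "auth_success":
            last_auth[src] = ts
        elif kind == "post_options":
            seen = last_auth.get(src)
            if seen is None or ts - seen > auth_window:
                hits.append((ts, src, detail))
    return hits

CHAIN = ("config_change", "account_created", "file_upload")

def takeover_chains(events, window=dt.timedelta(minutes=10)):
    """Rule 2: config_change -> account_created -> file_upload from one source,
    in order and inside `window`; returns (source_ip, chain_start, chain_end)."""
    chains, state = [], {}                  # state[src] = (stage_reached, chain_start)
    for ts, src, kind, _ in events:
        stage, start = state.get(src, (0, None))
        if stage and ts - start > window:   # partial chain went stale; reset
            stage, start = 0, None
        if kind == CHAIN[stage]:
            start = start or ts
            stage += 1
            if stage == len(CHAIN):         # all three steps observed
                chains.append((src, start, ts))
                stage, start = 0, None
        state[src] = (stage, start)
    return chains
```

On the sample data the authenticated admin session raises nothing, while the second source trips both rules: an options.php POST with no prior login, and the full three-step chain completed in just over a minute.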

Federal agencies must complete remediation by the KEV due date; private-sector organizations should treat the same timeline as the baseline once exploitation is confirmed [CISA KEV].

Lyrie Verdict

This CVE is built for automation: one unauthenticated endpoint, end-to-end takeover in minutes via config write, account minting, and shell drop [CISA KEV]. Lyrie’s autonomous detectors chain these signals at machine speed: anomalous unauthenticated POSTs to options.php, followed by config mutation deltas, followed by new-account events and suspicious uploads, correlated within a sliding window and quarantined before session handoff [NVD entry]. For rogue-AI operators iterating at scan velocity, we meet them with policy that auto-restricts the endpoint, blocks the transaction sequence, and isolates the node on the first correlated hit, not after an analyst reviews logs [CISA KEV].

Lyrie Verdict

Unauthenticated config writes to options.php enable automated takeover chains. Lyrie correlates unauth POSTs, config deltas, new accounts, and uploads in real time to auto-contain before persistence.