A critical remote code execution vulnerability exists within ProjectSend software, identified as CVE-2023-53980. This flaw allows an unauthenticated attacker to upload a malicious file disguised as a legitimate one, leading to a complete compromise of the server. Successful exploitation could result in data theft, service disruption, and unauthorized access to the underlying system.

The vulnerability exists in the file upload functionality, specifically within the upload.process.php endpoint. The application fails to properly validate the extensions of uploaded files, creating an unrestricted file upload condition. An attacker can exploit this by crafting a malicious script (e.g., a PHP web shell) and disguising it with a seemingly benign extension (e.g., shell.php.jpg). The system may bypass initial checks but allow the web server to interpret and execute the file as a script, granting the attacker the ability to run arbitrary commands on the server with the permissions of the web server process.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation can lead to a complete system compromise, posing a severe risk to the business. Potential consequences include the theft or destruction of all sensitive data managed by the ProjectSend application, significant operational downtime, and reputational damage. A compromised server can also be used as a staging point for further attacks against the internal network, escalating the incident's impact across the organization.

Immediate Action:

• Immediately apply the security patches provided by the vendor. Update ProjectSend Multiple Products to the latest version that addresses this vulnerability.
• Consult the official ProjectSend security advisory for specific patch details and version information.
• Review web server access logs for any suspicious POST requests to upload.process.php and investigate for signs of existing compromise.

Proactive Monitoring:

• Log Analysis: Scrutinize web server and application logs for requests to upload.process.php. Look for uploaded files with double extensions (e.g., .php.png, .phtml) or unusual file names.
• Network Traffic: Monitor for unexpected outbound network connections from the ProjectSend server, which could indicate a reverse shell or data exfiltration.
• System Integrity: Implement file integrity monitoring (FIM) to detect the creation of unauthorized executable files (e.g., .php, .sh) in web-accessible directories. Monitor for suspicious processes running under the web server's user account.

Compensating Controls:

• Web Application Firewall (WAF): If patching is delayed, deploy a WAF rule to strictly inspect and block file uploads containing scripting extensions or patterns indicative of this attack.
• Disable Uploads: Temporarily disable the file upload functionality if it is not essential for business operations until the system can be patched.
• Harden Permissions: Ensure that the directory where files are uploaded does not have script execution permissions. The web server user account should have minimal necessary privileges.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the potential for complete system compromise, this vulnerability requires immediate attention. We strongly recommend that organizations using affected versions of ProjectSend apply the vendor-supplied patches as the highest priority. Although not currently on the CISA KEV list, the ease of exploitation makes it a highly attractive target. Organizations should proceed with patching immediately and conduct a thorough investigation for any indicators of compromise.