🚨 CRITICAL ALERT: Active Zero-Day Exploits
Two Critical vulnerabilities with CVSS scores of 9.8 and 10.0 are actively exploited in the wild, with attackers already targeting public-facing instances of ProjectSend and causing unauthenticated SSRF on SMA1000 Appliances; immediate patching is mandatory to prevent full system compromise, webshell uploads, and unauthorized configuration changes.
Critical Vulnerabilities (CVSS >= 8.0)
- CVE-2024-11680 (CVSS: 9.8): ProjectSend versions prior to r1720 suffer an improper authentication vulnerability allowing remote, unauthenticated attackers to modify configuration via
options.php, enabling account creation, webshell uploads, and malicious JavaScript injection; 99% of public instances remain vulnerable with active exploitation observed since September 2024 and public Metasploit/Nuclei modules available[1][2][4]. View NVD | CISA KEV - CVE-2026-15409 (CVSS: 10.0): SMA1000 Appliance Work Place interface contains a Server-side Request Forgery (SSRF) flaw allowing remote unauthenticated attackers to force the appliance to send requests to unintended locations, enabling data exfiltration or internal network abuse; listed in CISA KEV as of July 14, 2026[2]. View NVD | CISA KEV
âš¡ Immediate Actions Required
For ProjectSend (CVE-2024-11680): Upgrade immediately to version r1720 or later; if upgrade is delayed, restrict access to options.php via firewall/web server rules (.htaccess or nginx location blocks), audit user accounts for unauthorized additions, scan upload directories for webshells, and disable the application if sensitive data is present[2][5]. Block options.php at the web server level and place installations behind a VPN or enforce IP whitelisting[2].
For SMA1000 Appliance (CVE-2026-15409): Apply the vendor-patched firmware immediately; restrict Work Place interface access to authorized networks only, disable unused SSRF-capable endpoints, and monitor appliance outbound traffic for suspicious requests to unintended destinations[2].
General: Treat both as urgent priority due to CISA KEV listing, active exploitation, and public exploit availability; conduct incident response scans for webshells, unauthorized accounts, and configuration tampering[1][2].

