
Vulnerability Details CVE-2024-51378

getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.941
EPSS Ranking 99.9%
CVSS Severity
CVSS v3 Score 10.0
Proposed Action
CyberPanel contains an incorrect default permissions vulnerability that allows for authentication bypass and the execution of arbitrary commands using shell metacharacters in the statusfile property.
Ransomware Campaign
Known
Products affected by CVE-2024-51378

