CVE-2024-51378
Published: 29 October 2024
Summary
CVE-2024-51378 is a critical-severity OS Command Injection (CWE-78) vulnerability in CyberPanel. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CyberPanel versions through 2.3.6 and unpatched 2.3.7 contain an OS command injection vulnerability in the getresetstatus functions of dns/views.py and ftp/views.py. The flaw allows remote attackers to bypass secMiddleware, which is applied only to POST requests, and execute arbitrary commands by supplying shell metacharacters in the statusfile parameter to the /dns/getresetstatus or /ftp/getresetstatus endpoints.
Unauthenticated attackers with network access to the panel can exploit the issue to achieve full system compromise, with impact to confidentiality, integrity, and availability. The vulnerability carries a CVSS score of 10.0 and was observed being exploited in the wild in October 2024.
The project advisory and changelog describe mitigation through application of the patch at commit 1c0c6cbcf71abe573da0b5fddfb9603e7477f683, which addresses the authentication bypass and command injection paths in the affected views.
The current EPSS score of 0.9385, with a peak of 0.9410, is consistent with the confirmed real-world exploitation activity against the product.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-45807
Vulnerability details
getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
- CWE(s): CWE-78 (OS Command Injection)
- KEV Date Added: 04 December 2024
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly blocks the unauthenticated access to /dns/getresetstatus and /ftp/getresetstatus that bypasses secMiddleware.
- SI-10 (Information Input Validation): Requires validation and sanitization of the statusfile parameter to reject shell metacharacters that enable command injection.
- Patch application: Mandates prompt application of the patch in commit 1c0c6cb to eliminate the authentication-bypass and command-execution paths.
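The access-enforcement and input-validation controls above, as an added example that is not CyberPanel's code: a validator that allow-lists the statusfile value and reads the file without a shell, plus a handler whose authentication check does not depend on the HTTP method. The status directory, the request dict shape and the handler name are assumptions.

```python
"""Defensive handling of a 'statusfile' request parameter (added example, not
CyberPanel's code). It covers the two weaknesses the advisory describes: an
access check applied only to POST, and a 'statusfile' value that reached an
OS command with shell metacharacters intact. Names and paths are assumed."""
import re
from pathlib import Path

STATUS_DIR = Path("/var/lib/example-panel/status")   # assumed location
# Allow-list: one plain file name, no path separators, no shell metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


class InvalidStatusFile(ValueError):
    """Raised when the supplied statusfile value is not an allowed name."""


def validate_statusfile(value, base=STATUS_DIR):
    """Return the path of an allowed status file inside base, or raise."""
    if not isinstance(value, str) or SAFE_NAME.fullmatch(value) is None:
        raise InvalidStatusFile("statusfile must be a simple file name")
    candidate = base / value
    if candidate.parent != base:          # defence in depth against traversal
        raise InvalidStatusFile("statusfile escapes the status directory")
    return candidate


def read_status(value, base=STATUS_DIR):
    """Read the file directly: no shell, no command string built from input."""
    path = validate_statusfile(value, base)
    try:
        return path.read_text(encoding="utf-8", errors="replace")
    except OSError:                       # absent or unreadable: empty status
        return ""


def handle_getresetstatus(request):
    """Minimal view returning (status_code, body); request is a constructed
    dict {"method", "authenticated", "params"}. Auth is checked for every method."""
    if not request.get("authenticated"):
        return 401, "authentication required"
    if request.get("method") != "POST":
        return 405, "POST only"
    try:
        body = read_status(request.get("params", {}).get("statusfile"))
    except InvalidStatusFile as exc:
        return 400, str(exc)
    return 200, body
```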