CVE-2024-51567
Published: 29 October 2024
Summary
CVE-2024-51567 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Cyberpanel Cyberpanel. Its CVSS base score is 10.0 (Critical).
Operationally, ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CyberPanel, an open-source web hosting control panel, contains a critical authentication bypass and command injection vulnerability in the upgrademysqlstatus function within databases/views.py. The flaw affects all versions through 2.3.6 and unpatched 2.3.7 prior to commit 5b08cd6, allowing unauthenticated remote attackers to reach the endpoint /dataBases/upgrademysqlstatus. Because secMiddleware is applied only to POST requests, an attacker can submit a GET request containing shell metacharacters in the statusfile parameter to execute arbitrary operating-system commands with the privileges of the CyberPanel process.
An unauthenticated attacker can therefore achieve full remote code execution on the underlying server, including the ability to read or modify hosted data, alter system configurations, or pivot to other assets. The vulnerability carries a CVSS score of 10.0 and is tracked under CWE-306 (Missing Authentication for Critical Function) and related injection weaknesses.
CyberPanel’s official change-log and security advisory describe the issue and direct users to apply the patch released after disclosure; administrators are advised to upgrade immediately to a build containing commit 5b08cd6 or later and to restrict administrative interfaces from untrusted networks until the update is complete.
The flaw was exploited in the wild in October 2024 by the threat actor PSAUX, and the current EPSS of 0.9431 indicates sustained exploitation interest following public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-45733
Vulnerability details
upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property,…
more
as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
- CWE(s)
- KEV Date Added
- 07 November 2024
Related Threats
Threat-Actor AttributionAI
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authentication and authorization checks on the /dataBases/upgrademysqlstatus endpoint before any command execution can occur.
Requires validation and sanitization of the statusfile parameter to block shell metacharacters that enable arbitrary command injection.
Limits privileges of the CyberPanel web process so that even a successful injection yields only minimal system impact.