CVE-2024-51568
Published: 29 October 2024
Summary
CVE-2024-51568 is a critical-severity OS Command Injection (CWE-78) vulnerability in Cyberpanel Cyberpanel. Its CVSS base score is 10.0 (Critical).
Operationally, ranked in the top 0.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CyberPanel versions prior to 2.3.5 contain a command injection vulnerability in the ProcessUtilities.outputExecutioner() sink when handling the completePath parameter. The flaw is exposed through the unauthenticated /filemanager/upload endpoint and permits arbitrary command execution via shell metacharacters, corresponding to CWE-78. The issue received a CVSS 3.1 score of 10.0, reflecting network-accessible exploitation without credentials or user interaction and full compromise of confidentiality, integrity, and availability in the affected scope.
An unauthenticated remote attacker can submit a malicious upload request containing shell metacharacters to achieve unauthenticated remote code execution on the CyberPanel host. Successful exploitation grants the attacker the ability to run arbitrary operating-system commands with the privileges of the web-server process, enabling full system takeover.
Vendor change logs and the CyberPanel 2.3.5 release announcement indicate that the issue is resolved by upgrading to version 2.3.5 or later. The current EPSS score of 0.9304 reflects a high probability of exploitation in the wild.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-45405
Vulnerability details
CyberPanel (aka Cyber Panel) before 2.3.5 allows Command Injection via completePath in the ProcessUtilities.outputExecutioner() sink. There is /filemanager/upload (aka File Manager upload) unauthenticated remote code execution via shell metacharacters.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.