CVE-2024-53376
Published: 16 December 2024
Summary
CVE-2024-53376 is a high-severity OS Command Injection (CWE-78) vulnerability in CyberPanel (vendor and product are both listed as CyberPanel). Its CVSS base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.3% of all CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CyberPanel versions before 2.3.8 contain an OS command injection vulnerability (CWE-78) that lets remote authenticated users execute arbitrary commands. The flaw is triggered when shell metacharacters supplied in the phpSelection parameter of the websites/submitWebsiteCreation endpoint reach an underlying system shell without sanitisation, so the attacker-controlled value is parsed as part of the command line rather than as data.
Any attacker holding a valid CyberPanel account with permission to create websites can therefore obtain command execution on the server, and because the panel's backend performs these operations with root privileges the result is full host compromise. The CVSS 8.8 score reflects network accessibility, low attack complexity, low privileges and no user interaction, with high impact on confidentiality, integrity and availability (consistent with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Public proof-of-concept code has been released that demonstrates the injection and provides ready-to-use exploit scripts. No official vendor advisory or patch details appear in the supplied references; the version constraint indicates that upgrading to CyberPanel 2.3.8 or later is the intended remediation. The associated EPSS score of 0.9117 (an estimated 91% probability of exploitation activity in the wild within the next 30 days) reflects substantial exploitation interest following disclosure. Until the upgrade is applied, restricting network access to the panel, reviewing which accounts can create websites, and inspecting requests to websites/submitWebsiteCreation for shell metacharacters in phpSelection are the practical compensating measures.
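The following is an added illustration of the weakness class the analysis above describes and is not CyberPanel's own code: a CyberPanel-like "create website" handler that shells out with the user-chosen PHP version. The helper binary name (stood in for by echo so the demo is harmless), the option flags, the PHP allowlist and the sample payload are all assumptions. The vulnerable builder interpolates phpSelection into a string that a shell later parses; the hardened builder allowlists the value and passes argv as a list so no shell is involved; looks_injected is a simple detection check for metacharacters in the parameter.

```python
import re
import subprocess

# Hypothetical helper the panel would normally invoke; "echo" stands in so the
# vulnerable demo below can run safely on any POSIX host.
HELPER = "echo"

# Assumed allowlist: the PHP versions the UI actually offers. The fix is to
# accept only these, never an arbitrary string.
ALLOWED_PHP = {"PHP 7.4", "PHP 8.0", "PHP 8.1", "PHP 8.2"}

# Characters that change meaning under `sh -c`: command separators, pipes,
# redirections, substitutions, quoting and grouping.
SHELL_META = re.compile(r"""[;&|`$<>(){}\[\]\\\n'"]""")

DOMAIN_RE = re.compile(r"[a-z0-9.-]{1,253}")


def build_command_vulnerable(domain: str, php_selection: str) -> str:
    """CWE-78 pattern: user input is spliced into a command *string* that is
    later executed through a shell (os.system / subprocess with shell=True).
    Anything after ';' in php_selection becomes a second command."""
    return f"{HELPER} --domain {domain} --php {php_selection}"


def is_valid_php_selection(php_selection: str) -> bool:
    """Allowlist validation: exact match against the versions the UI offers."""
    return php_selection in ALLOWED_PHP


def build_command_hardened(domain: str, php_selection: str) -> list[str]:
    """Hardened pattern: validate both inputs, then return an argv list to be
    run with shell=False so the values are never parsed by a shell."""
    if not is_valid_php_selection(php_selection):
        raise ValueError(f"unsupported phpSelection: {php_selection!r}")
    if not DOMAIN_RE.fullmatch(domain.lower()):
        raise ValueError(f"invalid domain: {domain!r}")
    return [HELPER, "--domain", domain, "--php", php_selection]


def looks_injected(php_selection: str) -> bool:
    """Detection heuristic for request logs / WAF rules: a legitimate
    phpSelection never contains shell metacharacters."""
    return SHELL_META.search(php_selection) is not None


if __name__ == "__main__":
    # Constructed payload: a valid-looking version followed by an injected command.
    payload = "PHP 7.4; echo INJECTED"

    cmd = build_command_vulnerable("example.com", payload)
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
    print("vulnerable output:\n" + out)  # second line "INJECTED" proves the injection ran

    print("flagged by detector:", looks_injected(payload))

    try:
        build_command_hardened("example.com", payload)
    except ValueError as exc:
        print("hardened handler rejected it:", exc)

    print("hardened argv:", build_command_hardened("example.com", "PHP 8.1"))
```

The point of the hardened version is the combination: an allowlist rejects the payload before any command is built, and the list-form argv means even a value that slipped through would be delivered as a single argument rather than re-parsed by sh. Escaping with shlex.quote is a weaker substitute that only protects the one interpolation site.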
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51960
Vulnerability details
CyberPanel before 2.3.8 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the phpSelection field to the websites/submitWebsiteCreation URI.
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-derived mapping)
Why these techniques?
Authenticated OS command injection via shell metacharacters in the CyberPanel web panel, a public-facing application, gives the attacker initial access by exploiting that application (T1190) and execution through the Unix shell (Command and Scripting Interpreter: Unix Shell, T1059.004), running as root because the panel's backend operates with root privileges.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.