Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2024-51378

CVE-2024-51378: CyberPanel Auth Bypass Vulnerability

CVE-2024-51378 is an authentication bypass flaw in CyberPanel that allows attackers to execute arbitrary commands remotely. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2024-51378 Overview

CVE-2024-51378 is a critical authentication bypass and command injection vulnerability affecting CyberPanel, a popular web hosting control panel. The vulnerability exists in the getresetstatus function within dns/views.py and ftp/views.py, allowing remote attackers to bypass authentication mechanisms and execute arbitrary commands on affected systems. This vulnerability has been actively exploited in the wild, notably by the PSAUX ransomware group in October 2024, resulting in a massive attack campaign targeting approximately 22,000 CyberPanel instances.

Critical Impact

This vulnerability enables unauthenticated remote attackers to achieve complete system compromise through command injection. It has been actively exploited by ransomware operators and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

Affected Products

  • CyberPanel versions through 2.3.6
  • CyberPanel version 2.3.7 (unpatched)
  • CyberPanel versions prior to commit 1c0c6cb

Discovery Timeline

  • 2024-10-29 - CVE-2024-51378 published to NVD
  • 2025-11-07 - Last updated in NVD database

Technical Details for CVE-2024-51378

Vulnerability Analysis

This vulnerability combines two distinct security weaknesses: an authentication bypass (CWE-420) and OS command injection (CWE-78). The authentication middleware (secMiddleware) in CyberPanel is designed to protect sensitive endpoints but contains a critical flaw—it only validates POST requests. Attackers can exploit this oversight by sending requests using alternative HTTP methods to the /dns/getresetstatus or /ftp/getresetstatus endpoints, effectively bypassing authentication entirely.

Once authentication is bypassed, the vulnerability allows injection of shell metacharacters through the statusfile property. The application fails to properly sanitize user-supplied input before passing it to system shell commands, enabling arbitrary command execution with the privileges of the CyberPanel service account.

Root Cause

The root cause of this vulnerability stems from two compounding security failures. First, the security middleware implementation only enforces authentication checks on POST requests, leaving other HTTP methods unprotected. Second, the getresetstatus function in both dns/views.py and ftp/views.py directly incorporates the statusfile parameter into shell command execution without proper input validation or sanitization. This combination allows attackers to reach the vulnerable code path without credentials and inject malicious commands through the unsanitized parameter.

Attack Vector

The attack exploits network-accessible endpoints with no authentication required and no user interaction necessary. An attacker can craft HTTP requests to either /dns/getresetstatus or /ftp/getresetstatus endpoints using a method other than POST to bypass the security middleware. By including shell metacharacters (such as semicolons, pipes, or backticks) in the statusfile property, the attacker can inject and execute arbitrary system commands. The PSAUX ransomware campaign demonstrated this attack at scale, leveraging the vulnerability to deploy ransomware across thousands of internet-exposed CyberPanel installations.

The vulnerability mechanism involves the following attack flow: the attacker sends a crafted request to the vulnerable endpoint, bypassing the middleware that only checks POST requests. The malicious statusfile parameter value containing shell metacharacters is then passed unsanitized to a shell command, resulting in arbitrary command execution on the host system.

Detection Methods for CVE-2024-51378

Indicators of Compromise

  • Unusual HTTP requests to /dns/getresetstatus or /ftp/getresetstatus endpoints, particularly using non-POST methods
  • Presence of shell metacharacters (;, |, $(), backticks) in request parameters targeting CyberPanel
  • Unexpected process spawning from CyberPanel service accounts
  • Signs of PSAUX ransomware activity including encrypted files and ransom notes

Detection Strategies

  • Monitor web server access logs for requests to the affected endpoints with suspicious parameter values
  • Implement intrusion detection rules to flag requests containing shell metacharacters in the statusfile parameter
  • Deploy web application firewall (WAF) rules to block command injection patterns targeting CyberPanel endpoints
  • Review system logs for unauthorized command execution originating from CyberPanel processes

Monitoring Recommendations

  • Enable detailed logging for all CyberPanel HTTP requests and system command executions
  • Set up alerts for authentication bypass attempts and anomalous access patterns to administrative endpoints
  • Monitor for new user accounts, SSH keys, or persistence mechanisms that may indicate post-exploitation activity
  • Track network connections from CyberPanel servers to identify potential command-and-control communications

How to Mitigate CVE-2024-51378

Immediate Actions Required

  • Update CyberPanel immediately to a version containing commit 1c0c6cb or later
  • If patching is not immediately possible, restrict network access to CyberPanel management interfaces
  • Review system logs for evidence of exploitation and investigate any suspicious activity
  • Consider taking affected CyberPanel instances offline until patched if they are internet-facing

Patch Information

CyberPanel has released a security patch addressing this vulnerability. The fix is available in GitHub commit 1c0c6cbcf71abe573da0b5fddfb9603e7477f683. Users should update to the latest version of CyberPanel that includes this fix. Additional details about the vulnerability and patch are available in the CyberPanel Security Patch Details blog post.

Workarounds

  • Implement firewall rules to block external access to /dns/getresetstatus and /ftp/getresetstatus endpoints
  • Deploy a reverse proxy or WAF with rules to block requests containing shell metacharacters in query parameters
  • Restrict CyberPanel access to trusted IP addresses only using network-level access controls
  • Consider disabling the affected DNS and FTP functionality if not required until a patch can be applied
bash
# Example: Block access to vulnerable endpoints using iptables
# Restrict access to CyberPanel port (default 8090) to trusted IPs only
iptables -A INPUT -p tcp --dport 8090 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 8090 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne