CVE-2024-51378 Overview
CVE-2024-51378 is a critical authentication bypass and command injection vulnerability affecting CyberPanel, a popular web hosting control panel. The vulnerability exists in the getresetstatus function within dns/views.py and ftp/views.py, allowing remote attackers to bypass authentication mechanisms and execute arbitrary commands on affected systems. This vulnerability has been actively exploited in the wild, notably by the PSAUX ransomware group in October 2024, resulting in a massive attack campaign targeting approximately 22,000 CyberPanel instances.
Critical Impact
This vulnerability enables unauthenticated remote attackers to achieve complete system compromise through command injection. It has been actively exploited by ransomware operators and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Affected Products
- CyberPanel versions through 2.3.6
- CyberPanel version 2.3.7 (unpatched)
- CyberPanel versions prior to commit 1c0c6cb
Discovery Timeline
- 2024-10-29 - CVE-2024-51378 published to NVD
- 2025-11-07 - Last updated in NVD database
Technical Details for CVE-2024-51378
Vulnerability Analysis
This vulnerability combines two distinct security weaknesses: an authentication bypass (CWE-420) and OS command injection (CWE-78). The authentication middleware (secMiddleware) in CyberPanel is designed to protect sensitive endpoints but contains a critical flaw—it only validates POST requests. Attackers can exploit this oversight by sending requests using alternative HTTP methods to the /dns/getresetstatus or /ftp/getresetstatus endpoints, effectively bypassing authentication entirely.
Once authentication is bypassed, the vulnerability allows injection of shell metacharacters through the statusfile property. The application fails to properly sanitize user-supplied input before passing it to system shell commands, enabling arbitrary command execution with the privileges of the CyberPanel service account.
Root Cause
The root cause of this vulnerability stems from two compounding security failures. First, the security middleware implementation only enforces authentication checks on POST requests, leaving other HTTP methods unprotected. Second, the getresetstatus function in both dns/views.py and ftp/views.py directly incorporates the statusfile parameter into shell command execution without proper input validation or sanitization. This combination allows attackers to reach the vulnerable code path without credentials and inject malicious commands through the unsanitized parameter.
Attack Vector
The attack exploits network-accessible endpoints with no authentication required and no user interaction necessary. An attacker can craft HTTP requests to either /dns/getresetstatus or /ftp/getresetstatus endpoints using a method other than POST to bypass the security middleware. By including shell metacharacters (such as semicolons, pipes, or backticks) in the statusfile property, the attacker can inject and execute arbitrary system commands. The PSAUX ransomware campaign demonstrated this attack at scale, leveraging the vulnerability to deploy ransomware across thousands of internet-exposed CyberPanel installations.
The vulnerability mechanism involves the following attack flow: the attacker sends a crafted request to the vulnerable endpoint, bypassing the middleware that only checks POST requests. The malicious statusfile parameter value containing shell metacharacters is then passed unsanitized to a shell command, resulting in arbitrary command execution on the host system.
Detection Methods for CVE-2024-51378
Indicators of Compromise
- Unusual HTTP requests to /dns/getresetstatus or /ftp/getresetstatus endpoints, particularly using non-POST methods
- Presence of shell metacharacters (;, |, $(), backticks) in request parameters targeting CyberPanel
- Unexpected process spawning from CyberPanel service accounts
- Signs of PSAUX ransomware activity including encrypted files and ransom notes
Detection Strategies
- Monitor web server access logs for requests to the affected endpoints with suspicious parameter values
- Implement intrusion detection rules to flag requests containing shell metacharacters in the statusfile parameter
- Deploy web application firewall (WAF) rules to block command injection patterns targeting CyberPanel endpoints
- Review system logs for unauthorized command execution originating from CyberPanel processes
Monitoring Recommendations
- Enable detailed logging for all CyberPanel HTTP requests and system command executions
- Set up alerts for authentication bypass attempts and anomalous access patterns to administrative endpoints
- Monitor for new user accounts, SSH keys, or persistence mechanisms that may indicate post-exploitation activity
- Track network connections from CyberPanel servers to identify potential command-and-control communications
How to Mitigate CVE-2024-51378
Immediate Actions Required
- Update CyberPanel immediately to a version containing commit 1c0c6cb or later
- If patching is not immediately possible, restrict network access to CyberPanel management interfaces
- Review system logs for evidence of exploitation and investigate any suspicious activity
- Consider taking affected CyberPanel instances offline until patched if they are internet-facing
Patch Information
CyberPanel has released a security patch addressing this vulnerability. The fix is available in GitHub commit 1c0c6cbcf71abe573da0b5fddfb9603e7477f683. Users should update to the latest version of CyberPanel that includes this fix. Additional details about the vulnerability and patch are available in the CyberPanel Security Patch Details blog post.
Workarounds
- Implement firewall rules to block external access to /dns/getresetstatus and /ftp/getresetstatus endpoints
- Deploy a reverse proxy or WAF with rules to block requests containing shell metacharacters in query parameters
- Restrict CyberPanel access to trusted IP addresses only using network-level access controls
- Consider disabling the affected DNS and FTP functionality if not required until a patch can be applied
# Example: Block access to vulnerable endpoints using iptables
# Restrict access to CyberPanel port (default 8090) to trusted IPs only
iptables -A INPUT -p tcp --dport 8090 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 8090 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
