SentinelOne
CVE Vulnerability Database

CVE-2024-51567: CyberPanel Auth Bypass Vulnerability

CVE-2024-51567 is an authentication bypass flaw in CyberPanel that allows remote attackers to execute arbitrary commands. Exploited in the wild by PSAUX in October 2024, this post covers technical details, impact, and mitigation.

CVE-2024-51567 Overview

CVE-2024-51567 is a critical authentication bypass and command injection vulnerability in CyberPanel (also known as Cyber Panel). The vulnerability exists in the upgrademysqlstatus function within databases/views.py, allowing remote attackers to bypass authentication and execute arbitrary commands via the /dataBases/upgrademysqlstatus endpoint. This is achieved by bypassing the secMiddleware security mechanism, which only protects POST requests, and injecting shell metacharacters in the statusfile property.

Critical Impact

This vulnerability has been actively exploited in the wild by the PSAUX ransomware group in October 2024, targeting approximately 22,000 CyberPanel instances. The vulnerability allows unauthenticated remote attackers to achieve full system compromise with arbitrary command execution capabilities.

Affected Products

  • CyberPanel versions through 2.3.6
  • CyberPanel version 2.3.7 (unpatched)
  • All CyberPanel versions before commit 5b08cd6

Discovery Timeline

  • 2024-10-29 - CVE-2024-51567 published to NVD
  • 2025-11-07 - Last updated in NVD database

Technical Details for CVE-2024-51567

Vulnerability Analysis

The vulnerability combines two critical weaknesses: an authentication bypass (CWE-306) and command injection (CWE-78). The secMiddleware security layer in CyberPanel was designed to protect sensitive endpoints but only validates POST requests. Attackers can exploit this oversight by using alternative HTTP methods to access the /dataBases/upgrademysqlstatus endpoint without authentication.

Once the authentication is bypassed, the statusfile parameter is passed directly to system commands without proper sanitization. This allows attackers to inject arbitrary shell metacharacters, resulting in remote code execution with the privileges of the CyberPanel application. The combination of these two flaws creates a devastating pre-authentication remote code execution vulnerability.

Root Cause

The root cause stems from two fundamental security failures. First, the authentication middleware (secMiddleware) was improperly implemented to only intercept POST requests, leaving other HTTP methods unprotected. Second, the upgrademysqlstatus function fails to properly sanitize user-supplied input in the statusfile parameter before passing it to shell commands, enabling OS command injection attacks.
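The two failures above, modelled side by side as an added example (this is not CyberPanel's code; the request object, the "userID" session key and the /home/cyberpanel directory are assumptions). The weak authorisation check runs only for POST, the fixed one for every method; the fixed statusfile handling accepts only a bare filename and never hands the value to a shell.

```python
import os
import re
import subprocess
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed for this example)."""
    method: str
    path: str
    session: dict = field(default_factory=dict)


PROTECTED_PATHS = ("/dataBases/upgrademysqlstatus",)


def weak_is_authorised(req):
    # Weak pattern: the session check only runs for POST, so any other method reaches the view.
    if req.method == "POST" and req.path in PROTECTED_PATHS:
        return "userID" in req.session          # "userID" session key is an assumption
    return True


def fixed_is_authorised(req):
    # Fixed pattern: the session check runs for every HTTP method on a protected path.
    if req.path in PROTECTED_PATHS:
        return "userID" in req.session
    return True


STATUS_DIR = "/home/cyberpanel"                 # assumed directory for status files
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")


def safe_status_path(statusfile):
    """Return an absolute path confined to STATUS_DIR, or None if the value is unsafe.
    Only a bare filename is accepted, so '/', ';', '|', '$' and backticks are rejected."""
    if not SAFE_NAME.fullmatch(statusfile) or statusfile in (".", ".."):
        return None
    return os.path.join(STATUS_DIR, statusfile)


def read_status(statusfile):
    # Fixed pattern: validated path, argument list, no shell, so nothing is parsed as a command.
    path = safe_status_path(statusfile)
    if path is None:
        raise ValueError("invalid statusfile")
    return subprocess.run(["cat", path], capture_output=True, text=True, check=False).stdout
```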

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker can send a crafted HTTP request to the vulnerable endpoint, bypassing the security middleware by using a non-POST method. The malicious payload is then injected via the statusfile property, where shell metacharacters allow arbitrary command execution. This vulnerability has been weaponized by the PSAUX ransomware group to deploy ransomware across thousands of vulnerable CyberPanel installations.

The attack flow involves accessing the /dataBases/upgrademysqlstatus endpoint while evading the POST-only middleware check, then injecting shell commands through the statusfile parameter that get executed on the underlying system.

Detection Methods for CVE-2024-51567

Indicators of Compromise

  • Unexpected HTTP requests to /dataBases/upgrademysqlstatus endpoint in web server logs
  • Presence of shell metacharacters (;, |, $(), backticks) in request parameters to database endpoints
  • Evidence of PSAUX ransomware artifacts or encrypted files on CyberPanel servers
  • Unusual outbound network connections from CyberPanel servers to unknown IP addresses

Detection Strategies

  • Monitor web access logs for requests to /dataBases/upgrademysqlstatus with suspicious parameters containing shell metacharacters
  • Implement web application firewall (WAF) rules to detect and block command injection patterns in the statusfile parameter
  • Deploy endpoint detection to identify anomalous process spawning from CyberPanel web application processes
  • Review authentication logs for successful access to protected endpoints without valid session tokens
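The first two detection strategies, applied to web server access logs as an added example (not part of the original page): each line is parsed in combined log format, requests to /dataBases/upgrademysqlstatus are flagged when the method is not POST or when a query parameter contains the metacharacters listed under Indicators of Compromise. The sample log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined-log-format prefix: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
ENDPOINT = "/dataBases/upgrademysqlstatus"
# The metacharacters named in the indicator list: ; | & $ and backticks ($( is covered by $).
METACHARS = re.compile(r"[;|&$`]")


def analyse(line):
    """Return a finding dict for a request to the endpoint, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    if target.path != ENDPOINT:
        return None
    reasons = []
    if m.group("method") != "POST":
        reasons.append("non-POST method evades the POST-only middleware check")
    # parse_qsl decodes once; unquote_plus again catches double-encoded values.
    for key, value in parse_qsl(target.query, keep_blank_values=True):
        if METACHARS.search(unquote_plus(value)):
            reasons.append(f"shell metacharacters in parameter {key!r}")
    return {"ip": m.group("ip"), "method": m.group("method"),
            "status": m.group("status"), "reasons": reasons}


def scan(lines):
    """Return only the requests that triggered at least one indicator."""
    return [r for r in (analyse(ln) for ln in lines) if r and r["reasons"]]


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Oct/2024:10:15:01 +0000] "PUT /dataBases/upgrademysqlstatus?statusfile=x%3Becho%20hi HTTP/1.1" 200 512',
    '198.51.100.7 - - [29/Oct/2024:10:16:44 +0000] "POST /dataBases/upgrademysqlstatus HTTP/1.1" 200 128',
    '192.0.2.9 - - [29/Oct/2024:10:17:02 +0000] "GET /dataBases/listDBs HTTP/1.1" 200 2048',
    '203.0.113.5 - - [29/Oct/2024:10:18:30 +0000] "OPTIONS /dataBases/upgrademysqlstatus HTTP/1.1" 405 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["method"], hit["status"], "; ".join(hit["reasons"]))
```

Access logs do not record request bodies, so a statusfile value sent in a PUT or PATCH body needs application-level or WAF request logging before the same check can be applied.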

Monitoring Recommendations

  • Enable verbose logging for the CyberPanel application and associated web server
  • Configure alerts for requests to database management endpoints from external IP addresses
  • Monitor system process trees for unexpected child processes spawned by web server or Python processes
  • Implement file integrity monitoring on critical CyberPanel directories and configuration files

How to Mitigate CVE-2024-51567

Immediate Actions Required

  • Immediately update CyberPanel to version 2.3.8 or later that includes the security fix (commit 5b08cd6d53f4dbc2107ad9f555122ce8b0996515)
  • If immediate patching is not possible, restrict network access to CyberPanel management interfaces using firewall rules
  • Review system logs for evidence of exploitation and conduct incident response if compromise indicators are found
  • Consider taking affected CyberPanel instances offline until patching is complete given active exploitation

Patch Information

CyberPanel has released a security patch addressing this vulnerability. The fix is available in commit 5b08cd6d53f4dbc2107ad9f555122ce8b0996515 on the official GitHub repository. Users should update to the latest version immediately. Detailed patch information and upgrade instructions are available in the CyberPanel Security Advisory.

Workarounds

  • Implement network segmentation to restrict access to CyberPanel management interfaces from trusted networks only
  • Deploy a web application firewall (WAF) with rules to block requests containing shell metacharacters in URL parameters
  • Disable or restrict access to the /dataBases/upgrademysqlstatus endpoint if MySQL upgrade functionality is not required
  • Consider using reverse proxy authentication to add an additional layer of access control to the CyberPanel interface

```bash
# Example: Restrict CyberPanel access using iptables (8090 is CyberPanel's default port)
# Allow only the trusted management network, then drop everything else on that port.
# Rule order matters: the ACCEPT rule must be evaluated before the DROP rule, and because
# -A appends, check that no earlier rule in the chain already accepts this traffic.
iptables -A INPUT -p tcp --dport 8090 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8090 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
