CVE-2024-51378 is a critical command injection vulnerability in CyberPanel versions 2.3.6 and 2.3.7. This flaw allows unauthenticated remote attackers to execute arbitrary commands on target systems with root privileges. The vulnerability is already being actively exploited by malicious actors, including ransomware groups, to compromise servers, deploy malware, and encrypt files. Over 227,000 potentially exposed instances have been identified online, significantly increasing the attack surface and the urgency for remediation.
| Product | CyberPanel |
| Date | 2024-12-05 16:22:23 |
| Information |
|
Technical Summary
Vulnerability Details:
CVSS Score: 10.0 (Critical)
Affected Versions: CyberPanel 2.3.6 and 2.3.7
Exploit Vector: Specially crafted HTTP OPTIONS requests to the /dns/getresetstatus and /ftp/getresetstatus endpoints.
Root Cause: Lack of input validation on the status file parameter within the dns/views.py and ftp/views.py scripts.
Impact: Remote Code Execution (RCE) by unauthenticated users, allowing full server control, unauthorized access to domains, data breaches, and potential deployment of ransomware or other malware.
Exploitation Steps:
- Perform an initial GET request to obtain the CSRF token.
- Construct a malicious HTTP OPTIONS request containing a specially crafted payload in the status file parameter.
- Inject commands using a semicolon (;) to execute arbitrary shell commands on the server.
- Send the payload to the vulnerable /dns/getresetstatus or /ftp/getresetstatus endpoints.
Recommendations
Apply patches:
- Update CyberPanel to the latest available version, which includes fixes for input validation and improved endpoint authentication.
Monitor logs:
- Regularly check system logs for suspicious commands targeting /api/getresetstatus/, /dns/getresetstatus, or /ftp/getresetstatus.
- Restrict access to CyberPanel instances from untrusted networks using firewalls or VPNs.
Temporary mitigations:
- Disable or restrict OPTIONS requests at the web server level until patches are applied.
- Remove or secure access to the vulnerable /dns/getresetstatus and /ftp/getresetstatus endpoints.
[Callforaction-THREAT-Footer]
