cbcvebase.
CVE-2024-51378
published 2024-10-29


Priority: P1 · 99 · critical · 9.8 · CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2024-12-25
Exploited in the wild
EPSS: 94.88% (99.9th percentile)
getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.

Affected

1 range

Vendor       Product      Version range   Fixed in
cyberpanel   cyberpanel   < 2.3.8         2.3.8

Detection & IOCs (extracted from sources)

url: /ftp/getresetstatus
url: /dns/getresetstatus
command: OPTIONS /ftp/getresetstatus HTTP/1.1 with body {"statusfile": "; <cmd>; #"}
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CyberPanel getresetstatus statusfile Parameter Command Injection Attempt (CVE-2024-51378)"; flow:established,to_server; http.uri; pcre:"/^\x2f(?:dns|ftp)/"; content:"/getresetstatus"; fast_pattern; endswith; http.request_body; content:"|22|statusfile|22 3a|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,attacke.rs/posts/cyberpanel-command-injection-vulnerability/; reference:cve,2024-51378; classtype:attempted-admin; sid:2059721; rev:1; metadata:affected_product CyberPanel, attack_target Web_Server, tls_state TLSDecrypt, created_at 2025_01_28, cve CVE_2024_51378, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_01_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
yara
regex: uid=[0-9]+.*gid=[0-9]+.* AND requestStatus":
  • Exploit bypasses secMiddleware (which only validates POST requests) by sending an OPTIONS HTTP request to /ftp/getresetstatus or /dns/getresetstatus with shell metacharacters in the 'statusfile' JSON body parameter.
  • Detect OPTIONS method requests to URIs ending in /getresetstatus under /dns/ or /ftp/ paths — this is the auth-bypass vector; POST to these endpoints is blocked by middleware but OPTIONS is not.
  • Inspect HTTP request body for the 'statusfile' key containing shell metacharacters: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24).
  • Attacker first performs a GET / to harvest the csrftoken cookie, then replays it in the X-CSRFToken header of the OPTIONS exploit request. Correlate a GET / followed immediately by an OPTIONS to /ftp/getresetstatus or /dns/getresetstatus from the same source IP.
  • Successful exploitation returns a JSON response containing the 'requestStatus' key with command output (e.g., uid=/gid= strings). Alert on 200 responses to these endpoints containing 'requestStatus' in the body.
  • Threat actor PSAUX ransomware group exploited this vulnerability at scale against over 22,000 CyberPanel instances in October 2024. Prioritize detection on internet-facing CyberPanel hosts (Shodan: html:"CyberPanel").
  • Versions through 2.3.6 and the unpatched 2.3.7 release are affected. The fix is present starting from commit 1c0c6cb. Verify the installed commit hash, not just the version number, as 2.3.7 shipped both patched and unpatched builds.
  • The Snort/ET rule (sid:2059721) requires TLS decryption (tls_state TLSDecrypt) to fire on HTTPS-protected CyberPanel instances; ensure your sensor is positioned to inspect decrypted traffic.
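Added example, not code from the page's sources or from the CyberPanel project: a small Python checker that applies the detection logic of the bullets above (non-POST method to a /dns/ or /ftp/ getresetstatus URI, shell metacharacters after the "statusfile" key, uid=/gid= output under "requestStatus" in a 200 response, and the GET / then OPTIONS correlation) to constructed HTTP request/response records. The record shape (HttpRecord), the alert names and the sample records are assumptions made for the example; the metacharacter pattern mirrors the ET rule's PCRE but additionally tolerates whitespace before the colon.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# URI check: path under /dns/ or /ftp/ ending in /getresetstatus (query string stripped by caller).
URI_RE = re.compile(r"^/(?:dns|ftp)/getresetstatus$")

# Body check, mirroring the ET rule: the "statusfile" key followed (without crossing an '&')
# by any of ; \n ` | $ in raw or URL-encoded form. Assumption: \s* before the colon is allowed.
META_RE = re.compile(
    r'"statusfile"\s*:[^&]*?(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)'
)

# Response check from the regex IOC above: id(1)-style output inside the JSON response.
OUTPUT_RE = re.compile(r"uid=[0-9]+.*gid=[0-9]+")


@dataclass
class HttpRecord:
    """Assumed log record shape: one request plus its response, in chronological order."""
    src_ip: str
    method: str
    uri: str
    body: str = ""
    status: Optional[int] = None
    response_body: str = ""


def classify(rec: HttpRecord) -> List[str]:
    """Return the alert names that apply to one record (empty list for benign traffic)."""
    alerts: List[str] = []
    if not URI_RE.match(rec.uri.split("?", 1)[0]):
        return alerts  # not a getresetstatus endpoint, nothing to check
    # secMiddleware only inspects POST requests, so any other method reaches the view unchecked.
    if rec.method.upper() != "POST":
        alerts.append("non-post-method")
    if META_RE.search(rec.body):
        alerts.append("statusfile-shell-metachar")
    if (
        rec.status == 200
        and '"requestStatus"' in rec.response_body
        and OUTPUT_RE.search(rec.response_body)
    ):
        alerts.append("command-output-in-response")
    return alerts


def correlate_csrf_harvest(records: List[HttpRecord]) -> List[str]:
    """Source IPs that fetched GET / (csrftoken harvest) and later sent OPTIONS to a getresetstatus URI."""
    seen_root = set()
    flagged: List[str] = []
    for rec in records:  # assumed chronological
        if rec.method.upper() == "GET" and rec.uri == "/":
            seen_root.add(rec.src_ip)
        elif (
            rec.src_ip in seen_root
            and rec.method.upper() == "OPTIONS"
            and URI_RE.match(rec.uri.split("?", 1)[0])
        ):
            flagged.append(rec.src_ip)
    return flagged


# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE_RECORDS = [
    HttpRecord("203.0.113.7", "GET", "/", status=200, response_body="<html>CyberPanel</html>"),
    HttpRecord(
        "203.0.113.7", "OPTIONS", "/ftp/getresetstatus",
        body='{"statusfile": "; <cmd>; #"}', status=200,
        response_body='{"requestStatus": "uid=1000(cyberpanel) gid=1000(cyberpanel)"}',
    ),
    HttpRecord(
        "198.51.100.5", "POST", "/dns/getresetstatus",
        body='{"statusfile": "/home/example/status.txt"}', status=200,
        response_body='{"status": 1}',
    ),
    HttpRecord(
        "198.51.100.5", "OPTIONS", "/dns/getresetstatus",
        body='{"statusfile": "%60<cmd>%60"}', status=500,
    ),
]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.src_ip, rec.method, rec.uri, classify(rec))
    print("harvest-then-exploit:", correlate_csrf_harvest(SAMPLE_RECORDS))
```

Run it against your own access-log export by building HttpRecord objects in request order; the three per-record alerts are independent, so a hit on `command-output-in-response` alone is the strongest sign that the bypass succeeded, while `non-post-method` by itself is only a scanning indicator.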

CVSS provenance

nvd: v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 10.0 · CRITICAL
cisa: 9.8 · CRITICAL