CVE-2024-51567
published 2024-10-29

Priority: P1 (100), critical
CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability (remediation due 2024-11-28)
Exploited in the wild
EPSS: 86.72% (99.7th percentile)
upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.

Affected

1 range

Vendor      Product     Version range   Fixed in
cyberpanel  cyberpanel  < 2.3.8         2.3.8

Detection & IOCs (extracted from sources)

URL: /dataBases/upgrademysqlstatus
Request: PUT /dataBases/upgrademysqlstatus HTTP/1.1 ... {"statusfile":"/dev/null; id; #","csrftoken":"{{csrftoken}}"}
Path: databases/views.py
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cyberpanel upgrademysqlstatus Command Injection Attempt (CVE-2024-51567)"; flow:established,to_server; http.uri; bsize:29; content:"/dataBases/upgrademysqlstatus"; fast_pattern; http.request_body; content:"|22|statusfile|22 3a 22|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2024-51567; reference:url,dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce; classtype:attempted-admin; sid:2057154; rev:1; metadata:affected_product CyberPanel, attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_10_30, cve CVE_2024_51567, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_10_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • The exploit bypasses secMiddleware by using a non-POST HTTP method (e.g., PUT/GET) against /dataBases/upgrademysqlstatus — detect any non-POST request to this endpoint.
  • Look for shell metacharacters (;, |, `, $, newline / their URL-encoded equivalents %3B, %7C, %60, %24, %0A) in the `statusfile` JSON body parameter of requests to /dataBases/upgrademysqlstatus.
  • Match HTTP response body for both 'uid=' (command output) and 'error_message'/'requestStatus' to confirm successful exploitation.
  • Shodan query 'html:"CyberPanel"' can be used to identify exposed CyberPanel instances for proactive scanning.
  • The Snort/ET rule matches on exact URI byte size of 29 for /dataBases/upgrademysqlstatus combined with the 'statusfile' key in the request body — use both conditions together to reduce false positives.
  • MITRE ATT&CK mapping: TA0001 Initial Access / T1190 Exploit Public-Facing Application — correlate with web server logs for unauthenticated access to the upgrademysqlstatus endpoint.
  • The secMiddleware authentication bypass only works for non-POST HTTP methods; the vulnerable endpoint /dataBases/upgrademysqlstatus is unprotected for PUT, GET, etc. Ensure WAF/middleware rules enforce authentication on ALL HTTP methods, not just POST.
  • Version 2.3.7 shipped without the patch and remains vulnerable; the fix is tied to commit 5b08cd6, not a version number alone, so verify the patch by commit hash rather than version string.
  • The ET Snort rule (sid:2057154) requires TLS decryption (tls_state TLSDecrypt / deployment SSLDecrypt) to inspect encrypted traffic; it will miss attacks over HTTPS without SSL inspection in place.
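The detection logic from the rule and bullets above, as an added example (not from the page's sources or the CyberPanel project): it flags non-POST requests to the endpoint and shell metacharacters in the statusfile value after URL-decoding, run over constructed JSON-lines request records. The record shape and the benign status-file path in record 2 are assumptions.

```python
import json
import re
from urllib.parse import unquote

ENDPOINT = "/dataBases/upgrademysqlstatus"
BYPASS = "non-POST request to upgrademysqlstatus (secMiddleware bypass)"
INJECT = "shell metacharacter in statusfile"
# Same characters the ET rule's pcre looks for in the statusfile value (; newline ` | $).
# The value is URL-decoded first so %3B, %0A, %60, %7C and %24 hit the same pattern.
META_RE = re.compile(r"[;\n`|$]")


def classify_request(method, uri, body):
    """Return findings for one HTTP request; an empty list means nothing matched."""
    findings = []
    if uri != ENDPOINT:
        return findings
    # secMiddleware only guards POST, so any other method reaching this endpoint
    # is itself an indicator of the authentication bypass.
    if method.upper() != "POST":
        findings.append(BYPASS)
    try:
        statusfile = json.loads(body).get("statusfile", "")
    except (ValueError, AttributeError, TypeError):
        statusfile = ""  # non-JSON or non-object body: no statusfile to inspect
    if isinstance(statusfile, str) and META_RE.search(unquote(statusfile)):
        findings.append(INJECT)
    return findings


def scan_log(lines):
    """Scan JSON-lines request records and map line index -> findings for hits only."""
    hits = {}
    for i, line in enumerate(lines):
        rec = json.loads(line)
        findings = classify_request(rec["method"], rec["uri"], rec.get("body", ""))
        if findings:
            hits[i] = findings
    return hits


# Constructed sample records (not real traffic); record 0 mirrors the PUT request
# quoted on this page, record 2 uses an assumed benign status-file path.
SAMPLE_LOG = [json.dumps(r) for r in [
    {"method": "PUT", "uri": ENDPOINT, "body": '{"statusfile":"/dev/null; id; #","csrftoken":"x"}'},
    {"method": "GET", "uri": ENDPOINT, "body": '{"statusfile":"%2Fdev%2Fnull%3Bid"}'},
    {"method": "POST", "uri": ENDPOINT, "body": '{"statusfile":"/home/cyberpanel/upgradeStatus"}'},
    {"method": "GET", "uri": "/dataBases/listDBs", "body": ""},
    {"method": "PUT", "uri": ENDPOINT, "body": "not json"},
]]
```

Calling scan_log(SAMPLE_LOG) reports records 0 and 1 with both findings and record 4 with the bypass only; the legitimate POST and the unrelated endpoint produce nothing.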

CVSS provenance

Source     Version  Score  Severity  Vector
NVD        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck           10.0   CRITICAL
CISA                9.8    CRITICAL