CVE-2024-51567
Published 2024-10-29
Priority P1 · 100 · critical · 9.8 (CVSS 3.1)
Vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2024-11-28
Exploited in the wild
EPSS 86.72% (99.7th percentile)
upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cyberpanel | cyberpanel | < 2.3.8 | 2.3.8 |
Detection & IOCs (extracted from sources)
Command: PUT /dataBases/upgrademysqlstatus HTTP/1.1 ... {"statusfile":"/dev/null; id; #","csrftoken":"{{csrftoken}}"}
Path: databases/views.py
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cyberpanel upgrademysqlstatus Command Injection Attempt (CVE-2024-51567)"; flow:established,to_server; http.uri; bsize:29; content:"/dataBases/upgrademysqlstatus"; fast_pattern; http.request_body; content:"|22|statusfile|22 3a 22|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2024-51567; reference:url,dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce; classtype:attempted-admin; sid:2057154; rev:1; metadata:affected_product CyberPanel, attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_10_30, cve CVE_2024_51567, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_10_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- The exploit bypasses secMiddleware by using a non-POST HTTP method (e.g., PUT/GET) against /dataBases/upgrademysqlstatus; detect any non-POST request to this endpoint.
- Look for shell metacharacters (;, |, `, $, newline, or their URL-encoded equivalents %3B, %7C, %60, %24, %0A) in the `statusfile` JSON body parameter of requests to /dataBases/upgrademysqlstatus.
- Match the HTTP response body for both 'uid=' (command output) and 'error_message'/'requestStatus' to confirm successful exploitation.
- The Shodan query 'html:"CyberPanel"' can be used to identify exposed CyberPanel instances for proactive scanning.
- The Snort/ET rule matches on an exact URI byte size of 29 for /dataBases/upgrademysqlstatus combined with the 'statusfile' key in the request body; use both conditions together to reduce false positives.
- MITRE ATT&CK mapping: TA0001 Initial Access / T1190 Exploit Public-Facing Application; correlate with web server logs for unauthenticated access to the upgrademysqlstatus endpoint.
- The secMiddleware authentication bypass only works for non-POST HTTP methods; the vulnerable endpoint /dataBases/upgrademysqlstatus is unprotected for PUT, GET, etc. Ensure WAF/middleware rules enforce authentication on ALL HTTP methods, not just POST.
- Version 2.3.7 shipped without the patch and remains vulnerable; the fix is tied to commit 5b08cd6, not to a version number alone, so verify the patch by commit hash rather than version string.
- The ET Snort rule (sid:2057154) requires TLS decryption (tls_state TLSDecrypt / deployment SSLDecrypt) to inspect encrypted traffic; it will miss attacks over HTTPS without SSL inspection in place.
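As an added example (not code from any of the sources quoted on this page), the detection notes above implemented as a small log-review function over constructed request records: it flags non-POST requests to the endpoint, the ET rule's metacharacter set in `statusfile` after percent-decoding, and the `uid=` plus `error_message`/`requestStatus` response correlation. The endpoint and field names come from this page; the function names and sample records are constructed.

```python
import json
import re
from urllib.parse import unquote

ENDPOINT = "/dataBases/upgrademysqlstatus"
# Same metacharacter set the ET rule's pcre looks for after "statusfile":"
# (; newline ` | $); applied after percent-decoding so %3B %0A %60 %7C %24 match too.
SHELL_META = re.compile(r"[;\n`|$]")

def inspect_request(method, uri, body, response=""):
    """Return findings for one HTTP request (empty list = nothing suspicious).
    'response' is optional and enables the uid=/error_message success correlation."""
    findings = []
    if uri != ENDPOINT:
        return findings
    if method.upper() != "POST":
        # secMiddleware only guarded POST, so any other method reaches the view unauthenticated
        findings.append(f"non-POST method {method.upper()} to {ENDPOINT}")
    try:
        statusfile = json.loads(body).get("statusfile", "")
    except (ValueError, AttributeError):
        statusfile = body  # body is not a JSON object: inspect it raw
    if SHELL_META.search(unquote(str(statusfile))):
        findings.append("shell metacharacters in statusfile")
    if "uid=" in response and ("error_message" in response or "requestStatus" in response):
        findings.append("response carries id output: likely successful exploitation")
    return findings

# Constructed sample records (method, uri, body, response body); not captured traffic.
SAMPLE_RECORDS = [
    ("POST", ENDPOINT, '{"statusfile":"/home/cyberpanel/mysqlUpgrade.log"}', '{"requestStatus":1}'),
    ("PUT", ENDPOINT, '{"statusfile":"/dev/null; id; #","csrftoken":"x"}',
     '{"error_message":"uid=0(root) gid=0(root)","requestStatus":1}'),
    ("GET", ENDPOINT, '{"statusfile":"/tmp/x%7Cid"}', ""),
    ("GET", "/", "", ""),
]

def scan(records):
    """Run inspect_request over records; return {record_index: findings} for hits only."""
    hits = {}
    for idx, record in enumerate(records):
        findings = inspect_request(*record)
        if findings:
            hits[idx] = findings
    return hits

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_RECORDS).items():
        print(idx, SAMPLE_RECORDS[idx][0], findings)
```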
CVSS provenance
NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 10.0 CRITICAL
CISA: 9.8 CRITICAL
CISA
CyberPanel Incorrect Default Permissions Vulnerability
cisa · 2024-11-07 · CVSS 9.8 · CVE-2024-51567 [CRITICAL] CWE-276
Affected: CyberPersons CyberPanel
CyberPanel contains an incorrect default permissions vulnerability that allows a remote, unauthenticated attacker to execute commands as root.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://cyberpanel.net/blog/detials-and-fix-of-recent-security-issue-and-patch-of-cyberpanel ; https://nvd.nist.gov/vuln/detail/CVE-2024-51567
Remediation Due Date: 2024-11-28
GHSA
GHSA-w6g2-qqv5-83qj: upgrademysqlstatus in databases/views
ghsa_unreviewed · 2024-10-30 · CVE-2024-51567 [CRITICAL] CWE-276
upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
VulnCheck
CyberPanel Incorrect Default Permissions Vulnerability
vulncheck · 2024 · CVSS 10.0 · CVE-2024-51567 [CRITICAL] CWE-276
CyberPanel contains an incorrect default permissions vulnerability that allows a remote, unauthenticated attacker to execute commands as root.
Affected: CyberPersons CyberPanel
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://gist.github.com/gboddin/d78823245b518edd54bfc2301c5f8882; https://nvd.nist.gov/vuln/detail/CVE-2024-51567; https://www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/; https://www.cve.org/CVERecord?id=CVE-2024-51567; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-11-01&host_t
Suricata
ET WEB_SPECIFIC_APPS Cyberpanel upgrademysqlstatus Command Injection Attempt (CVE-2024-51567)
suricata · 2024-10-30 · CVSS 10.0 · CVE-2024-51567 [CRITICAL]
Rule: sid:2057154, quoted in full under Detection & IOCs above.
Metasploit
CyberPanel Multi CVE Pre-auth RCE
metasploit · CVSS 9.8 · CVE-2024-51567 [CRITICAL]
This module exploits three separate unauthenticated Remote Code Execution vulnerabilities in CyberPanel:
- CVE-2024-51567: Command injection vulnerability in the "upgrademysqlstatus" endpoint.
- CVE-2024-51568: Command Injection via the "completePath" parameter in the "outputExecutioner" sink.
- CVE-2024-51378: Unauthenticated RCE in "/ftp/getresetstatus" and "/dns/getresetstatus".
These vulnerabilities were exploited in ransomware campaigns affecting over 22,000 CyberPanel instances, with the PSAUX ransomware being the primary actor in these attacks.
Nuclei
CyberPanel v2.3.6 Pre-Auth Remote Code Execution
nuclei · CVSS 9.8 · CVE-2024-51567 [CRITICAL]
Template:
id: CVE-2024-51567
info:
  name: CyberPanel v2.3.6 Pre-Auth Remote Code Execution
  author: DhiyaneshDK
  severity: critical
  description: |
    upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands vi
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio·2026-02-02
Trendmicro
Earth Lamia Develops Custom Arsenal to Target Multiple Industries
blogs_trendmicro · 2025-05-27
APT & Targeted Attacks
Trend™ Research has been tracking an active APT threat actor named Earth Lamia, targeting multiple industries in Brazil, India and Southeast Asian countries at least since 2023. The threat actor primarily exploits vulnerabilities in web applications to gain access to targeted organizations.
By: Joseph C Chen, 2025/05/27
Summary
- Trend Research has identified Earth Lamia as an APT threat actor that exploits vulnerabilities in web applications to gain access to organizations, using various techniques for data exfiltration.
- Earth Lamia develops and customizes hacking tools to evade detection, such as PULSEPACK and BypassBoss.
- Earth Lamia has primarily targeted
References
https://cwe.mitre.org/data/definitions/420.html
https://cwe.mitre.org/data/definitions/78.html
https://cyberpanel.net/KnowledgeBase/home/change-logs/
https://cyberpanel.net/blog/detials-and-fix-of-recent-security-issue-and-patch-of-cyberpanel
https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce
https://github.com/usmannasir/cyberpanel/commit/5b08cd6d53f4dbc2107ad9f555122ce8b0996515
https://www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-51567
Timeline
2024-10-29: Published
2024-11-07: Added to CISA KEV
Exploited in the wild