CVE-2024-51568
Published 2024-10-29
Priority: P1 · 95 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Ransomware, Initial access
Exploited in the wild
EPSS: 45.68% (98.6th percentile)
CyberPanel (aka Cyber Panel) before 2.3.5 allows Command Injection via completePath in the ProcessUtilities.outputExecutioner() sink. There is /filemanager/upload (aka File Manager upload) unauthenticated remote code execution via shell metacharacters.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cyberpanel | cyberpanel | < 2.3.5 | 2.3.5 |
Detection & IOCs
snort
alert http1 any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cyberpanel filemanager Command Injection Attempt (CVE-2024-51568)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:19; content:"/filemanager/upload"; http.cookie; content:"csrftoken|3d|"; http.header; content:"X-Csrftoken|3a 20|"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|domainName|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|completePath|22|"; distance:0; fast_pattern; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2024-51568; reference:url,dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce; classtype:attempted-admin; sid:2057158; rev:1; metadata:affected_product CyberPanel, attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_10_30, cve CVE_2024_51568, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2024_10_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit targets POST /filemanager/upload with a multipart/form-data body containing both 'domainName' and 'completePath' fields; shell metacharacters (;, newline, backtick, pipe, $) injected into the completePath value trigger RCE.
- Requests to /filemanager/upload will carry an X-CSRFToken header and csrftoken cookie even though the endpoint is unauthenticated; the CSRF token is extracted from the initial GET / response and replayed.
- Successful exploitation returns HTTP 200 with a JSON body containing both 'status":' and 'error_message":' keys; use these response fields to confirm exploitation.
- CVE-2024-51568 was actively exploited in ransomware campaigns (PSAUX ransomware) against over 22,000 CyberPanel instances; treat any exploitation attempt as a high-severity incident.
- The URI /filemanager/upload has a fixed byte-size of 19; use a bsize:19 constraint in network signatures to reduce false positives.
- The Snort/Suricata rule (sid:2057158) requires TLS decryption to be effective against HTTPS-protected CyberPanel instances, as indicated by the tls_state:TLSDecrypt metadata.
- The Nuclei template requires two sequential HTTP requests: a GET / to harvest the csrftoken cookie, then the malicious POST; single-request detection will miss the full attack chain.
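The request conditions listed above, written as a field-level check for decrypted proxy or WAF request logs (an added example, not code from this page or from the rule's authors). The function names, the request tuple layout and the sample request are assumptions constructed here; unlike the rule's byte-stream pcre, it inspects only the parsed completePath value.

```python
import re
from email.parser import BytesParser
from email.policy import HTTP

# Characters the rule's pcre looks for, raw or percent-encoded: ; LF ` | $
METACHARS = re.compile(r"[;\n`|$]|%(?:3b|0a|60|7c|24)", re.IGNORECASE)
BOUNDARY = "constructedboundary"  # used only by the constructed samples

def form_fields(content_type, body):
    """Parse a multipart/form-data body into {field name: value}."""
    head = b"Content-Type: " + content_type.encode() + b"\r\n\r\n"
    msg = BytesParser(policy=HTTP).parsebytes(head + body)
    fields = {}
    if msg.is_multipart():
        for part in msg.iter_parts():
            name = part.get_param("name", header="content-disposition")
            if name:
                raw = part.get_payload(decode=True) or b""
                fields[name] = raw.decode("utf-8", "replace")
    return fields

def matches_rule(method, uri, headers, body):
    """True when a decrypted request meets the conditions sid:2057158 keys on."""
    h = {k.lower(): v for k, v in headers.items()}
    # bsize:19 means the URI is exactly this string, with nothing appended
    if method.upper() != "POST" or uri != "/filemanager/upload":
        return False
    if "csrftoken=" not in h.get("cookie", "") or "x-csrftoken" not in h:
        return False
    fields = form_fields(h.get("content-type", ""), body)
    if "domainName" not in fields or "completePath" not in fields:
        return False
    return bool(METACHARS.search(fields["completePath"]))

def sample_request(complete_path):
    """Constructed request (not captured traffic) for exercising the check."""
    parts = {"domainName": "example.com", "completePath": complete_path}
    body = "".join(
        f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
        for k, v in parts.items()
    ) + f"--{BOUNDARY}--\r\n"
    headers = {
        "Cookie": "csrftoken=CONSTRUCTED",
        "X-CSRFToken": "CONSTRUCTED",
        "Content-Type": f"multipart/form-data; boundary={BOUNDARY}",
    }
    return "POST", "/filemanager/upload", headers, body.encode()
```

A hit from `matches_rule` covers the request side only; pair it with the response check described above (HTTP 200 with the two JSON keys) before treating the event as confirmed.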
CVSS provenance
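| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 10.0 | CRITICAL | |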
GHSA
GHSA-q2hv-8prh-hr3r · ghsa_unreviewed · 2024-10-30
CVE-2024-51568 [CRITICAL] CWE-78
VulnCheck
CyberPanel /filemanager/upload Remote Code Execution Vulnerability
vulncheck·2024·CVSS 10.0
Affected: CyberPanel Web Hosting Panel CyberPanel
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://gist.github.com/gboddin/d78823245b518edd54bfc2301c5f8882; https://www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/; https://8813571.fs1.hubs
Suricata
ET WEB_SPECIFIC_APPS Cyberpanel filemanager Command Injection Attempt (CVE-2024-51568)
suricata·2024-10-30·CVSS 10.0
Metasploit
CyberPanel Multi CVE Pre-auth RCE
metasploit·CVSS 9.8
CVE-2024-51567 [CRITICAL] CyberPanel Multi CVE Pre-auth RCE
This module exploits three separate unauthenticated Remote Code Execution vulnerabilities in CyberPanel:
- CVE-2024-51567: Command injection vulnerability in the "upgrademysqlstatus" endpoint.
- CVE-2024-51568: Command Injection via the "completePath" parameter in the "outputExecutioner" sink.
- CVE-2024-51378: Unauthenticated RCE in "/ftp/getresetstatus" and "/dns/getresetstatus".

These vulnerabilities were exploited in ransomware campaigns affecting over 22,000 CyberPanel instances, with the PSAUX ransomware being the primary actor in these attacks.
Nuclei
CyberPanel - Command Injection
nuclei·CVSS 9.8
Template:
```yaml
id: CVE-2024-51568

info:
  name: CyberPanel - Command Injection
  author: s4e-io
  severity: critical
  description: |
    CyberPanel (aka Cyber Panel) before 2.3.5 allows Command Injection via completePath in the ProcessUtilities.outputExecutioner() sink. There is /filemanager/upload (aka File Manager upload) unauthenticated remote code execution via shell metacharacters.
  impact: |
    Attackers can exploit this vulnerability to compromise system security.
  remediation: |
    Apply security patches to address CVE-202
```