cbcvebase.
CVE-2024-51568
published 2024-10-29

CVE-2024-51568: CyberPanel (aka Cyber Panel) before 2.3.5 allows Command Injection via completePath in the ProcessUtilities.outputExecutioner() sink. There is…

PriorityP195critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEVRansomwareInitial access
Exploited in the wild
EPSS
45.68%
98.6th percentile
CyberPanel (aka Cyber Panel) before 2.3.5 allows Command Injection via completePath in the ProcessUtilities.outputExecutioner() sink. There is /filemanager/upload (aka File Manager upload) unauthenticated remote code execution via shell metacharacters.

Affected

1 ranges
VendorProductVersion rangeFixed in
cyberpanelcyberpanel< 2.3.52.3.5

Detection & IOCsextracted from sources · hover to see the quote

url/filemanager/upload
command; curl -X POST http://{{interactsh-url}}
snort
alert http1 any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cyberpanel filemanager Command Injection Attempt (CVE-2024-51568)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:19; content:"/filemanager/upload"; http.cookie; content:"csrftoken|3d|"; http.header; content:"X-Csrftoken|3a 20|"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|domainName|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|completePath|22|"; distance:0; fast_pattern; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2024-51568; reference:url,dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce; classtype:attempted-admin; sid:2057158; rev:1; metadata:affected_product CyberPanel, attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_10_30, cve CVE_2024_51568, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2024_10_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit targets POST /filemanager/upload with a multipart/form-data body containing both 'domainName' and 'completePath' fields; shell metacharacters (;, newline, backtick, pipe, $) injected into the completePath value trigger RCE.
  • Requests to /filemanager/upload will carry an X-CSRFToken header and csrftoken cookie even though the endpoint is unauthenticated; the CSRF token is extracted from the initial GET / response and replayed.
  • Successful exploitation returns HTTP 200 with a JSON body containing both 'status":' and 'error_message":' keys; use these response fields to confirm exploitation.
  • CVE-2024-51568 was actively exploited in ransomware campaigns (PSAUX ransomware) against over 22,000 CyberPanel instances; treat any exploitation attempt as high-severity incident.
  • The URI /filemanager/upload has a fixed byte-size of 19; use a bsize:19 constraint in network signatures to reduce false positives.
  • ·The Snort/Suricata rule (sid:2057158) requires TLS decryption to be effective against HTTPS-protected CyberPanel instances, as indicated by the tls_state:TLSDecrypt metadata.
  • ·The Nuclei template requires two sequential HTTP requests: a GET / to harvest the csrftoken cookie, then the malicious POST; single-request detection will miss the full attack chain.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck10.0CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.