CVE-2024-51378
CVE-2024-51378 is a critical-severity vulnerability in Cyberpanel with a CVSS 3.x base score of 10.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-12-04). The underlying weakness is classified as CWE-78.
Key facts
- Severity: Critical (CVSS 3.x base score 10.0)
- EPSS exploit prediction: 95% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2024-12-04)
- EU (EUVD) id: EUVD-2024-45807
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2024-12-04)
- Weakness: CWE-78
- Affected product: Cyberpanel
- Published:
- Last modified:
Description
getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
CVE-2024-51378: CyberPanel getresetstatus Unauthenticated Command Injection
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2024-51378 |
| CWE | CWE-78 (OS Command Injection) |
| CVSS 3.1 | 10.0 (CRITICAL) — AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| EPSS | 0.94878 (99.85th percentile) |
| KEV | Yes (CISA, 2024-12-04; EU exploited, 2024-12-04) |
| Vendor | CyberPanel |
| Affected | ≤ 2.3.6, unpatched 2.3.7 |
| Patched | Commit 1c0c6cb and later |
Summary
CyberPanel versions through 2.3.6 and unpatched 2.3.7 contain an unauthenticated OS command injection vulnerability in the getresetstatus endpoints (/dns/getresetstatus and /ftp/getresetstatus). The secMiddleware authentication layer is only enforced on POST requests, allowing GET requests to reach the backend without authentication. The statusfile parameter is passed directly to a shell command without sanitization, enabling remote attackers to inject arbitrary commands via shell metacharacters. This vulnerability has been actively exploited in the wild by the PSAUX ransomware group.
Background
CyberPanel is a web hosting control panel built on OpenLiteSpeed, widely used for managing websites, DNS, FTP, and databases through a web-based administrative interface. In October 2024, security researchers and the vendor confirmed that attackers were exploiting a flaw in the panel's getresetstatus functionality to compromise servers at scale.
Root Cause
The vulnerability maps to CWE-78: Improper Neutralization of Special Elements used in an OS Command.
The root cause has two components:
- Authentication bypass:
secMiddleware(CyberPanel's security middleware) only validates requests for the POST method. Thegetresetstatusendpoints accept GET requests, which bypass the middleware entirely. - Command injection: The
statusfileparameter from the incoming request is concatenated directly into a shell command string without input validation, escaping, or parameterization. Attackers can inject shell metacharacters (e.g., semicolons, pipes, backticks, command substitution) to execute arbitrary commands with the privileges of the web server process.
Impact
With a CVSS 3.1 score of 10.0 (CRITICAL), this vulnerability presents maximum severity:
- Attack Vector: Network — exploitable remotely over the internet.
- Attack Complexity: Low — no special conditions or prerequisites.
- Privileges Required: None — fully unauthenticated.
- User Interaction: None — can be exploited without any user action.
- Scope: Changed — the vulnerable component impacts resources beyond its own security scope.
- Confidentiality / Integrity / Availability: All HIGH.
Successful exploitation allows an unauthenticated attacker to achieve full remote code execution (RCE) on the underlying server, leading to complete system compromise, data exfiltration, lateral movement, and ransomware deployment.
Exploitation Walkthrough
The attack vector is conceptually simple and does not require authentication:
- An attacker identifies an exposed CyberPanel instance.
- They send a GET request to
/dns/getresetstatusor/ftp/getresetstatus. - The
statusfileparameter is populated with a payload containing shell metacharacters (e.g., using backticks or command substitution to append a malicious command). - Because
secMiddlewaredoes not inspect GET requests, the request reaches the backend unauthenticated. - The backend constructs a shell command string that includes the attacker-controlled
statusfilevalue and executes it. - The injected command runs with the privileges of the web server or application user, enabling further compromise.
(This description is provided for defensive and detection purposes only. No exploit code or step-by-step weaponization instructions are included. The PSAUX ransomware group has already demonstrated this vulnerability's severe real-world impact in mass attacks.)
Affected and Patched Versions
| Status | Versions |
|---|---|
| Affected | CyberPanel ≤ 2.3.6 and unpatched 2.3.7 |
| Patched | Commit 1c0c6cbcf71abe573da0b5fddfb9603e7477f683 and subsequent releases |
The vendor published a dedicated security blog and change-log entry detailing the issue and remediation.
Remediation
- Upgrade immediately to CyberPanel 2.3.8 or the latest available version that includes commit
1c0c6cb. - Apply the patch manually from the vendor's GitHub if upgrading is not immediately feasible.
- Restrict access to the CyberPanel administrative interface via IP allowlisting, VPN, or network segmentation.
- Deploy WAF rules to block requests to
/dns/getresetstatusand/ftp/getresetstatuscontaining shell metacharacters in thestatusfileparameter. - Audit existing server configurations for unauthorized users, cron jobs, or web shells that may have been planted during exploitation.
Detection
- Monitor HTTP access logs for GET requests to
/dns/getresetstatusor/ftp/getresetstatuswith unusualstatusfilevalues. - Alert on shell metacharacters in URL parameters:
;,|,&,`,$(...),||,&&. - Monitor process-spawn events initiated by the web server or application user.
- Review system integrity for unauthorized file modifications, new cron entries, or unexpected outbound connections.
- Cross-reference host indicators with CISA KEV entries and PSAUX ransomware IOCs.
Assessment
This vulnerability carries an EPSS score of 0.94878 (99.85th percentile), indicating an exceptionally high probability of active exploitation. It is formally listed in:
- The CISA Known Exploited Vulnerabilities (KEV) Catalog (added 2024-12-04)
- The EU Exploited Vulnerabilities Database (EUVD-2024-45807, added 2024-12-04)
The PSAUX ransomware campaign that targeted approximately 22,000 exposed CyberPanel instances in October 2024 underscores the real-world severity and the urgency of patching.
Key Lessons
- Authentication middleware must be uniformly enforced across all HTTP methods — applying checks only to POST while leaving GET unprotected is a critical design flaw.
- Never pass user-controlled input directly to shell commands — use parameterized APIs, strict allowlists, or robust escaping. Where shell execution is unavoidable, validate against a known-safe pattern.
References
- https://cyberpanel.net/blog/detials-and-fix-of-recent-security-issue-and-patch-of-cyberpanel
- https://github.com/usmannasir/cyberpanel/commit/1c0c6cbcf71abe573da0b5fddfb9603e7477f683
- https://refr4g.github.io/posts/cyberpanel-command-injection-vulnerability/
- https://www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-51378
- https://cwe.mitre.org/data/definitions/78.html
- https://cwe.mitre.org/data/definitions/420.html
- https://cyberpanel.net/KnowledgeBase/home/change-logs/
Frequently asked questions
- What is CVE-2024-51378?
- getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
- How severe is CVE-2024-51378?
- CVE-2024-51378 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2024-51378 being actively exploited?
- Yes. CVE-2024-51378 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-12-04, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2024-51378?
- CVE-2024-51378 affects Cyberpanel. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2024-51378?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2024-51378 have an EU (EUVD) identifier?
- Yes. CVE-2024-51378 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-45807. It is also flagged as exploited in the EUVD (since 2024-12-04).
- When was CVE-2024-51378 published?
- CVE-2024-51378 was published on 2024-10-29 and last updated on 2026-06-17.
References
- https://cwe.mitre.org/data/definitions/420.html
- https://cwe.mitre.org/data/definitions/78.html
- https://cyberpanel.net/KnowledgeBase/home/change-logs/
- https://cyberpanel.net/blog/detials-and-fix-of-recent-security-issue-and-patch-of-cyberpanel
- https://github.com/usmannasir/cyberpanel/commit/1c0c6cbcf71abe573da0b5fddfb9603e7477f683
- https://refr4g.github.io/posts/cyberpanel-command-injection-vulnerability/
- https://www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-51378
Affected products (1)
- cpe:2.3:a:cyberpanel:cyberpanel:*:*:*:*:*:*:*:*
More vulnerabilities in Cyberpanel
- CVE-2024-51568 — Critical (CVSS 10.0): CyberPanel (aka Cyber Panel) before 2.3.5 allows Command Injection via completePath in the…
- CVE-2024-51567 — Critical (CVSS 10.0): upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to…
- CVE-2026-41473 — Critical (CVSS 9.1): CyberPanel versions prior to 2.4.4 contain an authentication bypass vulnerability in the AI Scanner worker API…
- CVE-2024-53376 — High (CVSS 8.8): CyberPanel before 2.3.8 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the…
- CVE-2019-13056 — High (CVSS 8.8): An issue was discovered in CyberPanel through 1.8.4. On the user edit page, an attacker can edit the administrator's…
- CVE-2026-41472 — Medium (CVSS 6.1): CyberPanel versions prior to 2.4.4 contain a stored cross-site scripting vulnerability in the AI Scanner dashboard…
All CVEs affecting Cyberpanel →
Other CWE-78 (OS Command Injection) vulnerabilities
- CVE-2026-56004 — Critical (CVSS 10.0): A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by…
- CVE-2026-56415 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is…
- CVE-2026-56413 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens…
- CVE-2026-49869 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in…
- CVE-2026-49261 — Critical (CVSS 10.0): MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through…
- CVE-2026-10520 — Critical (CVSS 10.0): An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a…