CVE-2024-51378

CVE-2024-51378 is a critical-severity vulnerability in Cyberpanel with a CVSS 3.x base score of 10.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-12-04). The underlying weakness is classified as CWE-78.

Key facts

Description

getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.

CVE-2024-51378: CyberPanel getresetstatus Unauthenticated Command Injection

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2024-51378
CWE CWE-78 (OS Command Injection)
CVSS 3.1 10.0 (CRITICAL) — AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS 0.94878 (99.85th percentile)
KEV Yes (CISA, 2024-12-04; EU exploited, 2024-12-04)
Vendor CyberPanel
Affected ≤ 2.3.6, unpatched 2.3.7
Patched Commit 1c0c6cb and later

Summary

CyberPanel versions through 2.3.6 and unpatched 2.3.7 contain an unauthenticated OS command injection vulnerability in the getresetstatus endpoints (/dns/getresetstatus and /ftp/getresetstatus). The secMiddleware authentication layer is only enforced on POST requests, allowing GET requests to reach the backend without authentication. The statusfile parameter is passed directly to a shell command without sanitization, enabling remote attackers to inject arbitrary commands via shell metacharacters. This vulnerability has been actively exploited in the wild by the PSAUX ransomware group.

Background

CyberPanel is a web hosting control panel built on OpenLiteSpeed, widely used for managing websites, DNS, FTP, and databases through a web-based administrative interface. In October 2024, security researchers and the vendor confirmed that attackers were exploiting a flaw in the panel's getresetstatus functionality to compromise servers at scale.

Root Cause

The vulnerability maps to CWE-78: Improper Neutralization of Special Elements used in an OS Command.

The root cause has two components:

  1. Authentication bypass: secMiddleware (CyberPanel's security middleware) only validates requests for the POST method. The getresetstatus endpoints accept GET requests, which bypass the middleware entirely.
  2. Command injection: The statusfile parameter from the incoming request is concatenated directly into a shell command string without input validation, escaping, or parameterization. Attackers can inject shell metacharacters (e.g., semicolons, pipes, backticks, command substitution) to execute arbitrary commands with the privileges of the web server process.

Impact

With a CVSS 3.1 score of 10.0 (CRITICAL), this vulnerability presents maximum severity:

  • Attack Vector: Network — exploitable remotely over the internet.
  • Attack Complexity: Low — no special conditions or prerequisites.
  • Privileges Required: None — fully unauthenticated.
  • User Interaction: None — can be exploited without any user action.
  • Scope: Changed — the vulnerable component impacts resources beyond its own security scope.
  • Confidentiality / Integrity / Availability: All HIGH.

Successful exploitation allows an unauthenticated attacker to achieve full remote code execution (RCE) on the underlying server, leading to complete system compromise, data exfiltration, lateral movement, and ransomware deployment.

Exploitation Walkthrough

The attack vector is conceptually simple and does not require authentication:

  1. An attacker identifies an exposed CyberPanel instance.
  2. They send a GET request to /dns/getresetstatus or /ftp/getresetstatus.
  3. The statusfile parameter is populated with a payload containing shell metacharacters (e.g., using backticks or command substitution to append a malicious command).
  4. Because secMiddleware does not inspect GET requests, the request reaches the backend unauthenticated.
  5. The backend constructs a shell command string that includes the attacker-controlled statusfile value and executes it.
  6. The injected command runs with the privileges of the web server or application user, enabling further compromise.

(This description is provided for defensive and detection purposes only. No exploit code or step-by-step weaponization instructions are included. The PSAUX ransomware group has already demonstrated this vulnerability's severe real-world impact in mass attacks.)

Affected and Patched Versions

Status Versions
Affected CyberPanel ≤ 2.3.6 and unpatched 2.3.7
Patched Commit 1c0c6cbcf71abe573da0b5fddfb9603e7477f683 and subsequent releases

The vendor published a dedicated security blog and change-log entry detailing the issue and remediation.

Remediation

  1. Upgrade immediately to CyberPanel 2.3.8 or the latest available version that includes commit 1c0c6cb.
  2. Apply the patch manually from the vendor's GitHub if upgrading is not immediately feasible.
  3. Restrict access to the CyberPanel administrative interface via IP allowlisting, VPN, or network segmentation.
  4. Deploy WAF rules to block requests to /dns/getresetstatus and /ftp/getresetstatus containing shell metacharacters in the statusfile parameter.
  5. Audit existing server configurations for unauthorized users, cron jobs, or web shells that may have been planted during exploitation.

Detection

  • Monitor HTTP access logs for GET requests to /dns/getresetstatus or /ftp/getresetstatus with unusual statusfile values.
  • Alert on shell metacharacters in URL parameters: ;, |, &, `, $(...), ||, &&.
  • Monitor process-spawn events initiated by the web server or application user.
  • Review system integrity for unauthorized file modifications, new cron entries, or unexpected outbound connections.
  • Cross-reference host indicators with CISA KEV entries and PSAUX ransomware IOCs.

Assessment

This vulnerability carries an EPSS score of 0.94878 (99.85th percentile), indicating an exceptionally high probability of active exploitation. It is formally listed in:

  • The CISA Known Exploited Vulnerabilities (KEV) Catalog (added 2024-12-04)
  • The EU Exploited Vulnerabilities Database (EUVD-2024-45807, added 2024-12-04)

The PSAUX ransomware campaign that targeted approximately 22,000 exposed CyberPanel instances in October 2024 underscores the real-world severity and the urgency of patching.

Key Lessons

  1. Authentication middleware must be uniformly enforced across all HTTP methods — applying checks only to POST while leaving GET unprotected is a critical design flaw.
  2. Never pass user-controlled input directly to shell commands — use parameterized APIs, strict allowlists, or robust escaping. Where shell execution is unavoidable, validate against a known-safe pattern.

References

Frequently asked questions

What is CVE-2024-51378?
getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
How severe is CVE-2024-51378?
CVE-2024-51378 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2024-51378 being actively exploited?
Yes. CVE-2024-51378 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-12-04, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2024-51378?
CVE-2024-51378 affects Cyberpanel. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2024-51378?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2024-51378 have an EU (EUVD) identifier?
Yes. CVE-2024-51378 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-45807. It is also flagged as exploited in the EUVD (since 2024-12-04).
When was CVE-2024-51378 published?
CVE-2024-51378 was published on 2024-10-29 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Cyberpanel

All CVEs affecting Cyberpanel →

Other CWE-78 (OS Command Injection) vulnerabilities

Browse all CWE-78 (OS Command Injection) vulnerabilities →