CVE-2024-51567

CVE-2024-51567 is a critical-severity vulnerability in Cyberpanel with a CVSS 3.x base score of 10.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-11-07). The underlying weakness is classified as CWE-306.

Key facts

Description

upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.

CVE-2024-51567: CyberPanel Authentication Bypass and Remote Command Execution

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE CVE-2024-51567
CVSS 3.1 10.0 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS 0.86725 (99.7th percentile)
KEV Listed 2024-11-07
CWE CWE-306 (Missing Authentication for Critical Function)
Affected CyberPanel through 2.3.6 and unpatched 2.3.7
Patched Commit 5b08cd6

Summary

CyberPanel's upgrademysqlstatus endpoint in databases/views.py allows unauthenticated remote attackers to bypass authentication and execute arbitrary commands. The vulnerability was actively exploited in the wild in October 2024 by the PSAUX ransomware group, targeting approximately 22,000 CyberPanel instances.

Background

CyberPanel is an open-source web hosting control panel built on OpenLiteSpeed and LiteSpeed Enterprise. The upgrademysqlstatus functionality is part of the database management module. In affected versions, this endpoint is exposed to the network without adequate access controls, making it reachable by any remote user.

Root Cause

The primary weakness is CWE-306: Missing Authentication for Critical Function. The secMiddleware authentication layer only applies to POST requests, leaving GET requests to /dataBases/upgrademysqlstatus unprotected. The statusfile parameter is passed directly to a shell command without proper sanitization, introducing command injection behavior (see also CWE-78 referenced in the advisory sources). The combination of authentication bypass and unsafe input handling allows pre-authentication remote code execution.

Impact

  • Attack Vector (AV): Network — exploitable remotely without network segmentation.
  • Attack Complexity (AC): Low — no special conditions or advanced techniques required.
  • Privileges Required (PR): None — completely unauthenticated.
  • User Interaction (UI): None — fully automated exploitation possible.
  • Scope (S): Changed — the vulnerable component impacts resources beyond its own security scope.
  • Confidentiality (C): High — complete data disclosure is possible.
  • Integrity (I): High — attacker can modify any data or system files.
  • Availability (A): High — the attacker can render the system fully unavailable.

This yields a CVSS 3.1 score of 10.0 (Critical).

Exploitation Walkthrough

Ethics and legal notice: This section is provided for defensive awareness only. Attempting to exploit systems without explicit authorization is illegal and unethical.

An attacker can send a GET request to the /dataBases/upgrademysqlstatus endpoint and supply a malicious statusfile value containing shell metacharacters. Because the endpoint is not protected by the authentication middleware for GET requests, the request is processed without credentials. The application passes the user-supplied statusfile value into a shell execution context, allowing the attacker to run arbitrary operating system commands with the privileges of the web server process.

Affected and Patched Versions

  • Affected: CyberPanel through version 2.3.6, and unpatched 2.3.7 installations.
  • Patched: Commit 5b08cd6 in the official CyberPanel repository. Users should upgrade to the latest available release beyond this commit.

Remediation

  1. Upgrade immediately to a CyberPanel version that includes commit 5b08cd6 or later.
  2. Restrict access to the CyberPanel administrative interface using network-level controls (IP allowlists, VPNs, or reverse proxy rules) until patching is complete.
  3. Web Application Firewall (WAF): Deploy rules that block requests to /dataBases/upgrademysqlstatus containing shell metacharacters in the statusfile parameter.
  4. Review middleware logic: Ensure authentication middleware applies uniformly across all HTTP methods (GET, POST, PUT, DELETE, etc.) for sensitive endpoints.

Detection

  • Monitor web access logs for GET requests to /dataBases/upgrademysqlstatus with unusual statusfile values, especially those containing shell metacharacters such as |, ;, &, `, $(), or redirect operators.
  • Correlate suspicious activity with known PSAUX ransomware indicators of compromise (IOCs) from the October 2024 campaign.
  • Check for unexpected child processes spawned by the CyberPanel application user or web server worker.
  • Review file integrity on CyberPanel installations for unauthorized modifications.

Assessment

With an EPSS score of 0.86725 (99.7th percentile), this vulnerability has an extremely high probability of being exploited in the wild. Its presence on the CISA Known Exploited Vulnerabilities (KEV) catalog (added 2024-11-07) confirms active exploitation. The PSAUX ransomware campaign demonstrated mass-scale impact, compromising approximately 22,000 instances.

Key lessons:

  • Authentication controls must not be method-specific; all HTTP methods for sensitive endpoints require uniform enforcement.
  • Any parameter that reaches a shell execution context must be strictly validated and sanitized, or preferably avoided entirely by using safe APIs.

References

Frequently asked questions

What is CVE-2024-51567?
upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
How severe is CVE-2024-51567?
CVE-2024-51567 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2024-51567 being actively exploited?
Yes. CVE-2024-51567 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-11-07, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2024-51567?
CVE-2024-51567 affects Cyberpanel. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2024-51567?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2024-51567 have an EU (EUVD) identifier?
Yes. CVE-2024-51567 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-45733. It is also flagged as exploited in the EUVD (since 2024-11-07).
When was CVE-2024-51567 published?
CVE-2024-51567 was published on 2024-10-29 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Cyberpanel

All CVEs affecting Cyberpanel →

Other CWE-306 (Missing Authentication for Critical Function) vulnerabilities

Browse all CWE-306 (Missing Authentication for Critical Function) vulnerabilities →