CVE-2024-51567
CVE-2024-51567 is a critical-severity vulnerability in Cyberpanel with a CVSS 3.x base score of 10.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-11-07). The underlying weakness is classified as CWE-306.
Key facts
- Severity: Critical (CVSS 3.x base score 10.0)
- EPSS exploit prediction: 87% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2024-11-07)
- EU (EUVD) id: EUVD-2024-45733
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2024-11-07)
- Weakness: CWE-306
- Affected product: Cyberpanel
- Published:
- Last modified:
Description
upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
CVE-2024-51567: CyberPanel Authentication Bypass and Remote Command Execution
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE | CVE-2024-51567 |
| CVSS 3.1 | 10.0 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) |
| EPSS | 0.86725 (99.7th percentile) |
| KEV | Listed 2024-11-07 |
| CWE | CWE-306 (Missing Authentication for Critical Function) |
| Affected | CyberPanel through 2.3.6 and unpatched 2.3.7 |
| Patched | Commit 5b08cd6 |
Summary
CyberPanel's upgrademysqlstatus endpoint in databases/views.py allows unauthenticated remote attackers to bypass authentication and execute arbitrary commands. The vulnerability was actively exploited in the wild in October 2024 by the PSAUX ransomware group, targeting approximately 22,000 CyberPanel instances.
Background
CyberPanel is an open-source web hosting control panel built on OpenLiteSpeed and LiteSpeed Enterprise. The upgrademysqlstatus functionality is part of the database management module. In affected versions, this endpoint is exposed to the network without adequate access controls, making it reachable by any remote user.
Root Cause
The primary weakness is CWE-306: Missing Authentication for Critical Function. The secMiddleware authentication layer only applies to POST requests, leaving GET requests to /dataBases/upgrademysqlstatus unprotected. The statusfile parameter is passed directly to a shell command without proper sanitization, introducing command injection behavior (see also CWE-78 referenced in the advisory sources). The combination of authentication bypass and unsafe input handling allows pre-authentication remote code execution.
Impact
- Attack Vector (AV): Network — exploitable remotely without network segmentation.
- Attack Complexity (AC): Low — no special conditions or advanced techniques required.
- Privileges Required (PR): None — completely unauthenticated.
- User Interaction (UI): None — fully automated exploitation possible.
- Scope (S): Changed — the vulnerable component impacts resources beyond its own security scope.
- Confidentiality (C): High — complete data disclosure is possible.
- Integrity (I): High — attacker can modify any data or system files.
- Availability (A): High — the attacker can render the system fully unavailable.
This yields a CVSS 3.1 score of 10.0 (Critical).
Exploitation Walkthrough
Ethics and legal notice: This section is provided for defensive awareness only. Attempting to exploit systems without explicit authorization is illegal and unethical.
An attacker can send a GET request to the /dataBases/upgrademysqlstatus endpoint and supply a malicious statusfile value containing shell metacharacters. Because the endpoint is not protected by the authentication middleware for GET requests, the request is processed without credentials. The application passes the user-supplied statusfile value into a shell execution context, allowing the attacker to run arbitrary operating system commands with the privileges of the web server process.
Affected and Patched Versions
- Affected: CyberPanel through version 2.3.6, and unpatched 2.3.7 installations.
- Patched: Commit
5b08cd6in the official CyberPanel repository. Users should upgrade to the latest available release beyond this commit.
Remediation
- Upgrade immediately to a CyberPanel version that includes commit
5b08cd6or later. - Restrict access to the CyberPanel administrative interface using network-level controls (IP allowlists, VPNs, or reverse proxy rules) until patching is complete.
- Web Application Firewall (WAF): Deploy rules that block requests to
/dataBases/upgrademysqlstatuscontaining shell metacharacters in thestatusfileparameter. - Review middleware logic: Ensure authentication middleware applies uniformly across all HTTP methods (GET, POST, PUT, DELETE, etc.) for sensitive endpoints.
Detection
- Monitor web access logs for GET requests to
/dataBases/upgrademysqlstatuswith unusualstatusfilevalues, especially those containing shell metacharacters such as|,;,&,`,$(), or redirect operators. - Correlate suspicious activity with known PSAUX ransomware indicators of compromise (IOCs) from the October 2024 campaign.
- Check for unexpected child processes spawned by the CyberPanel application user or web server worker.
- Review file integrity on CyberPanel installations for unauthorized modifications.
Assessment
With an EPSS score of 0.86725 (99.7th percentile), this vulnerability has an extremely high probability of being exploited in the wild. Its presence on the CISA Known Exploited Vulnerabilities (KEV) catalog (added 2024-11-07) confirms active exploitation. The PSAUX ransomware campaign demonstrated mass-scale impact, compromising approximately 22,000 instances.
Key lessons:
- Authentication controls must not be method-specific; all HTTP methods for sensitive endpoints require uniform enforcement.
- Any parameter that reaches a shell execution context must be strictly validated and sanitized, or preferably avoided entirely by using safe APIs.
References
- https://cwe.mitre.org/data/definitions/420.html
- https://cwe.mitre.org/data/definitions/78.html
- https://cyberpanel.net/KnowledgeBase/home/change-logs/
- https://cyberpanel.net/blog/detials-and-fix-of-recent-security-issue-and-patch-of-cyberpanel
- https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce
- https://github.com/usmannasir/cyberpanel/commit/5b08cd6d53f4dbc2107ad9f555122ce8b0996515
- https://www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-51567
Frequently asked questions
- What is CVE-2024-51567?
- upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
- How severe is CVE-2024-51567?
- CVE-2024-51567 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2024-51567 being actively exploited?
- Yes. CVE-2024-51567 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-11-07, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2024-51567?
- CVE-2024-51567 affects Cyberpanel. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2024-51567?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2024-51567 have an EU (EUVD) identifier?
- Yes. CVE-2024-51567 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-45733. It is also flagged as exploited in the EUVD (since 2024-11-07).
- When was CVE-2024-51567 published?
- CVE-2024-51567 was published on 2024-10-29 and last updated on 2026-06-17.
References
- https://cwe.mitre.org/data/definitions/420.html
- https://cwe.mitre.org/data/definitions/78.html
- https://cyberpanel.net/KnowledgeBase/home/change-logs/
- https://cyberpanel.net/blog/detials-and-fix-of-recent-security-issue-and-patch-of-cyberpanel
- https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce
- https://github.com/usmannasir/cyberpanel/commit/5b08cd6d53f4dbc2107ad9f555122ce8b0996515
- https://www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-51567
Affected products (1)
- cpe:2.3:a:cyberpanel:cyberpanel:*:*:*:*:*:*:*:*
More vulnerabilities in Cyberpanel
- CVE-2024-51568 — Critical (CVSS 10.0): CyberPanel (aka Cyber Panel) before 2.3.5 allows Command Injection via completePath in the…
- CVE-2024-51378 — Critical (CVSS 10.0): getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers…
- CVE-2026-41473 — Critical (CVSS 9.1): CyberPanel versions prior to 2.4.4 contain an authentication bypass vulnerability in the AI Scanner worker API…
- CVE-2024-53376 — High (CVSS 8.8): CyberPanel before 2.3.8 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the…
- CVE-2019-13056 — High (CVSS 8.8): An issue was discovered in CyberPanel through 1.8.4. On the user edit page, an attacker can edit the administrator's…
- CVE-2026-41472 — Medium (CVSS 6.1): CyberPanel versions prior to 2.4.4 contain a stored cross-site scripting vulnerability in the AI Scanner dashboard…
All CVEs affecting Cyberpanel →
Other CWE-306 (Missing Authentication for Critical Function) vulnerabilities
- CVE-2026-54309 — Critical (CVSS 10.0): n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, when @n8n/mcp-browser is run in HTTP…
- CVE-2026-50242 — Critical (CVSS 10.0): In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429…
- CVE-2026-49257 — Critical (CVSS 10.0): mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1…
- CVE-2026-46846 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46803 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46800 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites).…
Browse all CWE-306 (Missing Authentication for Critical Function) vulnerabilities →