# Command Injection Vulnerability in CyberPanel CVE-2024-51378: Analysis and Exploitation
A command injection vulnerability (CVE-2024-51378) has been discovered in CyberPanel versions up to and including 2.3.7. It allows attackers to bypass authentication and execute arbitrary commands via the /dns/getresetstatus and /ftp/getresetstatus endpoints. The issue is pinpointed in the dns/views.py and ftp/views.py files. This grants an attacker full control over the server without any authorization.
CyberPanel: Purpose and Architecture
CyberPanel is an open-source web hosting control panel built on OpenLiteSpeed. It handles domains, databases, FTP, email, and DNS through a web interface on port 8090. It's popular among hosting providers and developers for seamless integration with modern tech stacks.
The vulnerability impacts Ubuntu/Debian servers with the panel installed. An attacker can gain root access, compromising all hosted services.
Setting Up a Test Environment
To verify the vulnerability, spin up a VPS with Ubuntu and install a vulnerable version of CyberPanel:
- Update packages:
apt-get update
- Install wget and download the installer:
apt install wget
cd /opt
wget -O installer.sh https://cyberpanel.net/install.sh
- Run the installation:
chmod +x installer.sh
sh installer.sh
After rebooting, open https://<IP>:8090 for setup. This creates a test environment with vulnerable endpoints.
Technical Analysis of the Vulnerability
RCE stems from inadequate input validation in the /dns/getresetstatus and /ftp/getresetstatus handlers. Query parameters are passed directly to shell commands without proper escaping, enabling injection.
Example exploitation using the public PoC:
git clone https://github.com/refr4g/CVE-2024-51378.git
cd CVE-2024-51378
python3 CVE-2024-51378.py http://target.com:8090 /ftp/getresetstatus
The script sends a crafted request that executes the payload on the server. The outcome is a reverse shell or root-level command execution. In a test setup, this enables flag extraction or persistence.
Key Attack Vectors:
- Bypassing authentication without credentials.
- Execution of
os.system()with user-controlled input. - Privilege escalation to root due to the panel's context.
Impact Metrics and Detection
The vulnerability scores CVSS 9.8 (Critical) and affects all installations before the 2.3.7 patch. To detect it, review logs in /home/cyberpanel/logs/ for suspicious /getresetstatus requests or monitor traffic on port 8090.
Verification Steps:
- Check version:
cyberpanel version. - Test endpoints with curl:
curl 'http://target:8090/ftp/getresetstatus?param=;id'. If it returnsuid=0(root), the vulnerability exists. - Use scanners like Nuclei with the CVE-2024-51378 template.
Remediation Measures
- Update to 2.3.7+ with the patch: follow panel or CLI instructions.
- Restrict access: firewall port 8090 (e.g.,
ufw allow from IP-range), or use VPN. - Deploy a WAF like ModSecurity to block injections.
- Audit:
grep -r 'getresetstatus' /usr/local/CyberCP/for custom modifications.
Regular updates and least-privilege principles help minimize risks.
Key Takeaways
- The vulnerability enables RCE without authentication via
/dns/getresetstatusand/ftp/getresetstatusin versions ≤2.3.7. - Patch available; immediate updates critical for production.
- Test your environment with the PoC before patching to avoid false positives.
- Monitor port 8090 and logs for command injection patterns.
- Limit external panel access via firewall/VPN.
— Editorial Team
No comments yet.