Back to Home

CVE-2024-51378 CyberPanel: RCE vulnerability

In CyberPanel versions up to 2.3.7, an RCE vulnerability CVE-2024-51378 was discovered through getresetstatus endpoints. The article covers setting up a test environment, PoC exploitation, and patching recommendations to prevent server compromise.

RCE in CyberPanel: auth bypass and root access CVE-2024-51378
Advertisement 728x90

# Command Injection Vulnerability in CyberPanel CVE-2024-51378: Analysis and Exploitation

A command injection vulnerability (CVE-2024-51378) has been discovered in CyberPanel versions up to and including 2.3.7. It allows attackers to bypass authentication and execute arbitrary commands via the /dns/getresetstatus and /ftp/getresetstatus endpoints. The issue is pinpointed in the dns/views.py and ftp/views.py files. This grants an attacker full control over the server without any authorization.

CyberPanel: Purpose and Architecture

CyberPanel is an open-source web hosting control panel built on OpenLiteSpeed. It handles domains, databases, FTP, email, and DNS through a web interface on port 8090. It's popular among hosting providers and developers for seamless integration with modern tech stacks.

The vulnerability impacts Ubuntu/Debian servers with the panel installed. An attacker can gain root access, compromising all hosted services.

Google AdInline article slot

Setting Up a Test Environment

To verify the vulnerability, spin up a VPS with Ubuntu and install a vulnerable version of CyberPanel:

  • Update packages:
apt-get update
  • Install wget and download the installer:
apt install wget
cd /opt
wget -O installer.sh https://cyberpanel.net/install.sh
  • Run the installation:
chmod +x installer.sh
sh installer.sh

After rebooting, open https://<IP>:8090 for setup. This creates a test environment with vulnerable endpoints.

Technical Analysis of the Vulnerability

RCE stems from inadequate input validation in the /dns/getresetstatus and /ftp/getresetstatus handlers. Query parameters are passed directly to shell commands without proper escaping, enabling injection.

Google AdInline article slot

Example exploitation using the public PoC:

git clone https://github.com/refr4g/CVE-2024-51378.git
cd CVE-2024-51378
python3 CVE-2024-51378.py http://target.com:8090 /ftp/getresetstatus

The script sends a crafted request that executes the payload on the server. The outcome is a reverse shell or root-level command execution. In a test setup, this enables flag extraction or persistence.

Key Attack Vectors:

Google AdInline article slot
  • Bypassing authentication without credentials.
  • Execution of os.system() with user-controlled input.
  • Privilege escalation to root due to the panel's context.

Impact Metrics and Detection

The vulnerability scores CVSS 9.8 (Critical) and affects all installations before the 2.3.7 patch. To detect it, review logs in /home/cyberpanel/logs/ for suspicious /getresetstatus requests or monitor traffic on port 8090.

Verification Steps:

  • Check version: cyberpanel version.
  • Test endpoints with curl: curl 'http://target:8090/ftp/getresetstatus?param=;id'. If it returns uid=0(root), the vulnerability exists.
  • Use scanners like Nuclei with the CVE-2024-51378 template.

Remediation Measures

  • Update to 2.3.7+ with the patch: follow panel or CLI instructions.
  • Restrict access: firewall port 8090 (e.g., ufw allow from IP-range), or use VPN.
  • Deploy a WAF like ModSecurity to block injections.
  • Audit: grep -r 'getresetstatus' /usr/local/CyberCP/ for custom modifications.

Regular updates and least-privilege principles help minimize risks.

Key Takeaways

  • The vulnerability enables RCE without authentication via /dns/getresetstatus and /ftp/getresetstatus in versions ≤2.3.7.
  • Patch available; immediate updates critical for production.
  • Test your environment with the PoC before patching to avoid false positives.
  • Monitor port 8090 and logs for command injection patterns.
  • Limit external panel access via firewall/VPN.

— Editorial Team

Advertisement 728x90

Read Next