CVE-2024-51378

10.0 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to bypass authentication and execute arbitrary commands on CyberPanel servers. Attackers can exploit unauthenticated endpoints to run shell commands via shell metacharacter injection. All CyberPanel installations up to version 2.3.7 are affected.

💻 Affected Systems

Products:
  • CyberPanel (aka Cyber Panel)
Versions: All versions before commit 1c0c6cb, including through 2.3.6 and unpatched 2.3.7
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both DNS and FTP modules via /dns/getresetstatus and /ftp/getresetstatus endpoints. The middleware protection only applies to POST requests, allowing GET request bypass.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands as the web server user, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Remote code execution leading to web server compromise, data exfiltration, or installation of backdoors and cryptocurrency miners.

🟢 If Mitigated

Limited impact if proper network segmentation, web application firewalls, and least privilege principles are implemented.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication and affects internet-facing control panels.
🏢 Internal Only: HIGH - Even internally, the vulnerability allows unauthenticated command execution on affected systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Actively exploited in the wild since October 2024 by threat actor PSAUX. Exploit requires minimal technical skill due to public details and simple injection vectors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 1c0c6cb and subsequent releases

Vendor Advisory: https://cyberpanel.net/blog/detials-and-fix-of-recent-security-issue-and-patch-of-cyberpanel

Restart Required: Yes

Instructions:

1. Update CyberPanel to the latest version via the CyberPanel interface or command line.
2. Apply commit 1c0c6cb if using a source installation.
3. Restart CyberPanel services and the web server.

🔧 Temporary Workarounds

Block vulnerable endpoints


Block access to /dns/getresetstatus and /ftp/getresetstatus endpoints at web server or firewall level

# For Apache (the rule does nothing unless the rewrite engine is enabled in the same context):
RewriteEngine On
RewriteRule ^/(dns|ftp)/getresetstatus - [F,L]

# For Nginx:
location ~ ^/(dns|ftp)/getresetstatus { return 403; }

Restrict network access


Limit CyberPanel access to trusted IP addresses only

# iptables example: replace TRUSTED_IP with your administrative address; the ACCEPT rule must be
# appended before the DROP rule, otherwise all access to port 8090 is blocked
iptables -A INPUT -p tcp --dport 8090 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 8090 -j DROP

🧯 If You Can't Patch

  • Immediately block the vulnerable endpoints (/dns/getresetstatus and /ftp/getresetstatus) at the web server or firewall level
  • Isolate affected systems from the internet and restrict network access to only necessary administrative IPs

🔍 How to Verify

Check if Vulnerable:

Check if CyberPanel version is 2.3.6 or earlier, or unpatched 2.3.7. Test if /dns/getresetstatus or /ftp/getresetstatus endpoints are accessible without authentication.

Check Version:

cyberpanel --version or check /usr/local/CyberPanel/version.txt

Verify Fix Applied:

Verify CyberPanel version is updated beyond commit 1c0c6cb. Test that /dns/getresetstatus and /ftp/getresetstatus endpoints now properly enforce authentication and sanitize input.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST/GET requests to /dns/getresetstatus or /ftp/getresetstatus
  • Shell command execution patterns in web server logs
  • Requests to these endpoints that succeed without an authenticated session (the middleware check only applies to POST, so GET requests bypass it)

Network Indicators:

  • Unusual outbound connections from CyberPanel server
  • Traffic to known malicious IPs or domains
  • Unexpected child processes spawned by the CyberPanel service listening on port 8090

SIEM Query:

source="web_server_logs" AND (uri="/dns/getresetstatus" OR uri="/ftp/getresetstatus") AND (status="200" OR method="GET")
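As an added example (not part of the original advisory or of CyberPanel itself), the following script applies the log indicators above to constructed combined-format access-log lines: it flags every request to the two endpoints, marks GET requests as a middleware bypass, flags shell metacharacters in the percent-decoded request target, and notes whether the request succeeded. The query parameter name in the sample lines is a placeholder, not a real CyberPanel parameter.

```python
import re
from urllib.parse import unquote

# Combined-log style line: client - - [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

VULN_PATHS = ("/dns/getresetstatus", "/ftp/getresetstatus")
SHELL_META = re.compile(r"[;|&`$<>\n]")  # characters that split or chain shell commands

def classify(line):
    """Return the list of indicator tags for one access-log line (empty if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    target = unquote(m.group("target"))      # decode %3B etc. before inspecting
    path = target.split("?", 1)[0]
    if path not in VULN_PATHS:
        return []
    tags = ["vuln_endpoint"]
    if m.group("method") == "GET":
        tags.append("get_bypass")            # middleware only guards POST requests
    if SHELL_META.search(target):
        tags.append("shell_metachar")
    if m.group("status") == "200":
        tags.append("succeeded")
    return tags

def scan(lines):
    """Return (client_ip, tags) for every line that touches a vulnerable endpoint."""
    hits = []
    for line in lines:
        tags = classify(line)
        if "vuln_endpoint" in tags:
            hits.append((LOG_RE.match(line).group("ip"), tags))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic)
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Oct/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '198.51.100.9 - - [28/Oct/2024:10:00:05 +0000] "GET /dns/getresetstatus?p=a%3Bb HTTP/1.1" 200 48',
    '198.51.100.9 - - [28/Oct/2024:10:00:06 +0000] "POST /ftp/getresetstatus HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG):
        print(ip, ",".join(tags))
```

Point `scan()` at lines read from your real access log; any hit tagged get_bypass and succeeded on an unpatched host warrants incident-response follow-up.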

🔗 References
