CVE-2024-51568
📋 TL;DR
CVE-2024-51568 is a critical command injection vulnerability in CyberPanel that allows unauthenticated attackers to execute arbitrary commands on affected systems. The vulnerability exists in the file upload functionality and can lead to complete system compromise. All CyberPanel installations before version 2.3.5 are affected.
💻 Affected Systems
- CyberPanel
📦 What is this software?
Cyberpanel by Cyberpanel
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with root privileges, data exfiltration, ransomware deployment, and persistent backdoor installation.
Likely Case
Unauthenticated remote code execution leading to web server compromise, data theft, and lateral movement within the network.
If Mitigated
Limited impact if proper network segmentation, WAF rules, and strict access controls are implemented.
🎯 Exploit Status
Public exploit code is available and exploitation requires minimal technical skill due to the unauthenticated nature.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.5
Vendor Advisory: https://cyberpanel.net/blog/cyberpanel-v2-3-5
Restart Required: Yes
Instructions:
1. Backup your CyberPanel configuration and data. 2. Run 'sh <(curl https://cyberpanel.net/install.sh || wget -O - https://cyberpanel.net/install.sh)'. 3. Select option 1 for 'Install CyberPanel'. 4. The installer will detect existing installation and upgrade to 2.3.5. 5. Restart CyberPanel services.
🔧 Temporary Workarounds
Block File Manager Access
linuxTemporarily block access to the vulnerable /filemanager/upload endpoint
iptables -A INPUT -p tcp --dport 8090 -m string --string "/filemanager/upload" --algo bm -j DROP
Web Application Firewall Rule
allAdd WAF rule to block shell metacharacters in upload requests
ModSecurity rule: SecRule ARGS "[;|&`$()]" "phase:2,deny,id:1001,msg:'CVE-2024-51568 Block'"
Cloudflare WAF: Create rule blocking requests with shell metacharacters to /filemanager/*
🧯 If You Can't Patch
- Immediately isolate CyberPanel instance from internet access
- Implement strict network segmentation and monitor for suspicious file upload activity
🔍 How to Verify
Check if Vulnerable:
Check CyberPanel version via web interface admin panel or run: cat /usr/local/CyberCP/version.txtCheck Version:
cat /usr/local/CyberCP/version.txtVerify Fix Applied:
Verify version is 2.3.5 or higher: cat /usr/local/CyberCP/version.txt | grep -E '2\.3\.([5-9]|[1-9][0-9])'📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /filemanager/upload containing shell metacharacters
- Suspicious commands in CyberPanel logs or system logs originating from web server user
Network Indicators:
- Unexpected outbound connections from CyberPanel server
- File upload requests with shell metacharacters in payload
SIEM Query:
source="cyberpanel.logs" AND (url="/filemanager/upload" AND (payload="*;*" OR payload="*|*" OR payload="*`*" OR payload="*$(*"))