CVE-2024-51568

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

Published: Oct 29, 2024 / Updated: 21d ago

010
CVSS 10EPSS 0.05%Critical
CVE info copied to clipboard

Summary

CyberPanel (aka Cyber Panel) before version 2.3.5 contains a Command Injection vulnerability in the ProcessUtilities.outputExecutioner() sink. This vulnerability can be exploited through the /filemanager/upload (File Manager upload) functionality, allowing unauthenticated remote code execution via shell metacharacters.

Impact

This vulnerability has severe impacts: 1. Unauthenticated Access: Attackers can exploit this vulnerability without needing any authentication, significantly lowering the barrier for exploitation. 2. Remote Code Execution: Attackers can execute arbitrary code on the affected system, potentially leading to full system compromise. 3. High Confidentiality Impact: Attackers may access, modify, or exfiltrate sensitive data stored on the system. 4. High Integrity Impact: The ability to execute arbitrary commands allows attackers to modify system files and data, compromising the integrity of the affected system. 5. High Availability Impact: Attackers could disrupt services, delete critical files, or render the system inoperable. 6. Scope Change: The vulnerability may allow attackers to impact resources beyond the vulnerable component, potentially affecting other parts of the infrastructure.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. CyberPanel version 2.3.5 and later have addressed this vulnerability. Users should upgrade to version 2.3.5 or the latest available version to mitigate this issue.

Mitigation

1. Immediate Upgrade: Upgrade CyberPanel to version 2.3.5 or the latest available version as soon as possible. 2. Network Segmentation: If immediate patching is not possible, isolate CyberPanel servers from untrusted networks. 3. Web Application Firewall (WAF): Implement a WAF to help filter out malicious requests targeting the vulnerable endpoint. 4. Access Control: Restrict access to the /filemanager/upload functionality to only trusted, authenticated users if possible. 5. Monitoring: Implement robust logging and monitoring for any suspicious activities, particularly focusing on file upload operations and unexpected command executions. 6. Regular Security Audits: Conduct regular security assessments to identify and address similar vulnerabilities in the future.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-51568

Oct 29, 2024 at 11:15 PM
CVSS

A CVSS base score of 10 has been assigned.

Oct 29, 2024 at 11:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-51568. See article

Oct 29, 2024 at 11:22 PM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 29, 2024 at 11:22 PM
Exploitation in the Wild

Attacks in the wild have been reported by Vulnerability Archives • Cybersecurity News. See article

Threat Intelligence Report

CVE-2024-51568 is a critical command injection vulnerability in CyberPanel's ProcessUtilities.outputExecutioner() function, allowing unauthenticated attackers to execute arbitrary commands via file uploads in the File Manager, leading to remote code execution. This flaw is currently under active exploitation by threat actors deploying PSAUX ransomware, and it affects CyberPanel versions 2.3.6 and 2.3.7. There is no information provided regarding CVSS scores, proof-of-concept exploits, mitigations, detections, patches, or downstream impacts on third-party vendors. See article

Oct 30, 2024 at 2:50 AM
Attribution of Exploits

The vulnerability is known to be exploited by PSAUX. See article

Oct 30, 2024 at 8:38 AM / Talkback Resources
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.7%)

Oct 30, 2024 at 10:18 AM
Static CVE Timeline Graph

Affected Systems

Cyberpanel/cyberpanel
+null more

Links to Malware Families

PSAUX
+null more

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection
+null more

References

Over 22,000 CyberPanel Servers at Risk from Critical Vulnerabilities Exploitation by PSAUX Ransomware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware
Threat actor’s have been actively exploiting three Remote Code Execution (RCE) vulnerabilities in CyberPanel, a popular web hosting control panel. The affected CyberPanel versions include 2.3.6 and 2.3.7, enabling attackers to completely take over vulnerable systems.
Over 22,000 CyberPanel Servers at Risk from Critical Vulnerabilities Exploitation by PSAUX Ransomware
Over 22,000 CyberPanel Servers at Risk from Critical Vulnerabilities Exploitation by PSAUX Ransomware Threat actor’s have been actively exploiting three Remote Code Execution (RCE) vulnerabilities in CyberPanel, a popular web hosting control panel.
Over 22,000 CyberPanel Servers at Risk from Critical Vulnerabilities Exploitation by PSAUX Ransomware
Over 22,000 CyberPanel Servers at Risk from Critical Vulnerabilities Exploitation by PSAUX Ransomware Threat actor’s have been actively exploiting three Remote Code Execution (RCE) vulnerabilities in CyberPanel, a popular web hosting control panel.
See 2 more references

News

November 8 Advisory: CyberPanel Command Injection Vulnerabilities [CVE-2024-51567, CVE-2024-51568]
Last week, we reported on CVE-2024-51378, a critical unauthenticated remote code execution (RCE) vulnerability in CyberPanel through the getresetstatus endpoint, which is actively being exploited by various ransomware gangs including the PSAUX operation. CVE-2024-51567 exploits the upgrademysqlstatus asset in databases/views.py before 5b08cd6, allowing remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX.
Major IT Vulnerabilities Reported In Fortinet, SonicWall, Grafana
Organizations are urged to quickly assess their environments for these vulnerabilities and implement necessary patches and mitigations. While Fortinet did notify some customers of a vulnerability in FortiManager with recommended mitigations, reports indicate that not all customers received this communication, highlighting a potential gap in the advisory process.
Vulnerable Fortinet, SonicWall devices proliferate online
While 427,000 Fortinet devices running on FortiOS, FortiProxy, FortiSwitchManager, and FortiPAM iterations impacted by the critical CVE-2024-23113 flaw, another 62,000 FortiManager instances remain susceptible to attacks leveraging the CVE-2024-47575 bug, also known as FortiJump.
New Vulnerabilities in Fortinet, SonicWall, and Grafana Pose Significant Risks
Organizations are urged to quickly assess their environments for these vulnerabilities and implement necessary patches and mitigations. While Fortinet did notify some customers of a vulnerability in FortiManager with recommended mitigations, reports indicate that not all customers received this communication, highlighting a potential gap in the advisory process.
What Are My OPTIONS? CyberPanel v2.3.6 pre-auth RCE
Few months ago I was assigned to do a pentest on a target running CyberPanel. It seemed to be installed by default by some VPS providers & it was also sponsored by Freshworks. I was clueless on how to pwn the target as the functionalities were very limited, so I thought about it differently, let’s […]
See 28 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Changed
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI