What is CyberPanel?
CyberPanel is an open-source web hosting control panel. See CVE-2024-51567 for the full product context on the October 2024 mass exploitation event.
Overview
CVE-2024-51378 is an OS command injection vulnerability (CWE-78) in CyberPanel that is the second of two simultaneous CVSS 10.0 vulnerabilities exploited in the October 2024 mass PSAUX ransomware attack alongside CVE-2024-51567. Where CVE-2024-51567 exploits missing authentication on the upgrademysqlstatus endpoint, CVE-2024-51378 exploits shell metacharacter injection in the statusfile property, also allowing unauthenticated root command execution. CISA added this CVE to the KEV catalog one month after CVE-2024-51567, suggesting it was confirmed as an additional exploitation vector used in the same campaign.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| CyberPanel | < 2.3.8 | 2.3.8 |
Technical Details
The OS command injection (CWE-78) occurs in CyberPanel's statusfile property handling. As with CVE-2024-51567, insufficient authentication and input sanitization allow an unauthenticated attacker to inject shell metacharacters through the statusfile parameter of an API endpoint. The injected commands execute in the context of the CyberPanel process, which runs as root.
Attack characteristics:
- Unauthenticated — no credentials required (incorrect default permissions)
- Shell metacharacters injected via the statusfile property bypass authentication and execute commands
- Commands run as root with access to all hosted websites, databases, and system resources
Relationship to CVE-2024-51567: Both vulnerabilities were exploited simultaneously in the October 2024 PSAUX ransomware campaign. They represent two distinct injection paths in the same CyberPanel codebase — attackers likely used whichever path worked against each target's specific configuration or CyberPanel version. The one-month delay between CISA KEV listings (Nov 7 for 51567, Dec 4 for 51378) reflects that 51378's exploitation was confirmed separately from the initial wave.
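The following Python is an added illustration written for this page, not CyberPanel's code and not the patch the project shipped. It shows the defensive pattern that closes a CWE-78 hole of the kind described above: a strict allowlist on the statusfile value, confinement of the resolved path to one directory, and reading the file without ever handing the value to a shell. It also includes a log check that flags requests whose statusfile query value carries shell metacharacters or traversal, which is what a responder would want when reviewing access logs from the October 2024 window. The endpoint path `/example/status`, the log format, and the sample log lines are constructed for the example; only the parameter name statusfile comes from the page.

```python
"""Added example (not CyberPanel's code): hardening and detection for a
shell-injectable file-name parameter such as statusfile."""
import os
import re
import subprocess
from urllib.parse import parse_qs, urlparse

# Allowlist: a bare file name of safe characters. Path separators, whitespace
# and every shell metacharacter fail this pattern outright.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

# Characters /bin/sh would interpret if the value were interpolated into a
# command string, plus the traversal token; used to rank log hits below.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r]|\.\./")

# Combined access-log format (constructed; adapt to the real server's format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def is_safe_status_name(name: str) -> bool:
    """True only for values that match the allowlist exactly."""
    return SAFE_NAME.fullmatch(name) is not None


def resolve_status_path(name: str, base_dir: str) -> str:
    """Map a user-supplied status file name to a path confined to base_dir.

    Raises ValueError for anything outside the allowlist or escaping base_dir.
    """
    if not is_safe_status_name(name):
        raise ValueError(f"rejected status file name: {name!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # Defence in depth: a name that passed the regex must still resolve inside base_dir.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"status file escapes base directory: {name!r}")
    return candidate


def tail_status(path: str, lines: int = 20) -> str:
    """Read the tail of an already-validated status file without a shell.

    In argv-list form each element reaches execve() verbatim, so a value such
    as 'x; id' would be looked up as a literal file name, never parsed by sh.
    Pass only paths returned by resolve_status_path().
    """
    result = subprocess.run(
        ["tail", "-n", str(lines), path],
        shell=False, capture_output=True, text=True, check=False,
    )
    return result.stdout


def flag_statusfile_requests(log_lines, param="statusfile"):
    """Return (client_ip, decoded_value, reason) for requests whose `param`
    query value would fail the allowlist; 'metachar' marks the higher-risk ones."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, target, _status = m.groups()
        # parse_qs percent-decodes, so %3B is seen as ';' just as the app would.
        query = parse_qs(urlparse(target).query, keep_blank_values=True)
        for value in query.get(param, []):
            if SHELL_META.search(value):
                hits.append((ip, value, "metachar"))
            elif not is_safe_status_name(value):
                hits.append((ip, value, "allowlist"))
    return hits


# Constructed sample log lines; the endpoint path is a placeholder.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Oct/2024:10:00:00 +0000] "GET /example/status?statusfile=job1.log HTTP/1.1" 200 512',
    '203.0.113.9 - - [27/Oct/2024:10:00:01 +0000] "GET /example/status?statusfile=job1.log%3Bid HTTP/1.1" 200 77',
    '198.51.100.7 - - [27/Oct/2024:10:00:02 +0000] "GET /example/status?statusfile=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0',
    '198.51.100.8 - - [27/Oct/2024:10:00:03 +0000] "POST /example/status HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for ip, value, reason in flag_statusfile_requests(SAMPLE_LOG):
        print(f"{ip} {reason}: {value!r}")
    print(resolve_status_path("job1.log", "/srv/status"))
```

The two halves are deliberately the same rule applied in two places: the allowlist that the handler enforces is also the predicate the log scan uses, so any request the scan flags is one the hardened handler would have refused.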
Exploitation Context
Part of the same PSAUX ransomware mass exploitation campaign that compromised ~22,000 CyberPanel servers in October 2024. See CVE-2024-51567 for the full exploitation context including timeline, scale, and ransomware details.
Remediation
- Upgrade CyberPanel to 2.3.8 — patches both CVE-2024-51567 and CVE-2024-51378 simultaneously. The CISA deadline was December 25, 2024.
- Restrict CyberPanel to non-internet-facing access via IP allowlisting or VPN.
- Scan for PSAUX ransomware, cryptominers, and webshells on all hosted sites.
- See CVE-2024-51567 for full remediation guidance applicable to both CVEs.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-51378 |
| Vendor / Product | CyberPersons — CyberPanel |
| NVD Published | 2024-10-29 |
| NVD Last Modified | 2025-11-07 |
| CVSS 3.1 Score | 10 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-78 |
| CISA KEV Added | 2024-12-04 |
| CISA KEV Deadline | 2024-12-25 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2024-10-27 | Mass exploitation by PSAUX ransomware actors; ~22,000 servers compromised alongside CVE-2024-51567 |
| 2024-10-29 | CVE published; CyberPanel releases patch 2.3.8 |
| 2024-12-04 | CISA adds to KEV (one month after CVE-2024-51567 KEV listing) |
| 2024-12-25 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| CyberPanel Change Logs — Security Fixes | Vendor Advisory |
| NVD — CVE-2024-51378 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |