CVE-2024-51567 — CyberPanel Incorrect Default Permissions Vulnerability

CVE-2024-51567

CyberPanel — Pre-Auth Root RCE via upgrademysqlstatus; 22,000+ Servers Compromised; PSAUX Ransomware Mass Deployment

What is CyberPanel?

CyberPanel is an open-source web hosting control panel that manages WordPress sites, email servers, FTP accounts, DNS, and SSL certificates — commonly used by web hosting providers, resellers, and independent hosting operators to manage shared web hosting environments. Because CyberPanel manages multiple hosted websites per server and runs as root, vulnerabilities in CyberPanel can compromise all sites hosted on the server simultaneously.

Overview

CVE-2024-51567 is a missing-authentication flaw (CWE-306) in CyberPanel's upgrademysqlstatus endpoint. The view performs no session check of its own, and the request filter it relies on (secMiddleware) only inspects POST bodies, so a request sent with another HTTP method carries shell metacharacters straight into a command the view runs as root. A remote, unauthenticated attacker therefore gets arbitrary command execution as root. The CVSS 10.0 score reflects that the flaw is pre-authentication, needs no user interaction, is network-reachable, and yields full compromise of every site hosted on the server (scope Changed, S:C). Mass exploitation followed within about a day of public disclosure: roughly 22,000 CyberPanel instances were compromised within hours, and PSAUX ransomware was deployed on many of them.

Affected Versions

Product      Vulnerable   Fixed
CyberPanel   < 2.3.8      2.3.8 (patch released October 29, 2024)

Technical Details

The vulnerable handler is the Django view upgrademysqlstatus in databases/views.py, reachable at /dataBases/upgrademysqlstatus. The view performs no session or ACL check of its own; CyberPanel instead relies on its secMiddleware to reject request bodies containing shell metacharacters, but that middleware only inspects POST requests. A request sent with any other method (public exploits used OPTIONS) reaches the view with an unfiltered JSON body. The view reads the statusfile property from that body, concatenates it into a command string and hands the string to ProcessUtilities.outputExecutioner(), which runs it through a shell under sudo. Metacharacters in statusfile (for example a ";" followed by a command) therefore execute as root without any credentials.
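
The pattern described above, as an added example that is not CyberPanel's code: a reduced Python model of a POST-only request filter in front of a view that has no session check and splices the statusfile property into a shell command, beside a hardened version of the same view. The Request class, the sec_middleware_vulnerable and upgrademysqlstatus_* function names, the plain cat command and the temporary status file are assumptions standing in for the Django request object, secMiddleware, the sudo-wrapped command the real view runs, and CyberPanel's actual status file path.

```python
"""Added example, not CyberPanel's code: a reduced model of the CVE-2024-51567
pattern (request filter that only inspects POST bodies, view with no auth check
that splices a request property into a shell command) beside a hardened view.
Request, sec_middleware_vulnerable, the status file name and the plain 'cat'
command are assumptions standing in for the Django request object, secMiddleware
and the sudo-wrapped command the real view runs."""
import os
import re
import subprocess
import tempfile
from dataclasses import dataclass, field

# Shell metacharacters the (assumed) filter rejects in request bodies.
DANGEROUS = re.compile(r"[;&|`$<>]")


@dataclass
class Request:
    method: str
    body: dict                               # parsed JSON body
    session: dict = field(default_factory=dict)


def sec_middleware_vulnerable(req: Request) -> bool:
    """Rejects metacharacters, but only looks at POST requests."""
    if req.method == "POST":
        for value in req.body.values():
            if DANGEROUS.search(str(value)):
                return True                  # blocked
    return False                             # any other method passes untouched


def upgrademysqlstatus_vulnerable(req: Request):
    """No session check; 'statusfile' is concatenated into a shell command."""
    if sec_middleware_vulnerable(req):
        return 403, ""
    command = "cat " + str(req.body["statusfile"])   # real view runs this as root
    out = subprocess.run(command, shell=True, capture_output=True, text=True)
    return 200, out.stdout


def upgrademysqlstatus_fixed(req: Request, status_dir: str):
    """Authenticate, pin the method, confine the path, and never use a shell."""
    if not req.session.get("userID"):
        return 401, ""
    if req.method != "POST":
        return 405, ""
    base = os.path.realpath(status_dir)
    target = os.path.realpath(os.path.join(base, str(req.body.get("statusfile", ""))))
    if os.path.commonpath([base, target]) != base:   # absolute path or traversal
        return 400, ""
    if not os.path.isfile(target):
        return 404, ""
    out = subprocess.run(["cat", target], capture_output=True, text=True)  # argv, no shell
    return 200, out.stdout


def demo():
    """Exercise both views against a constructed status file; returns the results."""
    status_dir = tempfile.mkdtemp()
    status_path = os.path.join(status_dir, "mysqlUpgradeStatus")
    with open(status_path, "w") as fh:
        fh.write("upgrade complete\n")
    payload = status_path + "; echo INJECTED"        # metacharacter injection
    authed = {"userID": 1}
    return {
        # POST bodies are filtered ...
        "vuln_post": upgrademysqlstatus_vulnerable(Request("POST", {"statusfile": payload})),
        # ... but OPTIONS reaches the view unfiltered and the injected command runs
        "vuln_options": upgrademysqlstatus_vulnerable(Request("OPTIONS", {"statusfile": payload})),
        "fixed_unauth": upgrademysqlstatus_fixed(Request("OPTIONS", {"statusfile": payload}), status_dir),
        "fixed_traversal": upgrademysqlstatus_fixed(
            Request("POST", {"statusfile": "/etc/passwd"}, authed), status_dir),
        "fixed_injection": upgrademysqlstatus_fixed(
            Request("POST", {"statusfile": "mysqlUpgradeStatus; echo INJECTED"}, authed), status_dir),
        "fixed_ok": upgrademysqlstatus_fixed(
            Request("POST", {"statusfile": "mysqlUpgradeStatus"}, authed), status_dir),
    }


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name:16} {status} {body.strip()!r}")
```

The two properties that matter in the fixed view are independent of each other: the session check stops the pre-auth path, and passing an argv list to subprocess without a shell removes the injection sink entirely, so even an authenticated user with a malicious statusfile value only gets a 404. The path confinement is a third layer against a different bug (reading arbitrary files as root) that the original statusfile design would also allow.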

Mass exploitation timeline:

  • October 27, 2024: LeakIX identified active mass scanning and exploitation
  • Within hours: ~22,000 of the ~28,000 internet-exposed CyberPanel instances were compromised
  • PSAUX ransomware (a new ransomware targeting Linux servers) deployed on thousands of compromised servers
  • Attackers also deployed cryptominers and web shells alongside ransomware

Companion CVE-2024-51378: also CyberPanel, also CVSS 10.0, same mechanism (secMiddleware bypass plus shell metacharacters in the statusfile property) in the getresetstatus views reachable at /dns/getresetstatus and /ftp/getresetstatus. Both were exploited in the same campaign and are fixed by the same update.

Discovery

Discovered by security researcher DreyAnd, who coordinated disclosure with the CyberPanel team. The mass exploitation was observed independently by LeakIX through its internet monitoring infrastructure.

Exploitation Context

One of the fastest mass-exploitation events of 2024: from proof-of-concept publication to roughly 22,000 compromised servers within approximately 24 hours. PSAUX ransomware was built for Linux web hosting environments: it encrypted web content, databases and backups on the server and replaced hosted sites with a ransom note. Hosting providers whose only backups lived on the affected server lost customer sites and data with no recovery path.

The attack demonstrates the catastrophic potential of CVSS 10.0 vulnerabilities in widely deployed web infrastructure: a single PoC publication triggered a global, automated attack wave.

Remediation

  1. Upgrade CyberPanel to 2.3.8 immediately. The CISA deadline was November 28, 2024.
  2. Restrict access to the CyberPanel management interface (TCP 8090 by default). The panel should not be reachable from the internet; place it behind a VPN or restrict it to known admin IP addresses.
  3. Verify hosted site integrity: scan all hosted websites for webshell files (.php files containing obfuscated or command-execution code), PSAUX ransomware artifacts, and files modified during the exploitation window.
  4. Restore from clean backups if PSAUX or other ransomware was deployed; encrypted files cannot be recovered without the decryption key.
  5. Apply the companion patch for CVE-2024-51378, which ships in the same update.
  6. Treat any server that was exposed and unpatched during the campaign as compromised until proven otherwise: the vulnerability gave root, so rotate panel, database, FTP and mail credentials and review for persistence (cron entries, added SSH keys, new system users).
  7. Review other CyberPanel endpoints for the same pattern (a view with no session check that relies on secMiddleware's POST-only filtering); the companion CVE shows the weakness is a code pattern, not a one-off.

Key Details

CVE ID: CVE-2024-51567
Vendor / Product: CyberPersons — CyberPanel
NVD Published: 2024-10-29
NVD Last Modified: 2025-11-07
CVSS 3.1 Score: 10.0
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-306
CISA KEV Added: 2024-11-07
CISA KEV Deadline: 2024-11-28
Known Ransomware Use: Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2024-11-28. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2024-10-27  Mass exploitation discovered by LeakIX and security researchers; ~22,000 CyberPanel instances compromised
2024-10-28  Proof-of-concept published on GitHub
2024-10-29  CVE published; CyberPanel releases patch
2024-11-07  CISA adds to KEV
2024-11-28  CISA BOD 22-01 remediation deadline