
WARNING: CRITICAL VULNERABILITIES IN CYBERPANEL ARE UNDER ACTIVE EXPLOITATION TO DELIVER RANSOMWARE

Reference: Advisory #2024-253
Version: 1.0
Affected software: CyberPanel (versions 2.3.6 and 2.3.7)
Type: Remote code execution
CVE/CVSS:

CVE-2024-51378: CVSS 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2024-51567: CVSS 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2024-51568: CVSS 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Risks

In October 2024, CyberPanel addressed three critical vulnerabilities affecting CyberPanel versions 2.3.6 and 2.3.7. Two of them are being actively exploited to deliver PSAUX ransomware.

CyberPanel is an open-source, widely used control panel for managing web hosting and server environments. As of 28 October 2024, an Internet-wide vulnerability scan identified around 22,000 vulnerable instances worldwide.

Exploitation of these vulnerabilities can have a high impact on confidentiality, integrity and availability.

Description

CVE-2024-51378 is a command injection vulnerability in the getresetstatus function in dns/views.py and ftp/views.py in CyberPanel. According to the CVE record, the authentication check (secMiddleware) is only applied to POST requests, so the endpoints can be reached with other HTTP methods, and the statusfile parameter is handed to a shell unsanitised. A remote, unauthenticated attacker can therefore bypass authentication and execute arbitrary commands. CVE-2024-51378 has been exploited in the wild to deploy PSAUX ransomware.

CVE-2024-51567 is the same class of flaw in the upgrademysqlstatus function in databases/views.py in CyberPanel. A remote, unauthenticated attacker can bypass authentication and execute arbitrary commands. CVE-2024-51567 has been exploited in the wild to deploy PSAUX ransomware.

CVE-2024-51568 is a command injection vulnerability in CyberPanel that allows an unauthenticated remote attacker to execute arbitrary commands via shell metacharacters. There is no indication that PSAUX ransomware has exploited this specific vulnerability.
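To make the bug class behind these three CVEs concrete, the following is an added, constructed illustration (not CyberPanel's own code; the function names, the STATUS_DIR location and the file layout are invented for the example). The first view reproduces the two defects the CVE records describe, a login check that only covers POST and a request parameter concatenated into a shell command; the second shows the hardened form a reviewer would ask for: authentication on every method, an allowlisted file name confined to one directory, and no shell between the application and the command it runs.

```python
"""Constructed illustration of the CyberPanel bug class (added example, not
CyberPanel's code): a Django-style status view that shells out with a request
parameter, beside a hardened version. All names here are invented."""
import re
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, Tuple

# Hypothetical directory that status files are expected to live in.
STATUS_DIR = Path(tempfile.gettempdir()) / "cp-status-demo"
# Allowlist for a bare file name: no path separators, no shell metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def vulnerable_getresetstatus(method: str, params: Dict[str, str],
                              authenticated: bool) -> str:
    """Vulnerable pattern: the login check applies to POST only, and the
    statusfile parameter is concatenated into a shell command string."""
    if method == "POST" and not authenticated:
        raise PermissionError("login required")
    statusfile = params.get("statusfile", "")
    # shell=True: ';', '|', '`', '$(...)' inside statusfile are run by /bin/sh.
    out = subprocess.run("cat " + statusfile, shell=True,
                         capture_output=True, text=True)
    return out.stdout


def hardened_getresetstatus(method: str, params: Dict[str, str],
                            authenticated: bool) -> str:
    """Hardened form: authentication on every method, allowlisted file name,
    path confined to STATUS_DIR, and no shell between us and cat."""
    if not authenticated:
        raise PermissionError("login required")
    name = params.get("statusfile", "")
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("invalid statusfile name")
    target = (STATUS_DIR / name).resolve()
    if target.parent != STATUS_DIR.resolve():  # rejects '.' and '..' too
        raise ValueError("statusfile outside status directory")
    out = subprocess.run(["cat", str(target)], shell=False,
                         capture_output=True, text=True)
    return out.stdout


def demo() -> Tuple[str, str]:
    """Send the same unauthenticated GET with a metacharacter payload to both
    views. Returns (output of the vulnerable view, how the hardened one refused)."""
    STATUS_DIR.mkdir(exist_ok=True)
    (STATUS_DIR / "job1.txt").write_text("Completed.\n")
    payload = {"statusfile": "/dev/null; echo INJECTED"}  # harmless demo payload
    injected = vulnerable_getresetstatus("GET", payload, authenticated=False)
    try:
        hardened_getresetstatus("GET", payload, authenticated=False)
        refused = "not refused"
    except (PermissionError, ValueError) as exc:
        refused = type(exc).__name__
    return injected.strip(), refused


if __name__ == "__main__":
    print(demo())  # ('INJECTED', 'PermissionError')
```

The demo payload only runs `echo`, but it reaches the shell through exactly the path a ransomware dropper would use. Note that the hardened version needs both fixes: moving the authentication check alone still leaves an authenticated user with command execution, and fixing the shell call alone still leaves the endpoint open to anyone.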

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing the updates on vulnerable systems with the highest priority, after thorough testing.

CyberPanel urges customers to upgrade to the newest version as soon as possible.

Monitor/Detect

The CCB recommends that organisations scale up their monitoring and detection capabilities to identify any related suspicious activity, so that an intrusion can be responded to swiftly.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident.

Patching appliances or software to the newest version protects against future exploitation, but it does not remediate a compromise that has already taken place. Systems that were exposed while vulnerable should be checked for signs of intrusion.
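Because patching does not undo a compromise that already happened, the access log of the panel is the first place to look. The following is an added detection example (not part of the advisory) that scans web-server access logs for the request pattern behind CVE-2024-51378 and CVE-2024-51567. The URL routes are taken from the CVE records for the views the advisory names; the combined log format and the sample log lines are constructed for the example and must be adapted to the log format your server actually writes.

```python
"""Added detection example, not part of the advisory: flag access-log lines
that match the exploitation pattern of CVE-2024-51378 / CVE-2024-51567.
The log lines in SAMPLE_LOG are constructed for this example."""
import re
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# Routes of the views named in the advisory (getresetstatus in dns/ and ftp/,
# upgrademysqlstatus in databases/), as listed in the CVE records. Lower-cased.
WATCHED_PATHS = {
    "/dns/getresetstatus",
    "/ftp/getresetstatus",
    "/databases/upgrademysqlstatus",
}
# Characters that turn a file name into a command when handed to /bin/sh.
METACHARS = re.compile(r"[;|&`$<>()]")
# Combined log format is assumed here; adjust LOG_RE for your web server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: two suspicious requests, two benign ones.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Oct/2024:03:14:07 +0000] "OPTIONS /dns/getresetstatus HTTP/1.1" 200 412 "-" "python-requests/2.31"',
    '198.51.100.7 - - [28/Oct/2024:03:14:09 +0000] "GET /dataBases/upgrademysqlstatus?statusfile=/dev/null;id HTTP/1.1" 200 98 "-" "curl/8.4.0"',
    '192.0.2.10 - - [28/Oct/2024:08:00:01 +0000] "POST /ftp/getresetstatus HTTP/1.1" 200 61 "https://panel.example/ftp" "Mozilla/5.0"',
    '192.0.2.10 - - [28/Oct/2024:08:00:02 +0000] "GET /base/getSystemStatus HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]


def classify(line: str) -> Dict[str, str]:
    """Return a finding for a suspicious line, or an empty dict if benign."""
    m = LOG_RE.match(line)
    if not m:
        return {}
    url = urlsplit(m["target"])
    if url.path.lower() not in WATCHED_PATHS:
        return {}
    reasons = []
    # secMiddleware only validates POST requests (per the CVE records), so any
    # other method reaching these views skipped the login check entirely.
    if m["method"] != "POST":
        reasons.append("non-POST method bypasses secMiddleware")
    # Exploit tooling usually puts statusfile in the body, which is not logged,
    # but a metacharacter in the query string is a strong signal when present.
    if METACHARS.search(unquote(url.query)):
        reasons.append("shell metacharacters in query string")
    if not reasons:
        return {}
    return {
        "ip": m["ip"],
        "time": m["ts"],
        "method": m["method"],
        "path": url.path,
        "status": m["status"],
        "reason": "; ".join(reasons),
    }


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over every line and keep only the findings."""
    return [finding for finding in map(classify, lines) if finding]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Two points for triage. First, the method is the reliable signal: the panel's own front end submits these status calls with POST, and the request body carrying the injected statusfile value never appears in an access log, so a GET or OPTIONS hit on these paths from an unexpected source is enough to justify a host-level investigation of that server. Second, a 200 status on such a request does not mean the attempt failed; the vulnerable views answer normally while the injected command runs.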
