CVE-2024-51378 is a critical remote code execution (RCE) vulnerability affecting CyberPanel, a popular web hosting control panel. The flaw exists in the getresetstatus function within dns/views.py and ftp/views.py. The vulnerability stems from the secMiddleware authentication mechanism, which only enforces authentication on POST requests. However, the vulnerable endpoints /dns/getresetstatus and /ftp/getresetstatus accept GET requests that bypass this middleware, allowing unauthenticated access. Attackers exploit this by injecting shell metacharacters into the statusfile parameter, which is used unsafely in system commands, leading to arbitrary command execution on the server. This vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The issue affects all CyberPanel versions up to 2.3.6 and the unpatched 2.3.7 version. The CVSS v3.1 score is 10.0, reflecting its criticality with attack vector network, no privileges required, no user interaction, and complete impact on confidentiality, integrity, and availability. Exploitation in the wild was observed in October 2024 by the PSAUX threat actor. No official patches or mitigations were linked at the time of publication, increasing urgency for organizations to apply workarounds or restrict access to vulnerable endpoints.

The impact of CVE-2024-51378 is severe and far-reaching. Successful exploitation allows remote attackers to execute arbitrary commands on CyberPanel servers without authentication, leading to full system compromise. This can result in data theft, service disruption, deployment of malware or ransomware, and use of compromised servers as pivot points for further attacks within organizational networks. Given CyberPanel's role in managing DNS and FTP services, attackers could manipulate domain configurations or file transfers, undermining the integrity and availability of critical infrastructure. The vulnerability’s ease of exploitation and lack of required privileges make it highly attractive to attackers. Organizations worldwide using CyberPanel in hosting environments, especially those exposing management interfaces to the internet, face significant operational, reputational, and financial risks.

To mitigate CVE-2024-51378, organizations should immediately restrict external access to the /dns/getresetstatus and /ftp/getresetstatus endpoints by implementing network-level controls such as firewall rules or IP whitelisting. Disable or restrict GET requests to these endpoints if possible. Monitor web server logs for suspicious requests containing shell metacharacters or unusual statusfile parameter values. If feasible, apply custom middleware or web application firewall (WAF) rules to block exploitation attempts targeting these endpoints. Until an official patch is released, consider isolating CyberPanel management interfaces from public networks or using VPNs for administrative access. Regularly update CyberPanel to the latest version once patches addressing this vulnerability become available. Conduct thorough audits of affected systems for signs of compromise and review user access controls to limit potential damage.