CVE-2024-51378: n/a
getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
AI Analysis
Technical Summary
CVE-2024-51378 is a critical command injection vulnerability affecting CyberPanel, an open-source web hosting control panel widely used for managing DNS and FTP services. The vulnerability exists in the getresetstatus function within dns/views.py and ftp/views.py. The root cause is that the secMiddleware, which is intended to protect these endpoints, only enforces authentication for POST requests. However, the vulnerable endpoints accept GET requests, allowing attackers to bypass authentication by sending crafted GET requests to /dns/getresetstatus or /ftp/getresetstatus. Furthermore, the statusfile parameter is vulnerable to shell metacharacter injection, enabling attackers to execute arbitrary shell commands on the underlying system. This vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command). Exploitation requires no authentication or user interaction and can be performed remotely over the network. The vulnerability affects CyberPanel versions through 2.3.6 and the unpatched 2.3.7 release. Although no official patches are linked yet, the vulnerability was publicly disclosed on October 29, 2024, with confirmed exploitation in the wild by the PSAUX threat actor. The vulnerability’s CVSS v3.1 score is 10.0 (critical), reflecting its high impact on confidentiality, integrity, and availability, combined with ease of exploitation and no required privileges.
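A simplified model of the two flaws described above, beside their corrected forms. This is an added illustration, not CyberPanel source code: the function names, the `/srv/panel/status` directory and the sample value are assumptions made for the example.

```python
from pathlib import PurePosixPath

# Assumed status-file directory for this illustration (not a CyberPanel path).
STATUS_DIR = PurePosixPath("/srv/panel/status")
SHELL_META = set(";&|`$(){}<>\\'\"\n ")

def has_meta(fields):
    """True if any submitted value contains a shell metacharacter."""
    return any(SHELL_META & set(str(v)) for v in fields.values())

def weak_gate(method, authenticated, fields):
    """Flawed pattern: session and input checks run only for POST."""
    if method == "POST":
        if not authenticated or has_meta(fields):
            return False
    return True  # any other method reaches the view unchecked

def strict_gate(method, authenticated, fields):
    """Corrected pattern: nothing but an authenticated, clean POST passes."""
    return method == "POST" and authenticated and not has_meta(fields)

def weak_command(statusfile):
    """Flawed pattern: untrusted text concatenated into a shell command line."""
    return "cat " + statusfile

def safe_argv(statusfile):
    """Corrected pattern: validate the path, then build an argv list (no shell)."""
    path = PurePosixPath(statusfile)
    if SHELL_META & set(statusfile) or ".." in path.parts:
        raise ValueError("invalid characters in statusfile")
    if STATUS_DIR not in path.parents:
        raise ValueError("statusfile outside the status directory")
    return ["cat", str(path)]  # for subprocess.run(argv), never shell=True

# Constructed input: a status path followed by a second, harmless command.
SAMPLE = {"statusfile": "/srv/panel/status/reset.log; echo marker"}

if __name__ == "__main__":
    print("weak gate, unauthenticated GET:  ", weak_gate("GET", False, SAMPLE))
    print("strict gate, unauthenticated GET:", strict_gate("GET", False, SAMPLE))
    print("weak command line:", weak_command(SAMPLE["statusfile"]))
    try:
        safe_argv(SAMPLE["statusfile"])
    except ValueError as exc:
        print("hardened handler rejects it:", exc)
```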
Potential Impact
For European organizations, the impact of CVE-2024-51378 is severe. CyberPanel is commonly used by hosting providers, web administrators, and enterprises to manage DNS and FTP services. Successful exploitation allows attackers to execute arbitrary commands remotely without authentication, potentially leading to full system compromise. This can result in data theft, service disruption, defacement, ransomware deployment, or use of compromised servers as pivot points for further attacks. Organizations with public-facing CyberPanel installations are especially vulnerable. The breach of DNS management could allow attackers to manipulate domain records, redirect traffic, or intercept sensitive communications. FTP service compromise could expose sensitive files or credentials. Given the critical nature of the vulnerability and active exploitation, European entities relying on CyberPanel for critical infrastructure or customer-facing services face significant operational, reputational, and regulatory risks, including GDPR compliance issues if personal data is exposed.
Mitigation Recommendations
1. Immediate action should be to upgrade CyberPanel to a patched version once available. Monitor official CyberPanel channels for security updates addressing CVE-2024-51378.
2. Until patches are released, restrict access to the /dns/getresetstatus and /ftp/getresetstatus endpoints using network-level controls such as firewall rules or IP whitelisting to trusted administrators only.
3. Implement web application firewall (WAF) rules to detect and block requests containing suspicious shell metacharacters or unusual query parameters targeting these endpoints.
4. Disable or limit the use of the affected endpoints if possible, or configure CyberPanel to reject GET requests on these paths, enforcing POST-only access as intended.
5. Conduct thorough audits of CyberPanel logs for indicators of compromise or exploitation attempts, focusing on unusual GET requests to the vulnerable endpoints.
6. Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect command injection patterns.
7. Educate system administrators about the risk and ensure strong operational security practices, including regular backups and incident response readiness.
8. Consider isolating CyberPanel management interfaces from the public internet by placing them behind VPNs or jump hosts.
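One way to carry out the log audit in the recommendations above, as an added example that is not part of the original analysis or of CyberPanel. It assumes the web server writes common/combined-format access logs; the function name and the sample lines are constructed for the illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

ENDPOINTS = {"/dns/getresetstatus", "/ftp/getresetstatus"}
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n]")
# Assumed layout: common/combined access-log format.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def audit(lines):
    """Return one finding per suspicious request to the affected endpoints."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path.rstrip("/") not in ENDPOINTS:
            continue
        reasons = []
        if m["method"] != "POST":
            # Bodies are not logged, so the method itself is the main signal.
            reasons.append("non-POST method " + m["method"])
        values = [v for _, v in parse_qsl(url.query, keep_blank_values=True)]
        if any(SHELL_META.search(v) for v in values):
            reasons.append("shell metacharacter in query value")
        if reasons:
            findings.append({"line": lineno, "ip": m["ip"], "time": m["ts"],
                             "status": int(m["status"]), "reasons": reasons})
    return findings

# Constructed log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Oct/2024:10:01:02 +0000] "GET /dns/getresetstatus HTTP/1.1" 200 52',
    '192.0.2.10 - - [29/Oct/2024:10:02:00 +0000] "POST /ftp/getresetstatus HTTP/1.1" 200 48',
    '198.51.100.4 - - [29/Oct/2024:10:03:00 +0000] "GET /ftp/getresetstatus?statusfile=%2Ftmp%2Fs%3Becho%20x HTTP/1.1" 200 60',
    '192.0.2.10 - - [29/Oct/2024:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f)
```

A hit with a 2xx status from an address outside the administrator range is the case to escalate first; POST requests still need separate review because their bodies do not appear in access logs.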
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-10-28T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68f7d9b6247d717aace26c22
Added to database: 10/21/2025, 7:06:30 PM
Last enriched: 10/21/2025, 7:24:33 PM
Last updated: 10/30/2025, 1:40:07 AM