CVE-2024-51567 is a critical vulnerability found in CyberPanel, a popular web hosting control panel, specifically in the upgrademysqlstatus function located in databases/views.py. The flaw arises because the secMiddleware, designed to protect the /dataBases/upgrademysqlstatus endpoint, only enforces authentication on POST requests. However, attackers can bypass this by sending non-POST requests, thereby circumventing the middleware. Furthermore, the vulnerability allows injection of shell metacharacters through the statusfile parameter, enabling remote attackers to execute arbitrary commands on the underlying operating system without any authentication or user interaction. This results in a complete compromise of the affected server, impacting confidentiality, integrity, and availability. The vulnerability affects CyberPanel versions through 2.3.6 and the unpatched 2.3.7. Although no official patches have been released at the time of publication, exploitation has been observed in the wild since October 2024, attributed to the PSAUX threat actor. The CVSS v3.1 base score is 10.0, reflecting the ease of exploitation (network vector, no privileges required), the critical impact on all security properties, and the scope change due to potential lateral movement within networks. The CWE classification is CWE-306 (Missing Authentication for Critical Function), highlighting the root cause as inadequate authentication enforcement. This vulnerability is particularly dangerous because it allows unauthenticated remote attackers to gain full control over CyberPanel servers, which often manage web hosting environments and databases, making it a high-value target for attackers.

For European organizations, the impact of CVE-2024-51567 is severe. CyberPanel is widely used for managing web hosting and database services, often in small to medium enterprises and some larger hosting providers. Successful exploitation leads to full system compromise, allowing attackers to steal sensitive data, deploy ransomware, pivot within networks, or disrupt services. This can result in significant data breaches, operational downtime, and reputational damage. Critical sectors such as finance, healthcare, and government entities using CyberPanel for hosting internal or customer-facing applications are at heightened risk. Additionally, the vulnerability's ease of exploitation and lack of authentication requirements increase the likelihood of automated mass scanning and exploitation campaigns targeting European IP ranges. The potential for lateral movement within compromised networks could also threaten supply chains and interconnected systems. Given the criticality and public exposure of many CyberPanel instances, the threat poses a substantial risk to European digital infrastructure and data privacy compliance obligations under GDPR.

Since no official patches are currently available, European organizations should implement immediate compensating controls. First, restrict network access to the /dataBases/upgrademysqlstatus endpoint by implementing firewall rules or web application firewall (WAF) policies that block all non-POST requests or requests to this path from untrusted sources. Second, apply strict input validation and sanitization on the statusfile parameter if custom modifications are possible. Third, monitor logs for unusual access patterns or command execution attempts related to this endpoint. Fourth, consider temporarily disabling or isolating CyberPanel instances exposed to the internet until patches are released. Fifth, conduct thorough audits of all CyberPanel servers to detect signs of compromise, including unexpected processes, new user accounts, or altered configurations. Finally, maintain up-to-date backups and prepare incident response plans tailored to potential ransomware or data exfiltration scenarios stemming from this vulnerability. Organizations should also subscribe to CyberPanel security advisories and apply official patches immediately upon release.