CyberPanel RCE (CVE-2024-51567/CVE-2024-51568/CVE-2024-51378)
Description
CyberPanel versions prior to 2.3.7 contain multiple critical vulnerabilities that can be chained together to achieve unauthenticated remote code execution. The attack begins with an authentication bypass (CVE-2024-51567) that allows attackers to access administrative functionality without credentials. This bypass can then be leveraged to exploit command injection vulnerabilities (CVE-2024-51568, CVE-2024-51378) in the DNS and upgrade modules, enabling arbitrary code execution with root privileges on the underlying server.
Remediation
1. Immediately upgrade CyberPanel to version 2.3.7 or later, which addresses all three CVEs. Run the following command as root to upgrade:
sh <(curl https://cyberpanel.net/install.sh || wget -O - https://cyberpanel.net/install.sh)
2. If immediate upgrading is not possible, temporarily restrict access to the CyberPanel web interface (ports 8090 and 7080) using firewall rules to allow only trusted IP addresses.
3. After upgrading, review the system logs in /var/log/ for suspicious activity, particularly unauthorized access attempts or unexpected command executions.
4. Rotate all administrative credentials and API keys as a precautionary measure.
5. Conduct a security audit of all hosted websites and databases to ensure no unauthorized modifications were made.
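
One way to implement the temporary restriction in step 2 is an nftables allowlist for ports 8090 and 7080. This is an added example, not part of the original advisory or of CyberPanel; the table name cyberpanel_guard, the function names and the sample addresses (documentation ranges) are assumptions.

```shell
#!/bin/sh
# Added example: nftables allowlist for the CyberPanel ports in step 2.
# Table name and sample addresses are assumptions, not from the advisory.
PANEL_PORTS="8090, 7080"

# Succeed only for a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_cidr() {
    addr=${1%%/*}
    case $1 in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split into octets (digits and dots only here)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the ruleset; reject an empty or malformed allowlist so a typo cannot
# yield rules that lock out every administrator or smuggle in extra syntax.
panel_allowlist_ruleset() {
    [ "$#" -gt 0 ] || { echo "error: no trusted addresses" >&2; return 2; }
    elements=
    for cidr in "$@"; do
        valid_ipv4_cidr "$cidr" || { echo "error: bad address: $cidr" >&2; return 2; }
        elements="${elements:+$elements, }$cidr"
    done
    cat <<EOF
table inet cyberpanel_guard
delete table inet cyberpanel_guard
table inet cyberpanel_guard {
    chain input {
        type filter hook input priority -10; policy accept;
        iif "lo" accept
        tcp dport { $PANEL_PORTS } ip saddr { $elements } accept
        tcp dport { $PANEL_PORTS } drop
    }
}
EOF
}

# Preview with constructed documentation-range addresses; to load the rules,
# pipe the output to `nft -f -` as root after substituting real admin IPs.
panel_allowlist_ruleset 203.0.113.0/24 198.51.100.7
```

The drop rule also covers IPv6 clients, since only IPv4 sources are allowlisted. Once the upgrade is complete, `nft delete table inet cyberpanel_guard` removes the restriction.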