U.S. CISA adds CyberPanel flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds CyberPanel flaw to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CyberPanel flaw CVE-2024-51378 (CVSS score: 10.0) to its Known Exploited Vulnerabilities (KEV) catalog.

The flaw lies in the getresetstatus handlers in dns/views.py and ftp/views.py of CyberPanel builds that predate commit 1c0c6cb. CyberPanel's secMiddleware screens incoming requests for unsafe input, but only when the request method is POST, so a request sent to /dns/getresetstatus or /ftp/getresetstatus with any other method reaches the handler unscreened and without authentication. The handler then passes the attacker-controlled statusfile property into a shell command, and shell metacharacters in that value allow arbitrary command execution.

“getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX,” reads the advisory.
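To make the two defects concrete, the following is an added example written for this page, not CyberPanel's own code: a pure-Python model of a security middleware that screens only POST requests, placed next to a handler that splices the statusfile parameter into a shell command, followed by a hardened variant that screens every method and never builds a shell string. The Request class, the STATUS_DIR path, the cat command and the use of OPTIONS as the bypass method are assumptions for illustration; the sample request values are constructed.

```python
import re
from dataclasses import dataclass, field

# Shell metacharacters that must never reach a command line.
SHELL_META = re.compile(r"[;&|`$<>(){}\[\]\\\n\r'\"]")


class Blocked(Exception):
    """Raised when the middleware rejects a request."""


@dataclass
class Request:
    """Minimal stand-in for a web framework request object (constructed for this example)."""
    method: str
    path: str
    params: dict = field(default_factory=dict)


# ---- vulnerable pattern: screening tied to a single HTTP method ----

def middleware_post_only(request):
    """Screens parameters only when the method is POST.

    Any other method (GET, PUT, OPTIONS, ...) is handed straight to the
    handler, which is the class of bypass the advisory describes.
    """
    if request.method == "POST":
        for value in request.params.values():
            if SHELL_META.search(str(value)):
                raise Blocked("shell metacharacters in request")
    return request


def getresetstatus_vulnerable(request):
    """Returns the command line a shell would run; the parameter is spliced in verbatim.

    The command itself ('cat <statusfile>') is an assumption for illustration.
    """
    statusfile = request.params.get("statusfile", "")
    return f"cat {statusfile}"


# ---- hardened pattern: screen every method, never build a shell string ----

STATUS_DIR = "/var/lib/example-panel/status/"   # hypothetical location
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def middleware_all_methods(request):
    """Rejects unexpected methods first, then screens parameters on every request."""
    if request.method != "POST":
        raise Blocked(f"method {request.method} not allowed")
    for value in request.params.values():
        if SHELL_META.search(str(value)):
            raise Blocked("shell metacharacters in request")
    return request


def getresetstatus_hardened(request):
    """Accepts only a plain file name and returns an argv list (no shell involved)."""
    name = request.params.get("statusfile", "")
    if not SAFE_NAME.fullmatch(name) or name in (".", ".."):
        raise ValueError("invalid status file name")
    return ["cat", STATUS_DIR + name]


def run_scenarios():
    """Runs the same malicious request through both pipelines and reports the outcome."""
    evil = {"statusfile": "/etc/passwd; id"}   # constructed payload with a metacharacter
    results = {}

    # Vulnerable: the POST is caught, but the same payload via OPTIONS slips through.
    try:
        middleware_post_only(Request("POST", "/dns/getresetstatus", evil))
        results["vuln_post"] = "passed"
    except Blocked:
        results["vuln_post"] = "blocked"
    req = middleware_post_only(Request("OPTIONS", "/dns/getresetstatus", evil))
    results["vuln_options_cmd"] = getresetstatus_vulnerable(req)

    # Hardened: non-POST is refused, metacharacters never reach the handler,
    # and a clean request yields an argv list instead of a shell string.
    try:
        middleware_all_methods(Request("OPTIONS", "/dns/getresetstatus", evil))
        results["hard_options"] = "passed"
    except Blocked:
        results["hard_options"] = "blocked"
    try:
        middleware_all_methods(Request("POST", "/dns/getresetstatus", evil))
        results["hard_post_evil"] = "passed"
    except Blocked:
        results["hard_post_evil"] = "blocked"
    clean = middleware_all_methods(
        Request("POST", "/dns/getresetstatus", {"statusfile": "reset.status"}))
    results["hard_post_clean_argv"] = getresetstatus_hardened(clean)
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The point of the model is that the two defects compound: method-scoped screening is only a bypass if a handler downstream trusts the screened input, and shell interpolation is only exploitable if unsafe input reaches it. In a Django application the equivalent fixes are a method restriction on the view (for example Django's require_POST decorator) together with running the command through subprocess.run with an argv list rather than a shell string.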

The vulnerability affects all CyberPanel versions up to and including 2.3.6, as well as 2.3.7 builds that do not include the fixing commit.

The vulnerability was exploited in a large-scale campaign that targeted more than 22,000 internet-exposed CyberPanel instances in order to deploy the PSAUX ransomware.

“the threat intel search engine LeakIX reported that 21,761 vulnerable CyberPanel instances were exposed online, and nearly half (10,170) were in the United States,” reported Bleeping Computer. “LeakIX has now told BleepingComputer that threat actors mass-exploited the exposed CyberPanel servers to install the PSAUX ransomware.”

The PSAUX ransomware operation has been active since June 2024; its operators exploit vulnerabilities and misconfigurations in exposed web servers to carry out attacks.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by December 25, 2024.


Pierluigi Paganini

(SecurityAffairs – hacking, CISA Known Exploited Vulnerabilities catalog)