CVE-2024-51378

CRITICAL KEV RANSOMWARE NUCLEI

CyberPanel < 2.3.8 - Unauthenticated OS Command Injection via DNS/FTP getresetstatus Endpoint

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2024-51378 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added December 4, 2024, with confirmed use in ransomware campaigns. EIP tracks 5 public exploits from researchers including Luka Petrovic (refr4g), refr4g, rimbadirgantara, including a Metasploit module exploits/unix/webapp/cyberpanel_preauth_rce_multi_cve. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit leverages a command injection vulnerability in CyberPanel versions 2.3.5 to 2.3.7 (pre-patch) via the '/ftp/getresetstatus' or '/dns/getresetstatus' endpoints. It bypasses CSRF protection and injects commands into the 'statusfile' parameter.

Description

getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.

Exploits (5)

exploitdb WORKING POC
by Luka Petrovic (refr4g) · pythonwebappsmultiple
https://www.exploit-db.com/exploits/52172

This exploit leverages a command injection vulnerability in CyberPanel versions 2.3.5 to 2.3.7 (pre-patch) via the '/ftp/getresetstatus' or '/dns/getresetstatus' endpoints. It bypasses CSRF protection and injects commands into the 'statusfile' parameter.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: CyberPanel 2.3.5, 2.3.6, 2.3.7 (before patch)
No auth needed
Prerequisites: Target must be running vulnerable CyberPanel version · Endpoint must be accessible
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 22 stars
by refr4g · remote
https://github.com/refr4g/CVE-2024-51378

This is a functional exploit for CVE-2024-51378, a command injection vulnerability in CyberPanel. It leverages crafted OPTIONS requests to vulnerable endpoints to achieve unauthenticated remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: CyberPanel v2.3.5, v2.3.6, v2.3.7 (before patch)
No auth needed
Prerequisites: Network access to the CyberPanel interface
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by rimbadirgantara · remote
https://github.com/rimbadirgantara/CVE-2024-51378

This repository contains a functional exploit for CVE-2024-51378, targeting CyberPanel versions up to 2.3.7. The exploit leverages a Remote Code Execution (RCE) vulnerability via CSRF token manipulation and endpoint injection, allowing arbitrary command execution or SSH key deployment.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: CyberPanel <= 2.3.7
No auth needed
Prerequisites: Network access to vulnerable CyberPanel instance · Valid target list file
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by qnole000 · poc
https://github.com/qnole000/CVE-2024-51378

The repository contains a working PoC for CVE-2024-51378, demonstrating command injection via OPTIONS requests to specific endpoints in CyberPanel. It includes scripts for exploitation and scanning vulnerable hosts.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: CyberPanel
No auth needed
Prerequisites: Network access to the target · Open port 8090 on the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by DreyAnd, Valentin Lobstein, Luka Petrovic (refr4g) · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/cyberpanel_preauth_rce_multi_cve.rb

This Metasploit module exploits three separate unauthenticated Remote Code Execution vulnerabilities in CyberPanel (CVE-2024-51567, CVE-2024-51568, CVE-2024-51378) via command injection in different endpoints. It includes detection, vulnerability testing, and payload execution capabilities.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: CyberPanel (versions affected by CVE-2024-51567, CVE-2024-51568, CVE-2024-51378)
No auth needed
Prerequisites: Network access to the target's CyberPanel interface (default port 8090) · Vulnerable version of CyberPanel
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

CyberPanel - Command Injection
CRITICALVERIFIEDby ritikchaddha
Shodan: html:"CyberPanel"
FOFA: app="CyberPanel"

References (8)

Core 8

Scores

CVSS v3 10.0
EPSS 0.9385
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2024-12-04
VulnCheck KEV 2024-10-26
InTheWild.io 2024-10-29
ENISA EUVD EUVD-2024-45807
Ransomware Use Confirmed
CWE
CWE-78
Status published
Products (1)
cyberpanel/cyberpanel < 2.3.8
Published Oct 29, 2024
KEV Added Dec 04, 2024
Tracked Since Feb 18, 2026