CVE-2024-51567

CRITICAL KEV RANSOMWARE NUCLEI

CyberPanel Multi CVE Pre-auth RCE

Title source: metasploit

Exploitation Summary

CVE-2024-51567 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 7, 2024, with confirmed use in ransomware campaigns. EIP tracks 4 public exploits, from authors including ajayalf, thehash007 and KKDT12138, as well as a Metasploit module, exploits/unix/webapp/cyberpanel_preauth_rce_multi_cve. A Nuclei detection template is also available.

AI-analyzed exploit summary: This is a functional Python exploit for CVE-2024-51567, a command injection vulnerability in CyberPanel's `upgrademysqlstatus` endpoint. It bypasses CSRF protections to achieve remote code execution (RCE) via shell metacharacters in the `statusfile` parameter.

Description

upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.

Exploits (4)

nomisec WORKING POC 5 stars
by ajayalf · remote
https://github.com/ajayalf/CVE-2024-51567

This is a functional Python exploit for CVE-2024-51567, a command injection vulnerability in CyberPanel's `upgrademysqlstatus` endpoint. It bypasses CSRF protections to achieve remote code execution (RCE) via shell metacharacters in the `statusfile` parameter.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: CyberPanel through versions 2.3.6 and 2.3.7 (unpatched)
No auth needed
Prerequisites: Python 3 · httpx module · Target server running vulnerable CyberPanel version
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by thehash007 · remote
https://github.com/thehash007/CVE-2024-51567-RCE-EXPLOIT

This exploit leverages a command injection vulnerability in CyberPanel's database upgrade endpoint by manipulating the 'statusfile' parameter. It bypasses CSRF protection and executes arbitrary commands via a crafted JSON payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: CyberPanel (version not specified)
No auth needed
Prerequisites: Network access to the target CyberPanel instance · Python environment with httpx library
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by KKDT12138 · poc
https://github.com/KKDT12138/cve-2024-51567-poc

This PoC exploits a command injection vulnerability in CyberPanel versions 2.3.6 and 2.3.7 by bypassing CSRF protection and injecting commands via the 'statusfile' parameter in the 'upgrademysqlstatus' endpoint. It includes an interactive shell for command execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: CyberPanel 2.3.6 and 2.3.7
No auth needed
Prerequisites: Target must be running vulnerable CyberPanel version · Network access to the target
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by DreyAnd, Valentin Lobstein, Luka Petrovic (refr4g) · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/cyberpanel_preauth_rce_multi_cve.rb

This Metasploit module exploits three unauthenticated RCE vulnerabilities in CyberPanel (CVE-2024-51567, CVE-2024-51568, CVE-2024-51378) via command injection in different endpoints. It includes detection logic, CSRF token handling, and payload execution for Unix/Linux targets.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: CyberPanel (versions affected by CVE-2024-51567, CVE-2024-51568, CVE-2024-51378)
No auth needed
Prerequisites: Network access to CyberPanel's web interface (port 8090 by default) · SSL/TLS support (default configuration)
devstral-2 · analyzed Jun 05, 2026

Nuclei Templates (1)

CyberPanel v2.3.6 Pre-Auth Remote Code Execution
CRITICAL · VERIFIED · by DhiyaneshDK
Shodan: html:"CyberPanel"

Scores

CVSS v3 10.0
EPSS 0.9431
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2024-11-07
VulnCheck KEV 2024-10-29
InTheWild.io 2024-10-29
ENISA EUVD EUVD-2024-45733
Ransomware Use Confirmed
CWE CWE-306
Status published
Products (1)
cyberpanel/cyberpanel < 2.3.8
Published Oct 29, 2024
KEV Added Nov 07, 2024
Tracked Since Feb 18, 2026