CVE-2024-51568

CRITICAL EXPLOITED RANSOMWARE NUCLEI

CyberPanel <2.3.5 - Command Injection

Exploitation Summary

CVE-2024-51568 has been observed exploited in the wild (reported by VulnCheck KEV), including in ransomware campaigns. EIP tracks 2 public exploits from researchers including jsnv-dev, DreyAnd, Valentin Lobstein, and Luka Petrovic (refr4g); one of them is the Metasploit module exploits/unix/webapp/cyberpanel_preauth_rce_multi_cve. A Nuclei detection template is also available.

Description

CyberPanel (aka Cyber Panel) before 2.3.5 allows Command Injection via completePath in the ProcessUtilities.outputExecutioner() sink. There is /filemanager/upload (aka File Manager upload) unauthenticated remote code execution via shell metacharacters.

Exploits (2)

nomisec WORKING POC 1 stars
by jsnv-dev · remote
https://github.com/jsnv-dev/CVE-2024-51568---CyberPanel-Command-Injection-Nuclei-Template

This repository provides a Nuclei template and proof-of-concept environment for CVE-2024-51568, a critical pre-authentication command injection vulnerability in CyberPanel v2.3.4. The exploit targets the `/filemanager/upload` endpoint via the `completePath` parameter, enabling remote code execution with root privileges.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: CyberPanel v2.3.4
No auth needed
Prerequisites: Access to the target's `/filemanager/upload` endpoint · Nuclei installed for template execution
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by DreyAnd, Valentin Lobstein, Luka Petrovic (refr4g) · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/cyberpanel_preauth_rce_multi_cve.rb

This Metasploit module exploits three unauthenticated RCE vulnerabilities in CyberPanel (CVE-2024-51567, CVE-2024-51568, CVE-2024-51378) via command injection in different endpoints. It includes detection logic, CSRF token handling, and payload execution for Unix/Linux targets.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: CyberPanel (versions affected by CVE-2024-51567, CVE-2024-51568, CVE-2024-51378)
No auth needed
Prerequisites: Network access to CyberPanel instance (default port 8090) · SSL enabled by default
devstral-2 · analyzed Jun 05, 2026

Nuclei Templates (1)

CyberPanel - Command Injection
CRITICAL · VERIFIED · by s4e-io
Shodan: http.html:"login to your cyberpanel account"

Scores

CVSS v3 10.0
EPSS 0.4568
EPSS Percentile 98.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV: 2024-10-29
Ransomware Use: Confirmed
CWE: CWE-78
Status: published
Products (1): cyberpanel/cyberpanel < 2.3.5
Published: Oct 29, 2024
Tracked Since: Feb 18, 2026