CVE-2024-51567 — AI Deep Analysis Summary

🚨 **Essence**: Critical Remote Code Execution (RCE) in CyberPanel. 📉 **Consequences**: Attackers gain full control over the server, leading to data theft, ransomware deployment, or system destruction.…

🛡️ **Root Cause**: Command Injection + CSRF Bypass. 💥 **Flaw**: The `upgrademysqlstatus` endpoint in `databases/views.py` fails to properly sanitize the `statusfile` parameter.…

🎯 **Affected**: CyberPanel versions **v2.3.6** and **v2.3.7** (unpatched). 📦 **Component**: The `upgrademysqlstatus` API endpoint. If you are running these versions, you are in the danger zone!

💀 **Privileges**: Remote attackers can execute **arbitrary commands** with the privileges of the web server process.…

⚡ **Threshold**: Extremely Low. 🔓 **Auth**: No authentication required (Pre-Auth). 🌐 **Network**: Accessible over the network (AV:N). You don’t even need a password to trigger this exploit!

🔥 **Exploit Status**: YES, Public PoCs exist on GitHub. 🌍 **Wild Exploitation**: Actively exploited in the wild by the **PSAUX** ransomware group targeting ~22,000 instances. Do not wait!

🔍 **Self-Check**: Scan for the endpoint `/dataBases/upgrademysqlstatus`. Use Nuclei templates or the provided Python PoCs to test if the CSRF token bypass works.…

🛠️ **Fix**: Upgrade to a version **after** commit `5b08cd6`. The vendor has acknowledged the issue. Check the official CyberPanel changelogs for the patched release. Immediate update is non-negotiable.

🚧 **Workaround**: If you can't patch immediately, **block external access** to the `/dataBases/` directory via WAF or firewall rules. Disable the endpoint if possible. This is a temporary band-aid, not a cure!

🚨 **Urgency**: CRITICAL (Priority 1). ⏳ **Time**: Act NOW. With active ransomware campaigns exploiting this, every minute counts. Patch immediately or isolate the server to prevent catastrophic data loss.