Unrated severityCISA KEVNVD Advisory· Published Oct 29, 2024· Updated Oct 21, 2025

CVE-2024-51378

Description

getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.

Affected products

CyberPanel/CyberPaneldescription

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

cwe.mitre.org/data/definitions/420.htmlmitre
cwe.mitre.org/data/definitions/78.htmlmitre
cyberpanel.net/KnowledgeBase/home/change-logs/mitre
cyberpanel.net/blog/detials-and-fix-of-recent-security-issue-and-patch-of-cyberpanelmitre
github.com/usmannasir/cyberpanel/commit/1c0c6cbcf71abe573da0b5fddfb9603e7477f683mitre
refr4g.github.io/posts/cyberpanel-command-injection-vulnerability/mitre
www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.075
exploit	0.030
kev	0.120
patch	0.000
ransomware	0.060