U.S. CISA adds CyberPanel flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds CyberPanel flaw to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CyberPanel flaw [CVE-2024-51378](https://www.cve.org/CVERecord?id=CVE-2024-51378) (CVSS score: 10.0) to its [Known Exploited Vulnerabilities (KEV) catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog).

The **`getresetstatus` vulnerability** in **CyberPanel** (before commit `1c0c6cb`) affects **`dns/views.py`** and **`ftp/views.py`**. Remote attackers could bypass authentication and execute arbitrary commands by exploiting a flaw in **`secMiddleware`**, which only validates POST requests. Attackers can manipulate the **`statusfile`** property with shell metacharacters.

‘getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX,’ [reads the advisory](https://www.cve.org/CVERecord?id=CVE-2024-51378).

This vulnerability impacts versions up to 2.3.6 and the unpatched 2.3.7.

The vulnerability was exploited in a large-scale hacking campaign that targeted more than 22,000 CyberPanel instances. The attack aimed at deploying the PSAUX ransomware.

*‘The threat intel search engine [LeakIX reported](https://x.com/leak_ix/status/1850908887668465828) that 21,761 vulnerable CyberPanel instances were exposed online, and nearly half (10,170) were in the United States,’ [reported](https://www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/) Bleeping Computer. ‘LeakIX has now told BleepingComputer that threat actors mass-exploited the exposed CyberPanel servers to install the [PSAUX ransomware](https://www.bleepingcomputer.com/forums/t/799728/psauxeject/).’*

The PSAUX ransomware operation has been active since June 2024; the threat actors exploit vulnerabilities and misconfigurations in exposed web servers to carry out attacks.

According to [Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](https://cyber.dhs.gov/bod/22-01/), FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the [Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by December 25, 2024.

[**Pierluigi Paganini**](http://www.linkedin.com/pub/pierluigi-paganini/b/742/559)

**(** [**SecurityAffairs**](http://securityaffairs.co/wordpress/) **–** **hacking, CISA [Known Exploited Vulnerabilities catalog](https://securityaffairs.com/tag/cisa-adds-veritas-backup-exec-flaws-to-its-known-exploited-vulnerabilities-catalog))**
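The advisory above names two defects: a middleware check that runs only for POST requests, and a client-controlled `statusfile` value that reaches a shell. The following Python is an added illustration written for this page; it is not CyberPanel's code and does not reproduce its `secMiddleware`. The request model, the use of `/dns/` and `/ftp/` as protected path prefixes, the `userID` session key, the status-file name allowlist and the base directory are all assumptions. It places a method-dependent check next to a method-independent one, and adds a validator that rejects shell metacharacters and path separators so the value can be used as a plain filename without invoking a shell.

```python
import re
from dataclasses import dataclass, field
from pathlib import PurePosixPath
from typing import Optional


# Constructed, framework-free request model for illustration; not CyberPanel's code.
@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)   # client-supplied body/query values
    session: dict = field(default_factory=dict)  # server-side session state


# Hypothetical: path prefixes the middleware guards, and the session key marking a login.
PROTECTED_PREFIXES = ("/dns/", "/ftp/")
LOGIN_KEY = "userID"


def weak_middleware(request: Request) -> bool:
    """The flaw class the advisory describes: the login check runs only for POST,
    so a request using any other verb reaches the view without being checked."""
    if request.method == "POST" and request.path.startswith(PROTECTED_PREFIXES):
        return bool(request.session.get(LOGIN_KEY))
    return True


def hardened_middleware(request: Request) -> bool:
    """Method-independent check: every verb hitting a protected path needs a login."""
    if request.path.startswith(PROTECTED_PREFIXES):
        return bool(request.session.get(LOGIN_KEY))
    return True


# Hypothetical allowlist for the status-file name (first char alphanumeric or '_',
# so '.', '..' and anything with '/', ';', '|', '`', '$' or spaces is rejected)
# and a fixed base directory the name is joined onto.
STATUS_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")
STATUS_DIR = PurePosixPath("/var/lib/example-panel/status")


def resolve_statusfile(value) -> Optional[str]:
    """Return the on-disk path for an allowlisted name, or None if the value is rejected.
    The path is built in Python; nothing here is ever handed to a shell."""
    if not isinstance(value, str) or not STATUS_NAME.fullmatch(value):
        return None
    return str(STATUS_DIR / value)


def get_reset_status(request: Request, middleware) -> tuple:
    """Handler skeleton: authenticate first, then validate the client value.
    A real handler would open() the returned path rather than shell out to read it."""
    if not middleware(request):
        return (401, "unauthenticated")
    path = resolve_statusfile(request.params.get("statusfile"))
    if path is None:
        return (400, "invalid statusfile")
    return (200, path)


# Constructed sample traffic: one legitimate logged-in POST, and two unauthenticated
# non-POST requests carrying values the validator must reject.
SAMPLES = {
    "legit_post": Request("POST", "/dns/getresetstatus",
                          {"statusfile": "reset.status"}, {LOGIN_KEY: 1}),
    "unauth_options_metachar": Request("OPTIONS", "/dns/getresetstatus",
                                       {"statusfile": "reset.status;other"}),
    "unauth_get_traversal": Request("GET", "/ftp/getresetstatus",
                                    {"statusfile": "../../other"}),
}


def run_samples(middleware) -> dict:
    """Run every sample request through the handler with the given middleware."""
    return {name: get_reset_status(req, middleware) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for label, mw in (("weak", weak_middleware), ("hardened", hardened_middleware)):
        print(label, run_samples(mw))
```

With the weak middleware the two non-POST samples pass the authentication step and are stopped only by the `statusfile` validator; with the hardened middleware they are rejected before any parameter is looked at. Both layers are needed: the method-independent check closes the bypass, and the allowlist plus shell-free file handling removes the command-injection sink even if some other path past authentication is found.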
