#VU99595 Improper authentication in CyberPanel
Vulnerability identifier: #VU99595
Vulnerability risk: Critical
CVSSv3.1: 9.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-287
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
CyberPanel
Web applications /
Remote management & hosting panels
Vendor: CyberPanel
Description
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to improper authentication within upgrademysqlstatus in databases/views.py. A remote non-authenticated attacker can send a specially crafted HTTP POST request to the /dataBases/upgrademysqlstatus endpoint, bypass authentication and execute arbitrary OS commands on the system.
Note, the vulnerability is being actively exploited in the wild.
Mitigation
Install update from vendor's repository.
Vulnerable software versions
CyberPanel: 1.7.2 - 2.3.7
External links
http://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce
http://github.com/usmannasir/cyberpanel/commit/5b08cd6d53f4dbc2107ad9f555122ce8b0996515
http://cyberpanel.net/blog/detials-and-fix-of-recent-security-issue-and-patch-of-cyberpanel
http://www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/
http://x.com/leak_ix/status/1851608316130025856
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
