CVE-2024-51568

high-risk
Published 2024-10-29

CyberPanel (aka Cyber Panel) before 2.3.5 allows Command Injection via completePath in the ProcessUtilities.outputExecutioner() sink. There is /filemanager/upload (aka File Manager upload) unauthenticated remote code execution via shell metacharacters.

Do I need to act?

!
93.0% chance of exploitation in next 30 days
EPSS score — higher than 7% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
10
CVSS 10.0/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Cyberpanel

References (4)

Product https://cwe.mitre.org/data/definitions/78.html
Release Notes https://cyberpanel.net/KnowledgeBase/home/change-logs/
Release Notes https://cyberpanel.net/blog/cyberpanel-v2-3-5
Exploit https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pr...
58
/ 100
high-risk
Severity 33/34 · Critical
Exploitability 20/34 · Moderate
Exposure 5/34 · Minimal