Remote Code Execution Vulnerability in CyberPanel
IONIX Tracks CyberPanel Remote Code Execution (no CVE yet) – See if You’re Impacted
This post is based on ongoing security research – and will continue to be updated as we get additional information…
What is CyberPanel?
CyberPanel is a free and open-source control panel for Linux servers, designed to simplify web hosting and server management tasks.
CyberPanel RCE
A recently disclosed vulnerability in CyberPanel allows unauthenticated remote code execution as root on affected machines. The vulnerability is known to be exploited in the wild, and an exploit is publicly available. According to an article on DreyAnd's blog: "This led to a 0-click pre-auth root RCE on the latest version (2.3.6 as of now). It's currently still "unpatched", as in, the maintainers have been notified, a patch has been done but still waiting for the CVE & for the fix to make it to the main release."
We recommend upgrading to the latest version available on GitHub (the patch is linked in the References below). Because the researcher reports that the fix had not yet reached the main release line, verify that the referenced patch is actually present in the version you install rather than relying on the release number alone. IONIX customers will find impacted assets identified in the Threat Center of the IONIX portal.
From the CyberPanel website:
“Recently, two security experts contacted us about a code-level vulnerability in CyberPanel. Specifically, we missed a condition in the code that could expose certain server details valuable to hackers.
NOTE: We’re not sharing the exact location of the vulnerability to avoid exposing servers that still need updating.
When the experts informed us about the issue, we immediately reviewed their findings and released a security patch within 30 minutes. If the experts are reading this, they know how swiftly we acted. They later advised us to announce this issue publicly, but we requested to hold off to allow users time to update for security reasons. Though we didn’t initially announce it, a routine update included the security patch.
Unfortunately, the information was revealed on a third-party site, leading to concerns among our users.”
References
What Are My OPTIONS? CyberPanel v2.3.6 pre-auth RCE: DreyAnd's Web Security Blog, where the vulnerability was identified.
GitHub patch.
CyberPanel blog with additional information on the exposure.