PSAUX Ransomware exploits CyberPanel Vulnerabilities

The PSAUX ransomware has been seen exploiting CyberPanel vulnerabilities that affect versions 2.3.6 and 2.3.7 and permit unauthenticated attackers to gain root access, giving them complete control over affected systems.

The vulnerabilities, tracked as CVE-2024-51567, CVE-2024-51568 and CVE-2024-51378, each carry a CVSS v3.1 score of 10.0 and are being used to compromise servers and deploy PSAUX ransomware. All three allow unauthenticated remote root access.

  1. CVE-2024-51567: This vulnerability lies in the upgrademysqlstatus function within CyberPanel's databases/views.py. By bypassing the security middleware and placing shell metacharacters in the statusfile property, attackers gain remote command execution.
  2. CVE-2024-51568: This vulnerability is a command injection via completePath in the ProcessUtilities.outputExecutioner() function. Attackers can execute arbitrary commands through a file upload in the File Manager, achieving remote code execution without authentication.
  3. CVE-2024-51378: This vulnerability affects the getresetstatus function in dns/views.py and ftp/views.py. Like the others, it allows remote command execution once the middleware is bypassed, making it a critical flaw.
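As an added illustration of the command-injection class described for CVE-2024-51567 (example code, not CyberPanel's own code), the block below shows a Django-style handler that formats a user-controlled statusfile value straight into a shell command, next to a hardened version that allow-lists the value, confines the resolved path to one directory and executes without a shell. The STATUS_DIR path, the function names and the constructed payload are assumptions for the example:

```python
"""Added illustration (not CyberPanel's own code) of the vulnerability class
behind CVE-2024-51567: a Django-style view that drops a user-controlled
`statusfile` value into a shell command, next to a hardened version.
Path and function names here are assumptions for the example."""
import os
import re
import subprocess

# Hypothetical directory where legitimate status files live (assumption).
STATUS_DIR = "/home/cyberpanel/status"


def build_vulnerable_command(statusfile: str) -> str:
    """Vulnerable pattern: untrusted input formatted straight into a shell
    command line. /bin/sh will interpret any metacharacter (; | $( ) etc.)
    in `statusfile` as part of the command, not as part of a filename."""
    return "cat %s" % statusfile


def run_vulnerable(statusfile: str) -> str:
    """Runs the vulnerable command through a shell and returns its stdout,
    which is how an injected payload ends up executing."""
    proc = subprocess.run(build_vulnerable_command(statusfile),
                          shell=True, capture_output=True, text=True)
    return proc.stdout


def safe_status_args(statusfile: str) -> list:
    """Hardened pattern: (1) allow-list the characters, (2) confine the
    resolved path to STATUS_DIR, (3) return an argv list so the command is
    executed without any shell and the value can only ever be a filename."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", statusfile):
        raise ValueError("statusfile contains characters outside the allow-list")
    path = os.path.realpath(os.path.join(STATUS_DIR, statusfile))
    # Rejects ".." and "." as well: their resolved parent is not STATUS_DIR.
    if os.path.dirname(path) != os.path.realpath(STATUS_DIR):
        raise ValueError("statusfile escapes STATUS_DIR")
    return ["cat", path]


def run_safe(statusfile: str) -> str:
    """Executes the validated argv with shell=False; metacharacters never
    reach a shell, and anything outside the allow-list is rejected first."""
    proc = subprocess.run(safe_status_args(statusfile),
                          shell=False, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Constructed payload: a harmless stand-in for an attacker's command.
    payload = "/dev/null; echo INJECTED"
    print("vulnerable:", run_vulnerable(payload).strip())   # INJECTED
    try:
        run_safe(payload)
    except ValueError as e:
        print("hardened:", e)
```

The important design choice is the order of the checks in safe_status_args: character allow-listing stops metacharacters, path confinement stops traversal, and passing an argv list (not a string) removes the shell from the picture entirely. Quoting with shlex.quote would only address the first of those three and is a weaker fallback.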

Threat intelligence from LeakIX revealed that 21,761 exposed CyberPanel instances were online as of October 26, nearly half of them located in the United States. These instances collectively managed over 152,000 domains and databases, forming a massive target for ransomware operators.

Cybersecurity researcher DreyAnd, credited with discovering the vulnerabilities, first went public on October 27, sharing proof-of-concept (PoC) exploits for the flaws. The demonstration chained missing authentication, command injection and a security-filter bypass to achieve a complete server takeover through root-level remote code execution (RCE).

The PSAUX ransomware, which first surfaced in June 2024, is designed to infiltrate web servers through both vulnerabilities and configuration weaknesses. After exploitation, its actions include encrypting files with AES keys, encrypting those AES keys together with the initialization vector (IV) using RSA, and writing the ransom note to index.html so that it is displayed in place of the site.

The attack leveraged purpose-built scripts, including ak47.py for exploiting CyberPanel's vulnerabilities and actually.sh for file encryption.


In response to the attack, LeakIX released a decryptor for PSAUX-encrypted files. Administrators are cautioned to use it with care: the decryptor only works if the ransomware operators used the known encryption keys, and applying an incorrect decryption key can cause irreversible data loss. Users are advised to back up the encrypted files before attempting decryption.

On October 29, CyberPanel issued an official statement acknowledging the vulnerabilities, crediting the researchers for their rapid reporting, and detailing remediation steps for affected users:

CyberPanel users are strongly urged to update their installations to the latest patched versions available on GitHub.
