A few months ago I was assigned to do a pentest on a target running CyberPanel. It seemed to be installed by default by some VPS providers & it was also sponsored by Freshworks.
I was clueless on how to pwn the target as the functionalities were very limited, so I thought about it differently, let’s just find a 0day ¯\_(ツ)_/¯ .
This led to a 0-click pre-auth root RCE on the latest version (2.3.6 as of now). It’s currently still “unpatched”, as in, the maintainers have been notified, a patch has been done but still waiting for the CVE & for the fix to make it to the main release. Update as of October 30, two CVEs have been assigned:
CVE-2024-51567
CVE-2024-51568
Along with a security announcement from the maintainers. You can find the patch commit at https://github.com/usmannasir/cyberpanel/commit/5b08cd6d53f4dbc2107ad9f555122ce8b0996515 .
I also did a large scale scan on bug bounty programs and a couple hosts were affected – thanks iustin for helping out!
https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce
