CyberPanel v2.3.6 RCE & Ransomware Campaign
Over 22,000 CyberPanel instances exposed online to a critical remote code execution (RCE) vulnerability were mass-targeted in a PSAUX ransomware attack that took almost all instances offline.
This week, security researcher DreyAnd disclosed that CyberPanel 2.3.6 (and likely 2.3.7) suffers from three distinct security problems that can result in an exploit allowing unauthenticated remote root access without authentication.
Specifically, the researcher uncovered the following problems on CyberPanel version 2.3.6:
Defective authentication: CyberPanel checks for user authentication (login) on each page separately instead of using a central system, leaving certain pages or routes, like ‘upgrademysqlstatus,’ unprotected from unauthorized access. Command injection: User inputs on unprotected pages aren’t properly sanitized, enabling attackers to inject and execute arbitrary system commands. Security filter bypass: The security middleware only filters POST requests, allowing attackers to bypass it using other HTTP methods, like OPTIONS or PUT.
https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce (archive)
https://www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/ (archive)
Decryptor for those infected with PSAUX can be found at https://gist.github.com/gboddin/d78823245b518edd54bfc2301c5f8882#file-0-decrypt-sh (archive)
Keep in mind its experimental, so make backups.