Over 22,000 CyberPanel instances exposed online to a critical remote code execution (RCE) vulnerability were mass-targeted in a PSAUX ransomware attack that took almost all instances offline.
This week, security researcher DreyAnd disclosed that CyberPanel 2.3.6 (and likely 2.3.7) suffers from three distinct security problems that can result in an exploit allowing unauthenticated remote root access without authentication.
Specifically, the researcher uncovered the following problems on CyberPanel version 2.3.6:
- Defective authentication: CyberPanel checks for user authentication (login) on each page separately instead of using a central system, leaving certain pages or routes, like ‘upgrademysqlstatus,’ unprotected from unauthorized access.
- Command injection: User inputs on unprotected pages aren’t properly sanitized, enabling attackers to inject and execute arbitrary system commands.
- Security filter bypass: The security middleware only filters POST requests, allowing attackers to bypass it using other HTTP methods, like OPTIONS or PUT.
The researcher, DreyAnd, developed a proof-of-concept exploit to demonstrate root-level remote command execution on the server, allowing him to take complete control of the server.
DreyAnd told BleepingComputer that he could only test the exploit on version 2.3.6 as he did not have access to the 2.3.7 version at the time. However, as 2.3.7 was released on September 19, before the bug was found, it was likely impacted as well.
The researcher said they disclosed the flaw to the CyberPanel developers on October 23, 2024, and a fix for the authentication issue was submitted later that evening on GitHub.
While anyone who installs CyberPanel from GitHub or through the upgrade process will get the security fix, the developers have not released a new version of the software or issued a CVE.
BleepingComputer has contacted CyberPanel to ask when they plan to release a new version or security announcement, but we are still awaiting their response.
Targeted in PSAUX ransomware attack
Yesterday, the threat intel search engine LeakIX reported that 21,761 vulnerable CyberPanel instances were exposed online, and nearly half (10,170) were in the United States.
However, overnight, the number of instances mysteriously dropped to only about 400 instances, with LeakIX telling BleepingComputer the impacted servers are no longer accessible.
Cybersecurity researcher Gi7w0rm tweeted on X that these instances managed over 152,000 domains and databases, for which CyberPanel acted as the central access and management system.
LeakIX has now told BleepingComputer that threat actors mass-exploited the exposed CyberPanel servers to install the PSAUX ransomware.
The PSAUX ransomware operation has been around since June 2024 and targets exposed web servers through vulnerabilities and misconfigurations.
When launched on a server, the ransomware will create a unique AES key and IV and use them to encrypt the files on a server.
The ransomware will also create ransom notes named index.html in every folder and copy the ransom note to /etc/motd, so it is shown when a user logs into the device.
When finished, the AES key and IV are encrypted using an enclosed RSA key and saved as /var/key.enc and /var/iv.enc.
LeakIX and Chocapikk obtained the scripts used in this attack, which include an ak47.py script for exploiting the CyberPanel vulnerability and another script named actually.sh to encrypt the files.
However, the ransomware script includes a critical mistake and used a private RSA key instead of a public key to encrypt the AES and IV files.
Ransomware expert Michael Gillespie told BleepingComputer that this private RSA can also be used to decrypt the encrypted AES and IV files, which can then be potentially used to recover the files for free.
Impacted CyberPanel servers should have a decryptor located in /var/decrypter.sh but it will likely need to be modified to decrypt servers correctly. If you have this file, please share a sample with BleepingComputer so we can determine if it can be modified to recover files.
Due to the active exploitation of the CyberPanel flaw, users are strongly advised to upgrade to the latest version on GitHub as soon as possible.