22,000 servers ransomed in days: the CyberPanel control-panel wipeout
Two CVSS-10 pre-auth RCEs in CyberPanel let the PSAUX ransomware crew encrypt roughly 22,000 internet-exposed servers in late October 2024. Hosting control panels run as root and face the internet by design, which is exactly why one bug becomes a fleet-wide event.
In late October 2024, the PSAUX ransomware operation encrypted on the order of 22,000 CyberPanel servers in a matter of days, out of roughly 60,000 internet-exposed instances. The entry point was a pair of pre-authentication remote-code-execution flaws, CVE-2024-51378 and CVE-2024-51567, both rated CVSS 10.0. CyberPanel is an open-source web hosting control panel, the dashboard that manages websites, databases, DNS, email, and FTP on a server, and like every control panel of its kind, it runs with high privileges and is exposed to the internet by design. That combination is why a single bug class turned into a mass-extinction event.
The bugs
Both flaws follow the same pattern: an attacker reaches a CyberPanel endpoint that should be protected, bypasses the secMiddleware authentication layer (certain endpoints weren’t covered by it), and injects shell metacharacters into a parameter that flows into a command, achieving unauthenticated command execution as root.
- CVE-2024-51378 abuses the getresetstatus endpoint (/dns/getresetstatus, /ftp/getresetstatus), bypassing the middleware and injecting commands via the statusfile property.
- CVE-2024-51567 abuses upgrademysqlstatus (/dataBases/upgrademysqlstatus) the same way.
A closely related issue, CVE-2024-51568, rounds out the set. CISA added the CyberPanel bugs to its Known Exploited Vulnerabilities (KEV) catalog with the ransomware flag. Exploitation was near-immediate and automated, which is how PSAUX hit tens of thousands of servers so fast.
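As an added illustration (not CyberPanel's own code), the two defects described above side by side: an authentication check that is deny-by-default rather than an enumerated list of protected endpoints, and the statusfile parameter validated and handed to the process as an argv list instead of being concatenated into a shell string. The public paths, the userID session key and the status directory are assumptions.

```python
import re
import subprocess

# Constructed illustration of the two defects the write-up describes; not CyberPanel's code.
# The public paths, the session key and the status directory are assumptions.

PUBLIC_PATHS = ("/login", "/static/")   # the only paths reachable without a session


def require_session(path, session):
    """Deny by default: only allow-listed public paths skip the session check.
    A middleware that instead enumerates the *protected* paths misses any endpoint it forgot."""
    for public in PUBLIC_PATHS:
        if path == public or (public.endswith("/") and path.startswith(public)):
            return True
    return bool(session.get("userID"))


# One path segment: must start with an alphanumeric, so '/', '..', ';', '|', '$(' never pass.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")
STATUS_DIR = "/var/lib/panel/status"   # hypothetical location of the status files


def validate_statusfile(statusfile):
    """True only for a plain file name that cannot escape STATUS_DIR or carry metacharacters."""
    return SAFE_NAME.fullmatch(statusfile) is not None


def vulnerable_command(statusfile):
    """The vulnerable pattern: a request parameter concatenated into a shell string.
    Returned, never executed here, to show that metacharacters reach the shell intact."""
    return "cat " + statusfile


def hardened_command(statusfile):
    """Hardened form: validated name, pinned to one directory, returned as an argv list
    so it runs with shell=False and no shell ever parses the parameter."""
    if not validate_statusfile(statusfile):
        raise ValueError("statusfile rejected: %r" % statusfile)
    return ["cat", STATUS_DIR + "/" + statusfile]


def handle_getresetstatus(path, session, statusfile, runner=None):
    """Hypothetical handler wiring both checks together; returns (status, body)."""
    if not require_session(path, session):
        return 401, "login required"
    try:
        argv = hardened_command(statusfile)
    except ValueError:
        return 400, "bad statusfile"
    if runner is None:   # real execution: argv list, no shell
        runner = lambda a: subprocess.run(a, capture_output=True, text=True).stdout
    return 200, runner(argv)
```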
Why control panels are mass-exploitation machines
Hosting control panels, CyberPanel and the broader category alike, share the properties that make a vulnerability catastrophic at scale:
- They run as root. The panel manages the whole server, so its code runs with the highest privileges. RCE in the panel is root on the box, no escalation needed.
- They’re internet-facing by design. A control panel exists to be reached remotely, so the vulnerable web interface is exposed to anyone who can find it, and they’re trivially found by mass scanning.
- They hold everything on the server. Websites, databases, customer data, email. Encrypting or stealing it is one action away from control of the panel.
- They’re run by people without security teams. Small hosts, agencies, and individuals run these to avoid managing servers by hand, which means low patch discipline and no monitoring, exactly the population a smash-and-grab ransomware crew wants.
The result is a large, uniform, exposed, high-privilege target population, and the disclosure-to-mass-exploitation window collapses to days because the exploit is simple and the targets are everywhere.
What to do
- Patch CyberPanel immediately to a version past 2.3.7 with the fixes. Given pre-auth RCE and active ransomware exploitation, this is emergency-grade.
- Take the control panel off the open internet. Restrict the management interface to known IPs or put it behind a VPN. A control panel reachable only from your admin network can’t be mass-scanned and exploited. This is the single highest-value control.
- Assume compromise on any exposed, unpatched instance from October 2024 onward. PSAUX moved fast and broadly. Check for the ransomware, web shells, unexpected root processes, and tampering, and restore from known-good offline backups rather than trusting the server.
- Keep offline backups of the data the panel manages. As with NAS and backup-server ransomware, the recovery path is an offline/immutable copy the attacker can’t reach.
- Reduce reliance on internet-exposed panels generally. Where you can, manage servers through hardened, access-controlled channels rather than a public web panel running as root.
The reframe is to treat hosting control panels as among the highest-risk internet-facing software you can run, because they combine root privileges, internet exposure, and an owner population that rarely patches. CyberPanel’s 22,000-server PSAUX event is the demonstration: a simple auth-bypass-to-RCE on a panel that faces the world and runs as root becomes a fleet-wide ransomware wave in days. Patch it, get it off the internet, and keep offline backups, because for this class the attack arrives fast and at scale. We flag the control-panel entries because one of these bugs doesn’t produce one victim; it produces tens of thousands.