The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CyberPanel flaw CVE-2024-51378 (CVSS score: 10.0) to its Known Exploited Vulnerabilities (KEV) catalog.
The getresetstatus vulnerability in CyberPanel allows remote attackers to bypass authentication and execute arbitrary commands by exploiting a flaw in secMiddleware.
The vulnerability impacted versions up to 2.3.6 and the unpatched 2.3.7, and was exploited in a large-scale hacking campaign targeting over 22,000 CyberPanel instances.
CISA has ordered federal agencies to fix this vulnerability by December 25, 2024.