CyberPanel 2.1 - Remote Code Execution (RCE)

I have a lot of issues due to this exploit. My websites are getting totally destroyed one by one.
Does anyone know how to prevent this?

Seems very high danger!

Hope we will get a fix soon.

Find this youtube Video showing the attack:

Seems to me a user login is needed to attack the system. So “workaround” until a patch is to close the login for all users.

I recommend to switch port of the admin backend or maybe a classic .htaccess password protection in front of the login page. Or: close the admin port (:8090) by csf Firewall rule for all except your admin ip. You can do this by ssh connection.

Sorry, only my first thoughts on how to secure things…

Ok, it´s not the solution of the problem, but first aid undtil fix is outcoming.
As descibed above this is how to secure your backend port:

  1. You have to install and activate CSF

  2. ssh as root to your machine

  3. edit /etc/csf/csf.allow

  4. Enter your (fix) ip to it (it´s because you need still access to your backend from your ip)

  5. edit /etc/csf/csf.ignore

  6. enter your IP too to this file

  7. edit /etc/csf/csf.con file

  8. find inside the file the line starting with TCP_IN

  9. delete the admin pot from this line (8090)

  10. find inside the file the line starting with TCP_OUT and delete the admin port too (8090)

  11. save the file

  12. restart csf by systemctl restart csf
    12)restart lfd by systemctl restart lfd

After this you should be able to still connect to your admin backend from your own IP, but anyone else will not be able to connect to the login page

Wait fpr the cybepanel team to fix this issue

You maybe using old cyberpanel version. Its all solved as soon as reported back in August 2021. Please update your cyberpanel to get the fixes.

1 Like