On October 23, 2024, a security researcher disclosed a security flaw in CyberPanel that allowed unauthenticated users to gain access to your server. Within 30 minutes on the same day we released a patch and pushed it to GitHub.
Some people believe that we only pushed the commit to GitHub and did not make a release. However, CyberPanel updates and installs are made directly from GitHub, so once the commits were pushed they were available for everyone to install (which was within 30 minutes).
That specific commit can be seen here: https://github.com/usmannasir/cyberpanel/commit/5b08cd6d53f4dbc2107ad9f555122ce8b0996515
Once the commits were pushed, all our users got a notice on their CyberPanel version management page that they needed to upgrade CyberPanel to the latest commit.
We informed the security researcher that we would wait a few days before sending out an email blast and making social media announcements to give users time to upgrade, minimizing the chance for bad actors to learn about the hack and start exploiting our users’ servers.
On October 29, 2024 we sent an email blast along with social media announcements.
Our Apology
We understand that incidents like these can lead to a loss of trust in a product. However, we assure you that, as an open-source platform, CyberPanel has undergone extensive scrutiny by numerous researchers, making it highly secure and reliable.
Many of our users have offered to pay us to fix their servers, but since this issue was our mistake, we’ve been restoring countless servers free of charge. We’re still working around the clock to assist anyone in need, at no cost.
We sincerely apologize for any inconvenience this may have caused. We’re here to help—feel free to reach out anytime by emailing us at: [email protected]
Code Review – Aftermath
After the incident, we thoroughly reviewed the entire codebase and identified a few further security issues that, while requiring authenticated user access to exploit, have also been fixed.
Please note that these issues are not pre-authentication vulnerabilities; they require authenticated access to exploit. Nevertheless, we strongly recommend upgrading your servers as soon as possible.
Some helpful tips and resources from the community and our team to help you recover your servers
For encrypted servers: https://gist.github.com/gboddin/d78823245b518edd54bfc2301c5f8882?fbclid=IwY2xjawGUGDNleHRuA2FlbQIxMAABHYDLjcufif4mubn-SaIhkv-JglRE-bIHaC0UIfA6wYQTyXxMMcyAbrroAw_aem_EN97GLassluhQYT3UCLXtg#file-0-decrypt-sh
Manually applying patch: https://community.cyberpanel.net/t/manually-applying-the-patch-via-rescue-mode/56126
If you are facing issues with updates, here is a guide as well.
We will continue reviewing the code while assisting users to help everyone through this challenging time. Since CyberPanel is open-source, our team is small, but we’re doing our best to support as many users as possible. We apologize if our response time is slow and appreciate your patience.