CyberPanel, a widely used free web hosting control panel, was recently found to contain vulnerabilities that could allow unauthenticated remote code execution. The discovery was made by a security researcher known as DreyAnd, who reported the vulnerabilities to the CyberPanel developers. The developers released patches on October 23. A few days later, on October 27, the researcher publicly shared the technical details along with proof-of-concept (PoC) exploit code. LeakIX, a cybersecurity firm that scans the internet for exposed systems, began monitoring CyberPanel instances the following day. By October 29, it had already confirmed widespread exploitation of the vulnerabilities.
On October 28, LeakIX identified approximately 22,000 online CyberPanel instances, nearly half of which were based in the United States. By the next day, that number had dropped to just a few hundred—not due to patching, but because many of the instances had been hacked and taken offline. It is estimated that the 20,000 compromised CyberPanel instances affected around 200,000 websites.
Further analysis revealed that attackers exploited these vulnerabilities in Psaux ransomware campaigns, encrypting files on compromised servers and demanding a ransom for decryption. The latest update from LeakIX indicates that up to three different ransomware groups have been actively targeting CyberPanel instances, with some even encrypting files that had already been locked by previous ransomware attacks.
© 2021 CyberEnsō – Nihon Cyber Defence Co., Ltd. All Rights Reserved.