CyberPanel also added that it reviewed the findings and released a security patch “within 30 minutes”, and has since rolled the fixes out through routine updates.
Zero-day allowing server takeover
In the security announcement, CyberPanel said it had already included patches in routine updates immediately after the flaws were brought to its notice. However, because the patches were supplied secretly, it is understandable that so many devices remained in an N-day state.
Cybersecurity researcher DreyAnd, credited with the discovery of the vulnerabilities, first went public on October 27, sharing proof of concept (PoC) exploits for the flaws. The demonstration included missing authentication, command injection, and security filter bypass to effect a complete server takeover through root-level remote code execution (RCE).