cbcvebase.
CVE-2012-2982
published 2012-09-11

CVE-2012-2982: file/show.cgi in Webmin 1.590 and earlier allows remote authenticated users to execute arbitrary commands via an invalid character in a pathname, as…

PriorityP259medium6.5CVSS 2.0
AVNACLAuSCPIPAP
EXPLOIT
EPSS
61.92%
99.1th percentile
file/show.cgi in Webmin 1.590 and earlier allows remote authenticated users to execute arbitrary commands via an invalid character in a pathname, as demonstrated by a | (pipe) character.

Affected

39 ranges· showing 25
VendorProductVersion rangeFixed in
gentoowebmin<= 1.590
gentoowebmin
gentoowebmin
gentoowebmin
gentoowebmin
gentoowebmin
gentoowebmin
gentoowebmin
gentoowebmin
gentoowebmin
gentoowebmin
gentoowebmin
gentoowebmin
gentoowebmin
gentoowebmin
gentoowebmin
gentoowebmin
gentoowebmin
gentoowebmin
gentoowebmin
gentoowebmin
gentoowebmin
gentoowebmin
gentoowebmin
gentoowebmin

Detection & IOCsextracted from sources · hover to see the quote

path/file/show.cgi
url/file/show.cgi/bin/<rand>|<command>|
port10000
cookiesid=<session_id>
  • Detect exploitation attempts by inspecting HTTP GET requests to /file/show.cgi containing a pipe character '|' in the URI path, which is the injection vector for arbitrary command execution.
  • Monitor for POST requests to /session_login.cgi followed immediately by a GET to /file/show.cgi/bin/<random>|<command>| on port 10000 (default Webmin port), indicating automated exploitation (e.g., Metasploit module).
  • Alert on HTTP 302 responses from /session_login.cgi that set a 'sid' cookie, followed by requests to /file/show.cgi containing pipe characters — this two-step pattern is the full exploit authentication + execution flow.
  • Flag HTTP 200 responses from /file/show.cgi with message body matching 'Document follows', as this indicates successful command execution by the exploit.
  • The exploit requires an authenticated session with access to the File Manager Module; monitor for privilege escalation to root from Webmin file manager sessions.
  • ·Exploitation requires valid Webmin credentials (authenticated attack); unauthenticated access alone is insufficient to trigger the vulnerability.
  • ·The Metasploit module defaults to SSL on port 10000; detections should account for TLS-encrypted traffic on this port when deploying network-based signatures.
  • ·The vulnerability affects Webmin 1.590 and earlier (module tested on 1.580); versions above 1.590 are not affected by this specific code path.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.