CVE-2019-12840
Published 2019-06-15
Priority: P1 · 82 · high · CVSS 3.0 8.8
Exploit: available
EPSS: 77.81% (99.5th percentile)
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| webmin | webmin | <= 1.962 | — |
| webmin | webmin | <= 1.910 | — |
Detection & IOCs (extracted from sources)
- command: `redir=%2E%2E%2Fsquid%2F&redirdesc=Squid%20Proxy%20Server&mode=new&u=squid34%0A%7C#{payload}%26%26`
- Look for the cookie value 'testing=1' in HTTP requests to Webmin's session_login.cgi; this is a hardcoded value used by the Metasploit exploit module to bypass the 'Error - No cookies' check.
- Monitor POST requests to /package-updates/update.cgi with a Referer header of /package-updates/?xnavigation=1 and body data containing URL-encoded pipe (%7C), newline (%0A), or double-ampersand (%26%26) sequences.
- Detect the bypass payload pattern in the POST body: a 'u=' parameter containing %0A%7C (newline + pipe) followed by base64-encoded content and %26%26, targeting the incomplete fix for CVE-2019-12840.
- Alert on HTTP traffic to Webmin (default port 10000) where the POST body to update.cgi contains the string 'ok_top=Update+Selected+Packages' alongside a second 'u=' parameter with a space-pipe pattern (%20%7C%20), indicating the original CVE-2019-12840 injection vector.
- Detect the bash brace-expansion payload delivery pattern in HTTP POST bodies: {echo,<base64>}|{base64,-d}|{bash,-i}, which is the shell execution technique used by the exploit.
- Restricting access to the 'Package Updates' module is the only mitigation for CVE-2019-12840; monitor for unauthorized users accessing the /package-updates/ path on Webmin.
- Note: the Metasploit module defaults to non-SSL on port 10000; deployments using SSL or non-default ports require adjusted detection rules.
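A defender-side check that applies the indicators listed above to individual HTTP requests, as an added example that is not part of this page or of any source it cites. The request records and bodies are constructed, and PLACEHOLDER marks where a payload would sit; the ruleset only looks at the encoded shapes the notes describe.

```python
import re

# Indicators from the detection notes. Bodies are inspected URL-encoded on
# purpose: the injected control characters exist on the wire only as
# %0A (newline), %7C (pipe), %20 (space) and %26%26 (&&).
UPDATE_CGI = "/package-updates/update.cgi"
LOGIN_CGI = "/session_login.cgi"
NEWLINE_PIPE = re.compile(r"%0A%7C", re.I)
SPACE_PIPE = re.compile(r"%20%7C%20", re.I)
DOUBLE_AMP = re.compile(r"%26%26", re.I)
# brace-expansion delivery, either raw or with { and , percent-encoded
BRACE_EXPANSION = re.compile(r"%7B(?:echo|base64|bash)%2C|\{(?:echo|base64|bash),", re.I)


def analyze_request(method, path, headers, body):
    """Return the indicator names matched by one Webmin HTTP request."""
    hits = []
    if path.startswith(LOGIN_CGI) and "testing=1" in headers.get("Cookie", ""):
        hits.append("metasploit-testing-cookie")
    if method.upper() != "POST" or not path.startswith(UPDATE_CGI):
        return hits
    if headers.get("Referer", "").endswith("/package-updates/?xnavigation=1"):
        hits.append("module-referer")
    params = body.split("&")  # a literal & separates fields; && arrives as %26%26
    u_values = [p[2:] for p in params if p.startswith("u=")]
    if any(NEWLINE_PIPE.search(u) and DOUBLE_AMP.search(u) for u in u_values):
        hits.append("bypass-newline-pipe")  # CVE-2020-35606 shape
    if ("ok_top=Update+Selected+Packages" in params and len(u_values) >= 2
            and any(SPACE_PIPE.search(u) for u in u_values)):
        hits.append("original-space-pipe")  # CVE-2019-12840 shape
    if BRACE_EXPANSION.search(body):
        hits.append("brace-expansion-payload")
    return hits


# Constructed sample requests (method, path, headers, body).
REFERER = "http://webmin.example:10000/package-updates/?xnavigation=1"
BENIGN = ("POST", UPDATE_CGI, {"Referer": REFERER},
          "mode=new&u=apache2&ok_top=Update+Selected+Packages")
ORIGINAL = ("POST", UPDATE_CGI, {"Referer": REFERER},
            "mode=new&u=apache2&u=x%20%7C%20PLACEHOLDER%26%26&ok_top=Update+Selected+Packages")
BYPASS = ("POST", UPDATE_CGI, {},
          "redir=%2E%2E%2Fsquid%2F&mode=new&u=squid34%0A%7CPLACEHOLDER%26%26")
LOGIN = ("GET", LOGIN_CGI, {"Cookie": "testing=1"}, "")

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("original", ORIGINAL), ("bypass", BYPASS), ("login", LOGIN)]:
        print(name, analyze_request(*req))
```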
CVSS provenance
- NVD v3.0: 8.8 HIGH, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C
GHSA
GHSA-vq42-23mp-rqh2 (CVE-2020-35606, HIGH, CWE-77; ghsa_unreviewed · 2022-05-24 · CVSS 8.8)
Arbitrary command execution can occur in Webmin through 1.962. Any user authorized for the Package Updates module can execute arbitrary commands with root privileges via vectors involving %0A and %0C. NOTE: this issue exists because of an incomplete fix for CVE-2019-12840.
GHSA
GHSA-gcq8-ggwj-2xvv (CVE-2019-12840, HIGH; ghsa_unreviewed · 2022-05-24)
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
No detection rules found.
Exploit-DB
Webmin 1.962 - 'Package Updates' Escape Bypass RCE (Metasploit) (CVE-2020-35606, HIGH; exploitdb · 2020-12-22 · CVSS 8.8)
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Webmin 1.962 - Package Update Escape Bypass RCE (Metasploit)',
'Description' => %q(
This module exploits an arbitrary command execution vulnerability in Webmin
1.962 and lower versions. Any user authorized to the "Package Updates"
module can execute arbitrary commands with root privileges.
It emerged by circumventing the measure taken for CVE-2019-12840.
s/\\(-)|\\(.)/string/g; escape is not enough for prevention.
Therefore, since the package name variable is placed directly in the system command,
we can manipulate it using some escape characters that HTTP supp
```
Exploit-DB
Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit) (CVE-2019-12840; exploitdb · 2019-06-11)
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Webmin Package Updates Remote Command Execution',
'Description' => %q(
This module exploits an arbitrary command execution vulnerability in Webmin
1.910 and lower versions. Any user authorized to the "Package Updates"
module can execute arbitrary commands with root privileges.
),
'Author' => [
'AkkuS ' # Vulnerability Discovery, MSF PoC module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2019-12840'],
['URL', 'https://www.pentest.com.tr/exploits/Webmin-1910-Package-Updates-Remote-Command-Execution.html']
],
'Privileged' => true,
'Payload' =>
{
```
Metasploit
Webmin Package Updates Remote Command Execution (metasploit)
This module exploits an arbitrary command execution vulnerability in Webmin 1.910 and lower versions. Any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges.
CTF
medium / README (ctf_writeups · CVSS 9.1 · CRITICAL): HackTheBox - Medium Machines, an index of retired HTB Medium-difficulty machine writeups
CTF
easy / README (ctf_writeups · CVSS 6.0 · MEDIUM): HackTheBox Easy Machines - Comprehensive Reference, a catalog of retired HTB Easy machine writeups
Tenable
CVE-2019-15107: Exploit Modules Available for Remote Code Execution Vulnerability in Webmin (CRITICAL; blogs_tenable · 2019-08-19 · CVSS 9.8)
References
- http://packetstormsecurity.com/files/153372/Webmin-1.910-Remote-Command-Execution.html
- http://www.securityfocus.com/bid/108790
- https://pentest.com.tr/exploits/Webmin-1910-Package-Updates-Remote-Command-Execution.html
- https://www.exploit-db.com/exploits/46984