CVE-2019-12840
published 2019-06-15

Priority: P182 high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 77.81% (99.5th percentile)

In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.

Affected

2 ranges
Vendor    Product    Version range    Fixed in
webmin    webmin     <= 1.962
webmin    webmin     <= 1.910

Detection & IOCs (extracted from sources)

path: /session_login.cgi
cookie: testing=1
path: /package-updates/update.cgi
port: 10000
command: u=acl%2Fapt&u=%20%7C%20#{payload}&ok_top=Update+Selected+Packages
command: bash -c "{echo,<b64>}|{base64,-d}|{bash,-i}"
command: redir=%2E%2E%2Fsquid%2F&redirdesc=Squid%20Proxy%20Server&mode=new&u=squid34%0A%7C#{payload}%26%26

  • Look for the cookie value 'testing=1' in HTTP requests to Webmin's session_login.cgi — this is a hardcoded value used by the Metasploit exploit module to bypass the 'Error - No cookies' check.
  • Monitor POST requests to /package-updates/update.cgi with a Referer header of /package-updates/?xnavigation=1 and body data containing URL-encoded pipe (%7C), newline (%0A), or double-ampersand (%26%26) sequences.
  • Detect the bypass payload pattern in POST body: 'u=' parameter containing %0A%7C (newline + pipe) followed by base64-encoded content and %26%26, targeting the incomplete fix for CVE-2019-12840.
  • Alert on HTTP traffic to Webmin (default port 10000) where POST body to update.cgi contains the string 'ok_top=Update+Selected+Packages' alongside a second 'u=' parameter with a space-pipe pattern (%20%7C%20), indicating the original CVE-2019-12840 injection vector.
  • Detect use of bash brace-expansion payload delivery pattern in HTTP POST bodies: {echo,<base64>}|{base64,-d}|{bash,-i}, which is the shell execution technique used by the exploit.
  • Restricting access to the 'Package Updates' module is the only mitigation for CVE-2019-12840; monitor for unauthorized users accessing the /package-updates/ path on Webmin.
  • The Metasploit module defaults to non-SSL on port 10000; deployments using SSL or non-default ports require adjusted detection rules.
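
The indicators listed above, expressed as detection logic over parsed HTTP request records. This is an added example, not code from the page or its sources; the record shape, the indicator names and the sample bodies (with PLACEHOLDER standing in for `#{payload}`) are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

LOGIN_PATH = "/session_login.cgi"
UPDATE_PATH = "/package-updates/update.cgi"
# {echo,<b64>}|{base64,-d}|{bash,-i} as it appears once the body is URL-decoded.
BRACE_RE = re.compile(r"\{echo,[^}]*\}\|\{base64,-d\}\|\{bash,-i\}")
# Newline + pipe, later followed by a double ampersand (%0A%7C ... %26%26).
BYPASS_RE = re.compile(r"\n\|.*&&", re.S)

def classify(req):
    """Return the sorted indicator names matched by one decrypted request record.

    `req` uses an assumed shape: a dict with 'method', 'path', 'cookie', 'body'.
    """
    hits = set()
    path = urlsplit(req["path"]).path
    cookies = [c.strip() for c in req.get("cookie", "").split(";")]
    if path == LOGIN_PATH and "testing=1" in cookies:
        hits.add("msf-login-cookie")
    if req["method"] == "POST" and path == UPDATE_PATH:
        # parse_qsl URL-decodes and keeps repeated keys, so every u= is inspected.
        params = parse_qsl(req.get("body", ""), keep_blank_values=True)
        ok_top = ("ok_top", "Update Selected Packages") in params
        for key, value in params:
            if key != "u":
                continue
            if ok_top and value.startswith(" | "):
                hits.add("original-injection")
            if BYPASS_RE.search(value):
                hits.add("fix-bypass-injection")
            if BRACE_RE.search(value):
                hits.add("brace-expansion-delivery")
    return sorted(hits)

# Constructed sample records (not captured traffic).
SAMPLES = [
    {"method": "POST", "path": UPDATE_PATH, "cookie": "sid=x",
     "body": "u=acl%2Fapt&ok_top=Update+Selected+Packages"},
    {"method": "POST", "path": UPDATE_PATH, "cookie": "sid=x",
     "body": "u=acl%2Fapt&u=%20%7C%20PLACEHOLDER&ok_top=Update+Selected+Packages"},
    {"method": "POST", "path": UPDATE_PATH, "cookie": "sid=x",
     "body": "mode=new&u=squid34%0A%7CPLACEHOLDER%26%26"},
    {"method": "GET", "path": LOGIN_PATH, "cookie": "testing=1", "body": ""},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["path"], classify(rec))
```

The classifier needs decrypted request bodies, so on SSL-enabled deployments it has to run behind TLS termination or on Webmin-side logs that include POST data.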

CVSS provenance

nvd    v3.0    8.8    HIGH        CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd    v2.0    9.0    CRITICAL    AV:N/AC:L/Au:S/C:C/I:C/A:C