CVE-2019-15107
Published: 2019-08-16
Priority: P1 · Critical 9.8 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · exploit · ransomware · initial access
CISA Known Exploited Vulnerability, remediation due 2022-04-15
Exploited in the wild
EPSS: 99.77% (100.0th percentile)
An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| thekelleys | dnsmasq | >= 0 < 2.75-1ubuntu0.16.04.10 | 2.75-1ubuntu0.16.04.10 |
| webmin | webmin | <= 1.920 | — |
Detection & IOCs (extracted from sources)
- The vulnerable parameter is 'old' in password_change.cgi; look for pipe characters (|) in the 'old' POST parameter as an indicator of command injection attempts.
- Exploitation does not require valid credentials; monitor for unauthenticated POST requests to /password_change.cgi, especially with 'expired=2' in the body.
- The backdoor was introduced via compromised build infrastructure (SourceForge downloads) using Perl qx statements; forensic review of Webmin source files for qx() calls is warranted on affected versions.
- Use Shodan/FOFA/Google dorks to identify exposed Webmin instances: Shodan query 'http.title:"webmin"', FOFA 'title="webmin"', Google 'intitle:"webmin"'.
- Only version 1.890 is exploitable in the default install; versions 1.900–1.920 require the 'expired password changing' feature to be explicitly enabled.
- Only SourceForge downloads were backdoored; installations obtained from other sources may not contain the malicious Perl qx statements.
- The backdoor has been present since July 2018, meaning systems installed from compromised builds over a ~14-month window are at risk.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 7.5 | HIGH | — |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
VulDB
CVE-2019-15107 [CRITICAL] Webmin up to 1.920 password_change.cgi old command injection (ID 154141 / EDB-47230)
vuldb·2026-05-22·CVSS 9.8
A vulnerability marked as critical has been reported in Webmin up to 1.920. The impacted element is an unknown function of the file password_change.cgi. Manipulating the argument old (a request parameter) results in command injection.
This vulnerability is known as CVE-2019-15107. Remote exploitation is possible, and an exploit is available.
It is suggested to upgrade the affected component.
GHSA
CVE-2019-15231 [CRITICAL] GHSA-gqv3-jqw8-h6h3: Webmin 1
ghsa_unreviewed·2022-05-24·CVSS 9.8
Webmin 1.890, in a default installation, contains a backdoor that allows an unauthenticated attacker to remotely execute commands. This is different from CVE-2019-15107. NOTE: as of 2019-08-19, the vendor reports that "at some point" malicious code was inserted into their build infrastructure, but was not inserted into any GitHub repository.
GHSA
CVE-2019-15107 [CRITICAL] CWE-78 GHSA-69hp-hrv4-rxrr: An issue was discovered in Webmin through 1
ghsa_unreviewed·2022-05-24
An issue was discovered in Webmin through 1.920. The parameter old in password_change.cgi contains a command injection vulnerability.
OSV
CVE-2017-15107 dnsmasq vulnerabilities
osv·2021-04-22·CVSS 7.5
It was discovered that Dnsmasq incorrectly handled certain wildcard synthesized NSEC records. A remote attacker could possibly use this issue to prove the non-existence of hostnames that actually exist. (CVE-2017-15107)
It was discovered that Dnsmasq incorrectly handled certain large DNS packets. A remote attacker could possibly use this issue to cause Dnsmasq to crash, resulting in a denial of service. (CVE-2019-14513)
VulnCheck
CVE-2019-15107 [CRITICAL] CWE-78 Webmin Command Injection Vulnerability
vulncheck·2019·CVSS 9.8
An issue was discovered in Webmin. The parameter old in password_change.cgi contains a command injection vulnerability.
Affected: Webmin Webmin
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/echobot-malware-now-up-to-71-exploits--targeting-scada; https://blog.sonicwall.com/en-us/2019/12/top-cves-exploited-in-the-wild-in-the-year-2019/; https://www.researchgate.net/publication/348602660_An_analysis_of_the_use_of_CVEs_by_IoT_malware; https://cujo.com/the-sysrv-botnet-and-how-it-evolved/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-24-PalotayZsigovits.pdf; https:/
CISA
CVE-2019-15107 [CRITICAL] CWE-78 Webmin Command Injection Vulnerability
cisa·2022-03-25·CVSS 9.8
Vulnerability: Webmin Command Injection Vulnerability
Affected: Webmin Webmin
An issue was discovered in Webmin. The parameter old in password_change.cgi contains a command injection vulnerability.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-15107
Remediation Due Date: 2022-04-15
Suricata
CVE-2019-15107 [CRITICAL] ET WEB_SERVER Webmin RCE CVE-2019-15107
suricata·2019-08-18·CVSS 9.8
Rule: alert http any any -> any 10000 (msg:"ET WEB_SERVER Webmin RCE CVE-2019-15107"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/password_change.cgi"; startswith; fast_pattern; endswith; http.request_body; content:"|7c|"; reference:url,blog.firosolutions.com/exploits/webmin/; reference:cve,2019-15107; classtype:attempted-admin; sid:2027896; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2019_08_18, cve CVE_2019_15107, deployment Perimeter, deployment Internal, deployment Datacenter, signature_severity Critical, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_14;)
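The Detection & IOCs list above and the Suricata rule describe the same request-level indicators. The following Python is an added example, not code from this page or from any listed source: it applies those indicators to constructed sample requests, percent-decoding the body before matching; the Cookie-header check used to approximate "unauthenticated" is an assumption.

```python
from urllib.parse import parse_qs

# Constructed sample requests (not real captures). Samples 0 and 2 carry the
# page's indicators (POST to /password_change.cgi, expired=2, a pipe in 'old');
# sample 2 percent-encodes the pipe, which a raw "|7c|" byte match would miss.
SAMPLE_REQUESTS = [
    "POST /password_change.cgi HTTP/1.1\r\nHost: webmin.example:10000\r\n\r\n"
    "expired=2&old=abc|abc",
    "POST /password_change.cgi HTTP/1.1\r\nHost: webmin.example:10000\r\n"
    "Cookie: session=placeholder\r\n\r\nexpired=1&old=oldpass",
    "POST /password_change.cgi HTTP/1.1\r\nHost: webmin.example:10000\r\n\r\n"
    "expired=2&old=abc%7Cabc",
    "GET /session_login.cgi HTTP/1.1\r\nHost: webmin.example:10000\r\n\r\n",
]


def parse_request(raw: str):
    """Return (method, path, headers, body) for a raw HTTP/1.x request, or None."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1].split("?", 1)[0], headers, body


def webmin_indicators(raw: str) -> list[str]:
    """Return the page's CVE-2019-15107 indicators that this request matches
    (empty list = nothing matched). The body is percent-decoded first so an
    encoded pipe is caught; a raw-byte match on http.request_body is not."""
    parsed = parse_request(raw)
    if parsed is None:
        return []
    method, path, headers, body = parsed
    if method != "POST" or not path.endswith("/password_change.cgi"):
        return []
    params = parse_qs(body, keep_blank_values=True)
    found = []
    # Assumption: a request with no Cookie header carries no Webmin session,
    # so it approximates the "unauthenticated POST" indicator from the page.
    if "cookie" not in headers:
        found.append("unauthenticated-post")
    if "2" in params.get("expired", []):
        found.append("expired=2")
    if any("|" in v for v in params.get("old", [])):
        found.append("pipe-in-old")
    return found


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(raw.split("\r\n", 1)[0], "->", webmin_indicators(raw) or "clean")
```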
Exploit-DB
CVE-2019-15107 [CRITICAL] Webmin 1.920 - Remote Code Execution
exploitdb·2019-08-19·CVSS 9.8
---
#!/bin/sh
#
# CVE-2019-15107 Webmin Unauthenticated Remote Command Execution
# based on Metasploit module https://www.exploit-db.com/exploits/47230
# Original advisory: https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
# Alternative advisory (Spanish): https://blog.nivel4.com/noticias/vulnerabilidad-de-ejecucion-de-comandos-remotos-en-webmin
#
# Fernando A. Lagos B. (Zerial)
# https://blog.zerial.org
# https://blog.nivel4.com
#
# The script sends a flag via an echo command, then greps for it. If it matches, the target is vulnerable.
#
# Usage: sh CVE-2019-15107.sh https://target:port
# Example: sh CVE-2019-15107.sh https://localhost:10000
# output: Testing for RCE (CVE-2019-15107) on https://localhost:10000: VULNERABLE
Exploit-DB
CVE-2019-15107 Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)
exploitdb·2019-08-12
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Webmin 1.920 Unauthenticated RCE',
'Description' => %q{
This module exploits a backdoor in Webmin versions 1.890 through 1.920.
Only the SourceForge downloads were backdoored, but they are listed as
official downloads on the project's site.
Unknown attacker(s) inserted Perl qx statements into the build server's
source code on two separate occasions: once in April 2018, introducing
the backdoor in the 1.890 release, and in July 2018, reintroducing the
backdoor in releases 1.900 through 1.920.
Only version 1.890 is exploitable in the default install. Later af
Metasploit
Webmin password_change.cgi Backdoor
metasploit
This module exploits a backdoor in Webmin versions 1.890 through 1.920. Only the SourceForge downloads were backdoored, but they are listed as official downloads on the project's site. Unknown attacker(s) inserted Perl qx statements into the build server's source code on two separate occasions: once in April 2018, introducing the backdoor in the 1.890 release, and in July 2018, reintroducing the backdoor in releases 1.900 through 1.920. Only version 1.890 is exploitable in the default install. Later affected versions require the expired password changing feature to be enabled.
Nuclei
CVE-2019-15107 [CRITICAL] Webmin <= 1.920 - Unauthenticated Remote Command Execution
nuclei·CVSS 9.8
Webmin <= 1.920 is vulnerable to an unauthenticated remote command execution via the parameter 'old' in password_change.cgi.
Template:
id: CVE-2019-15107
info:
  name: Webmin <= 1.920 - Unauthenticated Remote Command Execution
  author: bp0lr
  severity: critical
  description: Webmin <= 1.920 is vulnerable to an unauthenticated remote command execution via the parameter 'old' in password_change.cgi.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands with root privileges.
  remediation: |
    Upgrade to Webmin version 1.930 or later to mitigate this vulnerability.
  reference:
    - https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
    - https://n
Unit42
[HIGH] Mirai Variant V3G4 Targets IoT Devices
blogs_unit42·2023-02-15·CVSS 7.5
## Mirai Variant V3G4 Targets IoT Devices
Chao Lei, Zhibin Zhang, Cecilia Hu, Aveek Das
Published: February 15, 2023
## Content Warning
We are providing a content warning because the following contains usage of a racial slur by a threat actor, which is not condoned in any instance by Unit 42. Unit 42 has partially redacted the racial slur to provide researchers with the ability to identify it and check IoCs as needed.
## Executive Summary
From July to December 2022, Unit 42 researchers observed a Mirai variant called V3G4, which was leveraging several vulnerabilities to spread itself. The vulnerabilities exploited include the following:
- CVE-2012-4869: FreePBX Elastix Remote Command Execution Vulnerability
- Gitorious Remote Command Execution Vulnerability
- CVE-2014-9727: FRITZ!Box Webcam Remote Command Execution Vulnerability
- Mitel AWC Remote Command Execution Vulnerability
- CVE-2017-5173: Geut
Fortinet
CVE-2022-22954 [CRITICAL] Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability
blogs_fortinet·2022-10-21·CVSS 9.8
FORTIGUARD LABS THREAT RESEARCH
By Cara Lin | October 21, 2022
In April, VMware patched the vulnerability CVE-2022-22954. It causes server-side template injection because of a lack of sanitization on the parameters “deviceUdid” and “devicetype”. It allows attackers to inject a payload and achieve remote code execution on VMware Workspace ONE Access and Identity Manager. FortiGuard Labs published a Threat Signal Report about it and also developed an IPS signature in April.
We observed attacks in the wild since then. Most of the payloads focus on probing a victim’s sensitive data, for example, passwords, hosts file, etc. But in August, there were a few particular payloads, which got our interest. They had th
Unit42
Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
blogs_unit42·2019-12-13
## Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
Ruchna Nigam
Published: December 13, 2019
## Executive Summary
Since the discovery of the Mirai variant using the binary name ECHOBOT in May 2019, it has resurfaced from time to time, using new infrastructure, and more remarkably, adding to the list of vulnerabilities it scans for, as a means to increase its attack surface with each evolution.
Unlike other Mirai variants, this particular variant stands out for the sheer number of exploits it incorporates, with the latest version having a total of 71 unique exploits, 13 of which haven’t been seen exploited in the wild until now, ranging from extremely old CVEs from as long back as 2003, to recent vulnerabilities made public as recently as early December 2019. Based on this seemingly odd choice, one could risk a guess that the attackers could potentially be aiming for the sweet sp
Trendmicro
Trend Micro Unveils New Cloud Security Platform
blogs_trendmicro·2019-11-22
# Trend Micro Unveils New Cloud Security Platform
By: Jon Clay
Nov 22, 2019
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about Trend’s new Cloud One platform that provides workload, container, file object storage, serverless and application, and network security. Also, read about the recent Disney+ account hacks, which are likely due to credential stuffing.
Read on:
#### Trend M
Tenable
CVE-2019-15107: Exploit Modules Available for Remote Code Execution Vulnerability in Webmin
blogs_tenable·2019-08-19·CVSS 9.8
[CRITICAL] CVE-2019-15107: Exploit Modules Available for Remote Code Execution Vulnerability in Webmin
arXiv
Threat-Specific Risk Assessment for IP Multimedia Subsystem Networks Based on Hierarchical Models
arxiv_fulltext·2025-01-17
Abdullah Ehsan Shaikh, Simon Yusuf Enoch
School of Information Technology, Whitecliffe College, New Zealand.
[email protected], https://orcid.org/0000-0002-0970-3621
## Abstract
Over the years, IP Multimedia Subsystems (IMS) networks have become increasingly critical as they form the backbone of modern telecommunications, enabling the integration of multimedia services such as voice, video, and messaging over IP-based infrastructures and next-generation networks. However, this integration has led to an increase in the attack surface of the IMS network, making it more prone to various forms of cyber threats and attacks, including Denial of Service (DoS) attacks, SIP-based attacks,
References
- http://packetstormsecurity.com/files/154141/Webmin-1.920-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/154141/Webmin-Remote-Comman-Execution.html
- http://packetstormsecurity.com/files/154197/Webmin-1.920-password_change.cgi-Backdoor.html
- http://packetstormsecurity.com/files/154485/Webmin-1.920-Remote-Code-Execution.html
- http://www.pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
- http://www.webmin.com/security.html
- https://attackerkb.com/topics/hxx3zmiCkR/webmin-password-change-cgi-command-injection
- https://www.exploit-db.com/exploits/47230
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-15107
Timeline
2019-08-16: Published
2022-03-25: Added to CISA KEV
Exploited in the wild