CVE-2019-15107
published 2019-08-16

CVE-2019-15107: An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.

Priority: P1 99 · critical 9.8 · CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 99.77% (100.0th percentile)

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
thekelleys | dnsmasq | >= 0 < 2.75-1ubuntu0.16.04.10 | 2.75-1ubuntu0.16.04.10
webmin | webmin | <= 1.920 |

Detection & IOCs (extracted from sources)

path: /password_change.cgi
command: POST /password_change.cgi HTTP/1.1
command: user=rootxx&pam=&old=test|cat /etc/passwd&new1=test2&new2=test2&expired=2
command: user=wheel&pam=&expired=2&old=id|echo '$FLAG'&new1=wheel&new2=wheel
command: /password_reset.cgi user=root&pam&expired&old=wrong | id
  • The vulnerable parameter is 'old' in password_change.cgi; look for pipe characters (|) in the 'old' POST parameter as an indicator of command injection attempts.
  • Exploitation does not require valid credentials; monitor for unauthenticated POST requests to /password_change.cgi, especially with 'expired=2' in the body.
  • The backdoor was introduced via compromised build infrastructure (SourceForge downloads) using Perl qx statements; forensic review of Webmin source files for qx() calls is warranted on affected versions.
  • Use Shodan/FOFA/Google dorks to identify exposed Webmin instances: Shodan query 'http.title:"webmin"', FOFA 'title="webmin"', Google 'intitle:"webmin"'.
  • Only version 1.890 is exploitable in the default install; versions 1.900–1.920 require the 'expired password changing' feature to be explicitly enabled.
  • Only SourceForge downloads were backdoored; installations obtained from other sources may not contain the malicious Perl qx statements.
  • The backdoor has been present since July 2018, meaning systems installed from compromised builds over a ~14-month window are at risk.
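A request-inspection check that implements the first two detection bullets above (shell metacharacters in the 'old' field of a POST to /password_change.cgi, and unauthenticated POSTs carrying expired=2). This is an added example for this entry, not code from the cited sources; the sample requests are constructed, with the injection body taken from the IoC list above.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

TARGET_PATH = "/password_change.cgi"
# '|' is the indicator shown in the IoCs above; the rest cover the same injection class.
SHELL_METACHARS = re.compile(r"[|;&`$()<>\n]")


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, lowercase headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path.split("?", 1)[0], headers, body


def inspect_request(raw: str) -> Optional[dict]:
    """Return a finding for a suspicious POST to password_change.cgi, else None."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or path != TARGET_PATH:
        return None
    form = parse_qs(body, keep_blank_values=True)
    field = lambda key: form.get(key, [""])[0]
    injection = bool(SHELL_METACHARS.search(field("old")))
    unauthenticated = "cookie" not in headers and "authorization" not in headers
    expired_flow = field("expired") == "2"
    reasons = []
    if injection:
        reasons.append("shell metacharacter in 'old'")
    if unauthenticated:
        reasons.append("no session cookie or Authorization header")
    if expired_flow:
        reasons.append("expired=2 (expired-password flow)")
    if injection:
        severity = "high"           # injection indicator is decisive on its own
    elif unauthenticated and expired_flow:
        severity = "medium"         # worth a look even without a metacharacter
    else:
        return None
    return {"severity": severity, "user": field("user"), "old": field("old"), "reasons": reasons}


def scan(requests):
    """Run inspect_request over captured requests and keep the findings."""
    return [finding for finding in map(inspect_request, requests) if finding]


# Constructed sample traffic; host and cookie values are placeholders.
REQ_INJECTION = ("POST /password_change.cgi HTTP/1.1\r\nHost: webmin.example:10000\r\n"
                 "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 "user=rootxx&pam=&old=test|cat /etc/passwd&new1=test2&new2=test2&expired=2")
REQ_BENIGN = ("POST /password_change.cgi HTTP/1.1\r\nHost: webmin.example:10000\r\n"
              "Cookie: sid=CONSTRUCTED\r\n\r\n"
              "user=alice&pam=&old=Winter2019!&new1=Spring2020!&new2=Spring2020!&expired=0")
REQ_PROBE = ("POST /password_change.cgi HTTP/1.1\r\nHost: webmin.example:10000\r\n\r\n"
             "user=root&pam=&old=wrong&new1=x&new2=x&expired=2")
REQ_OTHER = "GET /session_login.cgi HTTP/1.1\r\nHost: webmin.example:10000\r\n\r\n"
```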

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
osv | | 7.5 | HIGH |
vulncheck | | 9.8 | CRITICAL |
cisa | | 9.8 | CRITICAL |