CVE-2019-15642
published 2019-08-26


Priority: P1 | 83 | high
CVSS 3.0: 8.8
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: ITW | EXPLOIT | VulnCheck KEV
Exploited in the wild
EPSS: 38.04% (98.4th percentile)

rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must not be granted to un-trusted Webmin users."

Affected

1 range
Vendor | Product | Version range | Fixed in
webmin | webmin | <= 1.920 |

Detection & IOCs (extracted from sources)

path: /rpc.cgi
path: /session_login.cgi
command: OBJECT Socket;print "Content-Type: text/plain\n\n";$cmd=`id`;print "$cmd\n\n";
yara
regex: 'uid=(\d+)\(.*?\) gid=(\d+)\(.*?\) groups=(\d+)\(.*?\)'
  • Monitor POST requests to /rpc.cgi containing the string 'OBJECT Socket' in the body, which is the exploit payload pattern for CVE-2019-15642.
  • Detect the two-step attack sequence: an initial POST to /session_login.cgi for authentication followed by a POST to /rpc.cgi with a crafted object name payload.
  • Flag HTTP responses from /rpc.cgi that contain 'Content-type: text/plain' in the body alongside uid/gid output, indicating successful RCE.
  • Use Shodan/FOFA queries 'title:"Webmin"' or 'title="webmin"' to identify exposed Webmin instances for proactive scanning.
  • The vulnerability is in the unserialise_variable function which makes an eval call on a crafted object name; look for Perl eval execution triggered from rpc.cgi in process/audit logs.
  • Exploitation requires valid credentials (authenticated RCE); default credential pairs admin/admin and root/root are used in known PoC tooling.
  • Webmin's own documentation acknowledges RPC grants full server access; access to rpc.cgi should be restricted to trusted users only.
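
Added example (not from the source page or from Webmin): a log correlator for the first three detection notes above. It assumes a reverse proxy in front of Webmin that writes one JSON record per request with the hypothetical fields ts, src, method, path, req_body and resp_body; the sample records and the 5-minute window are constructed.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample records (not real traffic); field names are assumptions.
SAMPLE_LOG = r'''
{"ts":"2019-09-01T10:00:00","src":"203.0.113.7","method":"POST","path":"/session_login.cgi","req_body":"user=admin&pass=REDACTED","resp_body":""}
{"ts":"2019-09-01T10:00:02","src":"203.0.113.7","method":"POST","path":"/rpc.cgi","req_body":"OBJECT Socket;<payload elided>","resp_body":"Content-Type: text/plain\n\nuid=0(root) gid=0(root) groups=0(root)\n"}
{"ts":"2019-09-01T10:05:00","src":"198.51.100.4","method":"POST","path":"/rpc.cgi","req_body":"OBJECT Socket;<payload elided>","resp_body":"Error"}
{"ts":"2019-09-01T10:06:00","src":"192.0.2.10","method":"POST","path":"/session_login.cgi","req_body":"user=ops&pass=REDACTED","resp_body":""}
{"ts":"2019-09-01T10:06:05","src":"192.0.2.10","method":"GET","path":"/sysinfo.cgi","req_body":"","resp_body":""}
'''

MARKER = "OBJECT Socket"  # payload marker listed on this page
# Regex listed on this page: output of `id` echoed back in the response.
ID_OUTPUT = re.compile(r"uid=(\d+)\(.*?\) gid=(\d+)\(.*?\) groups=(\d+)\(.*?\)")
WINDOW = timedelta(minutes=5)  # assumed login-to-rpc correlation window


def detect(lines):
    """Return one alert per POST /rpc.cgi whose body carries the marker."""
    last_login = {}  # src -> time of most recent POST /session_login.cgi
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["method"] != "POST":
            continue
        ts = datetime.fromisoformat(rec["ts"])
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if path == "/session_login.cgi":
            last_login[rec["src"]] = ts
        elif path == "/rpc.cgi" and MARKER in rec["req_body"]:
            login = last_login.get(rec["src"])
            alerts.append({
                "src": rec["src"],
                "ts": rec["ts"],
                # two-step sequence: login from the same source shortly before
                "after_login": login is not None and ts - login <= WINDOW,
                # response echoes uid/gid output: execution succeeded
                "id_output": bool(ID_OUTPUT.search(rec["resp_body"])),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

An alert with both after_login and id_output set corresponds to the full sequence described above; one with neither is a payload attempt that still warrants review.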

CVSS provenance

nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck | 8.8 | HIGH