CVE-2019-9624
published 2019-03-07

Priority: P2, 64, high; 7.8 (CVSS 3.0)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 23.69% (97.5th percentile)
Webmin 1.900 allows remote attackers to execute arbitrary code by leveraging the "Java file manager" and "Upload and Download" privileges to upload a crafted .cgi file via the /updown/upload.cgi URI.

Affected

1 range
Vendor, Product, Version range, Fixed in
webmin, webmin

Detection & IOCs (extracted from sources)

path: /updown/upload.cgi
path: /session_login.cgi
path: /file/show.cgi
path: /proc/index_tree.cgi
cookie: redirect=1; testing=1; sid=<session>
port: 10000
url: /updown/upload.cgi?id=154739243511
filename: show.cgi
  • Detect POST requests to /updown/upload.cgi containing multipart/form-data with a .cgi file upload — a strong indicator of CVE-2019-9624 exploitation.
  • Alert on HTTP requests to /file/show.cgi where the URI path contains pipe characters (|), indicating command injection via path traversal.
  • Flag Webmin traffic on port 10000 where a POST to /session_login.cgi is followed by access to /proc/index_tree.cgi and then /updown/upload.cgi within the same session — this sequence matches the full exploit chain.
  • Inspect multipart upload bodies to /updown/upload.cgi for embedded Perl CGI content (e.g., references to miniserv.pl paths), indicating overwrite of a legitimate Webmin CGI file.
  • Detect the Referer header value /updown/?xnavigation=1 on POST requests to /updown/upload.cgi, which is hardcoded in the Metasploit module.
  • Exploitation requires the authenticated user to have both 'Java file manager' and 'Upload and Download' privileges; accounts without these module authorizations are not directly exploitable via this vector.
  • The exploit's directory-discovery step relies on the 'Running Processes' (proc) privilege being granted; without it, the module falls back to guessing a default installation path (GUESSUPLOAD option).
  • The Metasploit module defaults to SSL (HTTPS) on port 10000; detections scoped only to plaintext HTTP on that port may miss the majority of real-world exploitation attempts.
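
The request-level detections above, sketched as an added example over server-side access logs (not code from this page or from the Webmin project). It assumes Combined Log Format and tracks the login, process-list, upload sequence per client IP because access logs rarely carry the session id; the sample lines, addresses and host name are constructed.

```python
import re
from collections import defaultdict

# Assumption: Combined Log Format; adapt LINE to your Webmin or proxy logs.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
                  r'\d{3} \S+ "(?P<ref>[^"]*)"')
# Ordered requests of the chain described above. Progress is tracked per
# client IP, a stand-in for the session id that access logs rarely record.
CHAIN = ["/session_login.cgi", "/proc/index_tree.cgi", "/updown/upload.cgi"]

def analyze(lines):
    """Return (client_ip, finding) tuples in the order they are observed."""
    findings, progress = [], defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, method, uri, ref = m["ip"], m["method"], m["uri"], m["ref"]
        path = uri.split("?", 1)[0]
        if path.startswith("/file/show.cgi") and ("|" in path or "%7c" in path.lower()):
            findings.append((ip, "show-cgi-pipe"))  # literal or URL-encoded pipe
        if method == "POST" and path == "/updown/upload.cgi":
            findings.append((ip, "upload-post"))
            if ref.endswith("/updown/?xnavigation=1"):
                findings.append((ip, "msf-referer"))
        step = progress[ip]
        # The chain starts with a POST login; later steps match on path alone.
        if path == CHAIN[step] and (step > 0 or method == "POST"):
            progress[ip] = (step + 1) % len(CHAIN)
            if progress[ip] == 0:
                findings.append((ip, "full-chain"))
    return findings

# Constructed sample lines (documentation addresses), not captured traffic.
SAMPLE = [
    '198.51.100.7 - - [07/Mar/2019:10:00:01 +0000] "POST /session_login.cgi HTTP/1.1" 302 0 "-"',
    '198.51.100.7 - admin [07/Mar/2019:10:00:02 +0000] "GET /proc/index_tree.cgi HTTP/1.1" 200 5120 "-"',
    '198.51.100.7 - admin [07/Mar/2019:10:00:03 +0000] "POST /updown/upload.cgi?id=154739243511 HTTP/1.1" 200 310 "https://webmin.example:10000/updown/?xnavigation=1"',
    '198.51.100.7 - admin [07/Mar/2019:10:00:04 +0000] "GET /file/show.cgi/constructed%7Cvalue HTTP/1.1" 200 12 "-"',
    '203.0.113.9 - ops [07/Mar/2019:10:00:05 +0000] "GET /updown/upload.cgi HTTP/1.1" 200 900 "-"',
]

if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE):
        print(ip, finding)
```

A bare "upload-post" finding also fires on legitimate use of the Upload and Download module, so treat it as context and alert on "full-chain", "msf-referer" or "show-cgi-pipe".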

CVSS provenance

nvd, v3.0, 7.8, HIGH, CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd, v2.0, 6.8, MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P