CVE-2022-0824
published 2022-03-02

CVE-2022-0824: Improper Access Control to Remote Code Execution in GitHub repository webmin/webmin prior to 1.990.

Priority P279 (high) · 8.8 CVSS 3.1
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: available · EPSS 96.98% (99.9th percentile)

Affected (2 ranges)

Vendor | Product        | Version range              | Fixed in
webmin | webmin         | < 1.990                    | 1.990
webmin | webmin_webmin  | >= unspecified, < 1.990    | 1.990

Detection & IOCs (extracted from sources)

url:      /session_login.cgi
url:      /extensions/file-manager/http_download.cgi?module=filemin
url:      /extensions/file-manager/chmod.cgi?module=filemin&page=1&paginate=30
filename: revshell.cgi
path:     /usr/share/webmin
path:     /filemin/?xnavigation=1
  • Detect POST requests from low-privilege authenticated users to the File Manager download endpoint /extensions/file-manager/http_download.cgi; the 'link' parameter names a remote URL that the server fetches, which the exploit uses to stage a malicious CGI payload on disk.
  • Alert on POST requests to /extensions/file-manager/chmod.cgi that set 0755 on newly uploaded files, especially .cgi files; this is the step that turns the staged upload into executable code before the exploit triggers it with a GET.
  • Monitor for HTTP requests containing the header 'X-Requested-With: XMLHttpRequest' combined with a POST to /extensions/file-manager/http_download.cgi, which is the download-trigger step of the exploit.
  • Use Shodan/FOFA/Google dork queries to identify exposed Webmin instances as potential targets: shodan 'http.title:"webmin"', FOFA 'title="webmin"', Google 'intitle:"webmin"'.
  • Detect the exploit's login step by watching for POST to /session_login.cgi with cookies 'redirect=1; testing=1; PHPSESSID=' (empty PHPSESSID), a fingerprint of the public exploit tooling. Webmin's own login page sets redirect=1 and testing=1 for normal browser logins, so the empty PHPSESSID cookie, not the other two, is the distinguishing token.
  • Flag creation or execution of .cgi files under /usr/share/webmin — the exploit uploads a reverse shell CGI to this path and then GETs it to trigger execution.
  • The Nuclei template confirms exploitation by detecting the error string 'Failed to write to /<path>/index.html' in the HTTP response body from the http_download.cgi endpoint.
  • The exploit targets Webmin versions prior to 1.990; version 1.984 is explicitly confirmed vulnerable. Instances patched to 1.990+ are not affected.
  • The default upload path /usr/share/webmin applies to Debian package installations only; other installation methods may place Webmin in a different directory, affecting where the malicious CGI is staged.
  • Exploitation requires valid credentials for any low-privilege authenticated user; unauthenticated exploitation is not possible with this CVE alone.
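The download, chmod and trigger steps above form an ordered sequence from one client, which is a stronger signal than any single request: legitimate File Manager users do run chmod.cgi, but rarely right after http_download.cgi and followed by a GET of a new .cgi file. The script below is an added example (not code from the page, the exploit author or the Webmin project) that applies that sequence rule to Webmin's access log. It assumes Common Log Format lines as written by miniserv.log; the sample lines, IP addresses, the user name 'lowpriv' and the ten-minute window are constructed for illustration.

```python
"""Sequence detection for the CVE-2022-0824 exploit chain in Webmin access logs.

Added example, not from the page or the Webmin project. Assumes Common Log
Format (miniserv.log). The log lines below are constructed, not captured.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# CLF: host ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Exploit-chain endpoints, taken from the IOC list on this page.
DOWNLOAD = "/extensions/file-manager/http_download.cgi"
CHMOD = "/extensions/file-manager/chmod.cgi"
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample: one low-privilege user runs the full chain from
# 203.0.113.10; an admin from 198.51.100.7 runs chmod.cgi alone (benign).
SAMPLE_LOG = """\
203.0.113.10 - - [02/Mar/2022:10:00:01 +0000] "POST /session_login.cgi HTTP/1.1" 302 0
203.0.113.10 - lowpriv [02/Mar/2022:10:00:05 +0000] "POST /extensions/file-manager/http_download.cgi?module=filemin HTTP/1.1" 200 412
203.0.113.10 - lowpriv [02/Mar/2022:10:00:08 +0000] "POST /extensions/file-manager/chmod.cgi?module=filemin&page=1&paginate=30 HTTP/1.1" 302 0
203.0.113.10 - lowpriv [02/Mar/2022:10:00:11 +0000] "GET /revshell.cgi HTTP/1.1" 500 0
198.51.100.7 - admin [02/Mar/2022:11:15:00 +0000] "GET /filemin/?xnavigation=1 HTTP/1.1" 200 8123
198.51.100.7 - admin [02/Mar/2022:11:16:00 +0000] "POST /extensions/file-manager/chmod.cgi?module=filemin&page=1&paginate=30 HTTP/1.1" 302 0
"""


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["path_only"] = ev["path"].split("?", 1)[0]  # drop the query string
    return ev


def detect_chain(lines):
    """Return one finding per client that POSTed http_download.cgi and then
    chmod.cgi within WINDOW. If a GET of a .cgi outside the module tree
    follows the chmod, it is reported as the probable staged payload."""
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            per_ip[ev["ip"]].append(ev)

    findings = []
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e["ts"])
        for i, dl in enumerate(events):
            if not (dl["method"] == "POST" and dl["path_only"] == DOWNLOAD):
                continue
            deadline = dl["ts"] + WINDOW
            later = [e for e in events[i + 1:] if e["ts"] <= deadline]
            chmods = [e for e in later
                      if e["method"] == "POST" and e["path_only"] == CHMOD]
            if not chmods:
                continue  # download without chmod: not the full chain
            first_chmod = chmods[0]
            triggers = [e["path_only"] for e in later
                        if e["ts"] >= first_chmod["ts"]
                        and e["method"] == "GET"
                        and e["path_only"].endswith(".cgi")
                        and not e["path_only"].startswith("/extensions/")]
            findings.append({
                "ip": ip,
                "user": dl["user"],
                "download_at": dl["ts"].isoformat(),
                "staged_cgi": triggers[0] if triggers else None,
            })
    return findings


if __name__ == "__main__":
    for f in detect_chain(SAMPLE_LOG.splitlines()):
        print(f)
```

CLF does not record request bodies, so the 'link' parameter and the 0755 mode named in the bullets above are not visible here; checking those requires body logging at a reverse proxy or WAF in front of Webmin. The sequence rule is what the access log alone can support, and the admin who runs chmod.cgi without a preceding download is deliberately left unflagged.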

CVSS provenance

Source | Version | Score | Severity | Vector
nvd    | 3.1     | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd    | 3.0     | 8.3   | HIGH     | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
nvd    | 2.0     | 9.0   | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C