CVE-2022-36446
published 2022-07-25

CVE-2022-36446: software/apt-lib.pl in Webmin before 1.997 lacks HTML escaping for a UI command.

Priority: P2 (79) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 96.05% (99.9th percentile)

Affected (1 range)

Vendor    Product   Version range   Fixed in
webmin    webmin    < 1.997         1.997

Detection & IOCs (extracted from sources)

url: /package-updates/update.cgi
url: /package-updates/update.cgi?xnavigation=1
command: mode=new&search=ssh&redir=&redirdesc=&u=0%3Becho+%27{{randstr}}%27%27{{randstr}}%27%3B+id%3B+echo+%27{{randstr}}%27%27{{randstr}}%27&confirm=Install%2BNow
path: software/apt-lib.pl
port: 10000
  • Look for POST requests to /package-updates/update.cgi with a 'u' parameter containing shell metacharacters (e.g., semicolons, encoded as %3B), indicating command injection attempts.
  • Detect authenticated sessions accessing the Software Package Updates module (data-module="package-updates") followed immediately by a POST to update.cgi; this is the exploit flow.
  • The exploit requires the Referer header set to the /package-updates/update.cgi?xnavigation=1 endpoint; alert on POST requests to update.cgi with this specific Referer.
  • Shodan/FOFA exposure queries for Webmin instances: search for title:"Webmin" or http.title:"webmin" to identify internet-exposed instances.
  • A response body containing both a repeated random string and uid/gid/groups output confirms successful RCE via the command injection payload.
  • The vulnerability is in software/apt-lib.pl; monitor for unexpected child processes spawned by the Webmin process (e.g., apt, yum) with user-controlled arguments containing shell operators.
  • Exploitation requires valid credentials AND the authenticated account must have access to the Software Package Updates module; unauthenticated exploitation is not possible.
  • The NVD CVSS score (9.8) is rated for no authentication required (PR:N), but the actual exploit is authenticated; detections should account for the authenticated exploit path rather than an unauthenticated one.
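The first three detection points above, turned into a small request-inspection routine as an added example (this is not code from cvebase, Webmin or any referenced template; the host name webmin.example, the placeholder marker MARK and the sample traffic are constructed):

```python
# Added example (not from the cvebase record or Webmin): flag requests that match
# the CVE-2022-36446 exploit flow described above. All sample traffic is constructed.
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/package-updates/update.cgi"
EXPLOIT_REFERER = "/package-updates/update.cgi?xnavigation=1"
SHELL_META = (";", "|", "&", "`", "$(", "\n")

def flag_request(method, path, referer, body):
    """Return detection reasons for one request (empty list if nothing matched).
    Only POSTs to update.cgi are examined: 'u' is URL-decoded (%3B -> ';') and
    checked for shell metacharacters; the Referer is compared with xnavigation=1."""
    reasons = []
    if method.upper() != "POST" or urlsplit(path).path != TARGET_PATH:
        return reasons
    params = parse_qs(body, keep_blank_values=True)
    if any(any(m in v for m in SHELL_META) for v in params.get("u", [])):
        reasons.append("u parameter contains shell metacharacters")
    if referer and referer.endswith(EXPLOIT_REFERER):
        reasons.append("Referer is the exploit navigation endpoint")
    return reasons

# Constructed sample traffic: a module page load, a legitimate install of package
# index 3, and a POST whose 'u' value has the shape of the published payload with
# the random markers replaced by the placeholder MARK.
SAMPLE_LOG = [
    ("GET", "/package-updates/update.cgi?xnavigation=1", "", ""),
    ("POST", TARGET_PATH, "https://webmin.example:10000" + EXPLOIT_REFERER,
     "mode=new&search=ssh&redir=&redirdesc=&u=3&confirm=Install%2BNow"),
    ("POST", TARGET_PATH, "https://webmin.example:10000" + EXPLOIT_REFERER,
     "mode=new&search=ssh&redir=&redirdesc=&u=0%3Becho+%27MARK%27%3B+id%3B"
     "+echo+%27MARK%27&confirm=Install%2BNow"),
]

def scan_log(entries=SAMPLE_LOG):
    """Map entry index -> {'severity', 'reasons'} for matching entries. A
    metacharacter hit is 'high' (injection attempt); a Referer-only hit is
    'low', because every legitimate install through the UI also carries it."""
    hits = {}
    for i, (method, path, referer, body) in enumerate(entries):
        reasons = flag_request(method, path, referer, body)
        if reasons:
            severity = "high" if reasons[0].startswith("u parameter") else "low"
            hits[i] = {"severity": severity, "reasons": reasons}
    return hits

if __name__ == "__main__":
    for i, hit in scan_log().items():
        print(f"entry {i}: {hit['severity']}: " + "; ".join(hit["reasons"]))
```

The Referer rule alone fires on every legitimate install, which is why it only raises a low-severity hit; the decoded 'u' check is what separates the injection attempt from normal module use.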