CVE-2019-15107
CVE-2019-15107 is a critical-severity vulnerability in Webmin with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-25). The underlying weakness is classified as CWE-78.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 10.0
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-03-25)
- EU (EUVD) id: EUVD-2019-6178
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-03-25)
- Weakness: CWE-78
- Affected product: Webmin
- Published:
- Last modified:
Description
An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.
CVE-2019-15107: Unauthenticated Command Injection in Webmin password_change.cgi
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE | CVE-2019-15107 |
| Product | Webmin |
| CWE | CWE-78: OS Command Injection |
| CVSS v2 | 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) |
| CVSS v3.1 | 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| EPSS | 0.99766 |
| KEV | Yes (since 2022-03-25) |
| Exploited in EU | Yes (since 2022-03-25) |
Summary
CVE-2019-15107 is an unauthenticated OS command injection vulnerability in Webmin's password_change.cgi script. The old parameter fails to sanitize user input before passing it to a shell command, allowing remote attackers to execute arbitrary commands with root privileges without authentication.
Background
Webmin is a web-based system administration tool for Unix-like systems. The password_change.cgi endpoint is intended to allow users to change their passwords. In affected versions, this endpoint is accessible without prior authentication and passes user-supplied input directly into a shell command, creating a trivial remote command execution vector.
Root Cause
CWE-78: OS Command Injection. The old parameter in password_change.cgi is incorporated into a shell command without proper input validation or sanitization. An attacker can inject shell metacharacters (e.g., pipes |, semicolons ;, backticks, or $()) to append arbitrary commands to the intended operation. Because the Webmin service typically runs with root privileges, injected commands execute with full administrative rights.
Impact
This vulnerability is rated Critical with a CVSS v3.1 score of 9.8.
- Attack Vector (AV): Network — Exploitable remotely over the internet.
- Attack Complexity (AC): Low — No special conditions or bypasses required.
- Privileges Required (PR): None — Fully unauthenticated.
- User Interaction (UI): None — No victim interaction needed.
- Scope (S): Unchanged — Impact remains within the vulnerable component.
- Confidentiality (C): High — Full data access.
- Integrity (I): High — Full system modification.
- Availability (A): High — Full system disruption possible.
With an EPSS of 0.99766, this CVE sits in the 99.9th percentile of exploit probability, reflecting widespread, reliable exploitation.
Exploitation Walkthrough
Ethics Notice: The following description is provided for defensive purposes only. No weaponized exploit code is included. Organizations should use this knowledge to detect and prevent attacks, not to target systems without authorization.
An attacker sends a specially crafted HTTP request to /password_change.cgi on a vulnerable Webmin instance. The request includes the old parameter with embedded shell metacharacters. Because the endpoint processes this input inside a shell execution function, the attacker's appended commands run on the server. Successful exploitation typically results in an immediate root shell or remote code execution.
Defenders should monitor for:
- Unexpected outbound connections from Webmin hosts.
- Shell-related strings in
oldparameter values (pipes, backticks,$(),bash,nc,curl,wget). - Access logs showing
POST /password_change.cgiwith unusual body content.
Affected and Patched Versions
- Affected: Webmin versions <= 1.920
- Patched: Webmin 1.930 and later (per vendor security guidance)
If your exact patch version is uncertain, consult the Webmin security page or your package vendor.
Remediation
- Upgrade immediately. Apply the latest Webmin release from the official vendor or your OS package repository.
- Restrict access. If Webmin is not required externally, bind it to localhost or place it behind a VPN / administrative jump host. Block inbound access at the perimeter firewall.
- Compensating controls. Deploy a Web Application Firewall (WAF) rule to block shell metacharacters in parameters sent to
password_change.cgiwhile patching is in progress. - Review for compromise. Given the high EPSS and confirmed KEV status, assume any vulnerable instance exposed to the internet may have been compromised. Perform forensic review, rotate credentials, and inspect for persistence mechanisms.
Detection
- Network: Monitor for
POSTrequests to/password_change.cgicontaining shell syntax in body parameters. - Host: Audit process creation events on Webmin servers for unexpected shells or reverse-network tools spawned by the Webmin process.
- IDS/IPS: Use Suricata/Snort rules or WAF policies targeting known
password_change.cgiexploitation patterns.
Assessment
CVE-2019-15107 is a textbook unauthenticated command injection with near-maximum severity scores and confirmed, widespread exploitation. Its inclusion in CISA's Known Exploited Vulnerabilities catalog and the EU vulnerability database underscores the real-world threat. The primary lessons are:
- Never pass user input to shell commands without strict validation. Use parameterized APIs or allow-list validation.
- Admin interfaces require defense in depth. Restrict network exposure, enforce MFA where possible, and monitor aggressively.
References
- http://packetstormsecurity.com/files/154141/Webmin-1.920-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/154141/Webmin-Remote-Comman-Execution.html
- http://packetstormsecurity.com/files/154197/Webmin-1.920-password_change.cgi-Backdoor.html
- http://packetstormsecurity.com/files/154485/Webmin-1.920-Remote-Code-Execution.html
- http://www.pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
- http://www.webmin.com/security.html
- https://attackerkb.com/topics/hxx3zmiCkR/webmin-password-change-cgi-command-injection
- https://www.exploit-db.com/exploits/47230
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-15107
Frequently asked questions
- What is CVE-2019-15107?
- An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.
- How severe is CVE-2019-15107?
- CVE-2019-15107 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2019-15107 being actively exploited?
- Yes. CVE-2019-15107 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2019-15107?
- CVE-2019-15107 affects Webmin. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2019-15107?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2019-15107 have an EU (EUVD) identifier?
- Yes. CVE-2019-15107 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-6178. It is also flagged as exploited in the EUVD (since 2022-03-25).
- When was CVE-2019-15107 published?
- CVE-2019-15107 was published on 2019-08-16 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/154141/Webmin-1.920-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/154141/Webmin-Remote-Comman-Execution.html
- http://packetstormsecurity.com/files/154197/Webmin-1.920-password_change.cgi-Backdoor.html
- http://packetstormsecurity.com/files/154485/Webmin-1.920-Remote-Code-Execution.html
- http://www.pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
- http://www.webmin.com/security.html
- https://attackerkb.com/topics/hxx3zmiCkR/webmin-password-change-cgi-command-injection
- https://www.exploit-db.com/exploits/47230
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-15107
Affected products (1)
- cpe:2.3:a:webmin:webmin:*:*:*:*:*:*:*:*
More vulnerabilities in Webmin
- CVE-2005-1177 — Critical (CVSS 10.0): Unknown vulnerability in (1) Webmin and (2) Usermin before 1.200 causes Webmin to change permissions and ownership of…
- CVE-2003-0101 — Critical (CVSS 10.0): miniserv.pl in (1) Webmin before 1.070 and (2) Usermin before 1.000 does not properly handle metacharacters such as…
- CVE-2002-2201 — Critical (CVSS 10.0): The Printer Administration module for Webmin 0.990 and earlier allows remote attackers to execute arbitrary commands…
- CVE-2001-1196 — Critical (CVSS 10.0): Directory traversal vulnerability in edit_action.cgi of Webmin Directory 0.91 allows attackers to gain privileges via a…
- CVE-2022-36446 — Critical (CVSS 9.8): software/apt-lib.pl in Webmin before 1.997 lacks HTML escaping for a UI command.
- CVE-2020-35769 — Critical (CVSS 9.8): miniserv.pl in Webmin 1.962 on Windows mishandles special characters in query arguments to the CGI program.
Other CWE-78 (OS Command Injection) vulnerabilities
- CVE-2026-56004 — Critical (CVSS 10.0): A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by…
- CVE-2026-56415 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is…
- CVE-2026-56413 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens…
- CVE-2026-49869 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in…
- CVE-2026-49261 — Critical (CVSS 10.0): MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through…
- CVE-2026-10520 — Critical (CVSS 10.0): An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a…