CVE-2019-15107

CVE-2019-15107 is a critical-severity vulnerability in Webmin with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-25). The underlying weakness is classified as CWE-78.

Key facts

Description

An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.

CVE-2019-15107: Unauthenticated Command Injection in Webmin password_change.cgi

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE CVE-2019-15107
Product Webmin
CWE CWE-78: OS Command Injection
CVSS v2 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS v3.1 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS 0.99766
KEV Yes (since 2022-03-25)
Exploited in EU Yes (since 2022-03-25)

Summary

CVE-2019-15107 is an unauthenticated OS command injection vulnerability in Webmin's password_change.cgi script. The old parameter fails to sanitize user input before passing it to a shell command, allowing remote attackers to execute arbitrary commands with root privileges without authentication.

Background

Webmin is a web-based system administration tool for Unix-like systems. The password_change.cgi endpoint is intended to allow users to change their passwords. In affected versions, this endpoint is accessible without prior authentication and passes user-supplied input directly into a shell command, creating a trivial remote command execution vector.

Root Cause

CWE-78: OS Command Injection. The old parameter in password_change.cgi is incorporated into a shell command without proper input validation or sanitization. An attacker can inject shell metacharacters (e.g., pipes |, semicolons ;, backticks, or $()) to append arbitrary commands to the intended operation. Because the Webmin service typically runs with root privileges, injected commands execute with full administrative rights.

Impact

This vulnerability is rated Critical with a CVSS v3.1 score of 9.8.

  • Attack Vector (AV): Network — Exploitable remotely over the internet.
  • Attack Complexity (AC): Low — No special conditions or bypasses required.
  • Privileges Required (PR): None — Fully unauthenticated.
  • User Interaction (UI): None — No victim interaction needed.
  • Scope (S): Unchanged — Impact remains within the vulnerable component.
  • Confidentiality (C): High — Full data access.
  • Integrity (I): High — Full system modification.
  • Availability (A): High — Full system disruption possible.

With an EPSS of 0.99766, this CVE sits in the 99.9th percentile of exploit probability, reflecting widespread, reliable exploitation.

Exploitation Walkthrough

Ethics Notice: The following description is provided for defensive purposes only. No weaponized exploit code is included. Organizations should use this knowledge to detect and prevent attacks, not to target systems without authorization.

An attacker sends a specially crafted HTTP request to /password_change.cgi on a vulnerable Webmin instance. The request includes the old parameter with embedded shell metacharacters. Because the endpoint processes this input inside a shell execution function, the attacker's appended commands run on the server. Successful exploitation typically results in an immediate root shell or remote code execution.

Defenders should monitor for:

  • Unexpected outbound connections from Webmin hosts.
  • Shell-related strings in old parameter values (pipes, backticks, $(), bash, nc, curl, wget).
  • Access logs showing POST /password_change.cgi with unusual body content.

Affected and Patched Versions

  • Affected: Webmin versions <= 1.920
  • Patched: Webmin 1.930 and later (per vendor security guidance)

If your exact patch version is uncertain, consult the Webmin security page or your package vendor.

Remediation

  1. Upgrade immediately. Apply the latest Webmin release from the official vendor or your OS package repository.
  2. Restrict access. If Webmin is not required externally, bind it to localhost or place it behind a VPN / administrative jump host. Block inbound access at the perimeter firewall.
  3. Compensating controls. Deploy a Web Application Firewall (WAF) rule to block shell metacharacters in parameters sent to password_change.cgi while patching is in progress.
  4. Review for compromise. Given the high EPSS and confirmed KEV status, assume any vulnerable instance exposed to the internet may have been compromised. Perform forensic review, rotate credentials, and inspect for persistence mechanisms.

Detection

  • Network: Monitor for POST requests to /password_change.cgi containing shell syntax in body parameters.
  • Host: Audit process creation events on Webmin servers for unexpected shells or reverse-network tools spawned by the Webmin process.
  • IDS/IPS: Use Suricata/Snort rules or WAF policies targeting known password_change.cgi exploitation patterns.

Assessment

CVE-2019-15107 is a textbook unauthenticated command injection with near-maximum severity scores and confirmed, widespread exploitation. Its inclusion in CISA's Known Exploited Vulnerabilities catalog and the EU vulnerability database underscores the real-world threat. The primary lessons are:

  1. Never pass user input to shell commands without strict validation. Use parameterized APIs or allow-list validation.
  2. Admin interfaces require defense in depth. Restrict network exposure, enforce MFA where possible, and monitor aggressively.

References

Frequently asked questions

What is CVE-2019-15107?
An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.
How severe is CVE-2019-15107?
CVE-2019-15107 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2019-15107 being actively exploited?
Yes. CVE-2019-15107 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2019-15107?
CVE-2019-15107 affects Webmin. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2019-15107?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2019-15107 have an EU (EUVD) identifier?
Yes. CVE-2019-15107 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-6178. It is also flagged as exploited in the EUVD (since 2022-03-25).
When was CVE-2019-15107 published?
CVE-2019-15107 was published on 2019-08-16 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Webmin

All CVEs affecting Webmin →

Other CWE-78 (OS Command Injection) vulnerabilities

Browse all CWE-78 (OS Command Injection) vulnerabilities →