CVE-2019-15107

An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.

Basic Information

CVE State: PUBLISHED
Reserved Date: August 15, 2019
Published Date: August 16, 2019
Last Updated: July 30, 2025
Vendor: Webmin
Product: Webmin
Description: An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.
Tags

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

10.0

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2025-04-29 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2021-10-10 09:05:55 UTC) Source

References

http://www.webmin.com/security.html https://www.exploit-db.com/exploits/47230 http://www.pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html http://packetstormsecurity.com/files/154141/Webmin-Remote-Comman-Execution.html http://packetstormsecurity.com/files/154141/Webmin-1.920-Remote-Command-Execution.html http://packetstormsecurity.com/files/154197/Webmin-1.920-password_change.cgi-Backdoor.html http://packetstormsecurity.com/files/154485/Webmin-1.920-Remote-Code-Execution.html https://attackerkb.com/topics/hxx3zmiCkR/webmin-password-change-cgi-command-injection

Known Exploited Vulnerability Information

Source	Added Date
CISA	2022-03-25 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/webmin_backdoor.rb	2025-04-29 11:01:16 UTC
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2019/CVE-2019-15107.yaml	2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

webmin_backdoor

Type: metasploit • Created: Unknown

Metasploit module for CVE-2019-15107

MasterCode112/CVE-2019-15107

Type: github • Created: 2024-12-19 08:52:03 UTC • Stars: 0

webmin or minisever RCE

grayorwhite/CVE-2019-15107

Type: github • Created: 2024-09-25 17:22:52 UTC • Stars: 0

CVE-2019-15107 webmin 취약점에 대해서 직접 서버를 구축하고 공격 결과를 남긴 정보입니다.

NasrallahBaadi/CVE-2019-15107

Type: github • Created: 2024-08-29 13:58:36 UTC • Stars: 0

CVE-2019-15107 Webmin unauthenticated RCE

olingo99/CVE-2019-15107

Type: github • Created: 2023-11-09 12:14:11 UTC • Stars: 0

h4ck0rman/CVE-2019-15107

Type: github • Created: 2023-08-19 05:41:39 UTC • Stars: 0

K3ysTr0K3R/CVE-2019-15107-EXPLOIT

Type: github • Created: 2023-05-08 00:25:37 UTC • Stars: 6

A PoC exploit for CVE-2019-15107 - Webmin Remote Code Execution

g1vi/CVE-2019-15107

Type: github • Created: 2023-03-31 20:56:39 UTC • Stars: 0

webmin <=1.920 - RCE via command injection vulnerability

wenruoya/CVE-2019-15107

Type: github • Created: 2023-03-09 14:43:29 UTC • Stars: 2

CVE-2019-15107 图形化测试程序

CyberTuz/CVE-2019-15107_detection

Type: github • Created: 2021-10-10 09:05:55 UTC • Stars: 0

whokilleddb/CVE-2019-15107

Type: github • Created: 2021-07-02 19:51:18 UTC • Stars: 3

CVE-2019-15107 Webmin Exploit in C

diegojuan/CVE-2019-15107

Type: github • Created: 2020-12-03 15:43:39 UTC • Stars: 0

MuirlandOracle/CVE-2019-15107

Type: github • Created: 2020-11-09 21:46:57 UTC • Stars: 48

ruthvikvegunta/CVE-2019-15107

Type: github • Created: 2020-08-08 10:17:03 UTC • Stars: 5

Webmin <=1.920 RCE

cdedmondson/Modified-CVE-2019-15107

Type: github • Created: 2020-06-20 19:03:03 UTC • Stars: 0

ianxtianxt/CVE-2019-15107

Type: github • Created: 2019-12-15 13:42:28 UTC • Stars: 0

AleWong/WebminRCE-EXP-CVE-2019-15107-

Type: github • Created: 2019-10-24 05:19:20 UTC • Stars: 3

Remote Code Execution Vulnerability in Webmin

AdministratorGithub/CVE-2019-15107

Type: github • Created: 2019-08-23 11:10:01 UTC • Stars: 3

CVE-2019-15107 webmin python3

ketlerd/CVE-2019-15107

Type: github • Created: 2019-08-22 12:07:16 UTC • Stars: 0

Implementation of CVE-2019-15107 exploit in python

jas502n/CVE-2019-15107

Type: github • Created: 2019-08-19 07:43:16 UTC • Stars: 63

CVE-2019-15107 Webmin RCE (unauthorized)

Timeline

CVE ID Reserved

August 15, 2019
CVE Published to Public

August 16, 2019
Proof of Concept Exploit Available

October 10, 2021
Added to KEVIntel

March 25, 2022
Detected by Nuclei

April 26, 2025
Detected by Metasploit

April 29, 2025