Vulnerability detail
Enriched intelligence for a single CVE
Critical
CVE-2019-15107
PUBLISHEDAn issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.
- Vendor
- Webmin
- Product
- Webmin
- Published
- Aug 16, 2019
- EPSS
- 94.5% · 100% pctl
Description
An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.
CVSS scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV:N/AC:L/Au:N/C:C/I:C/A:C
SSVC decision points
- Exploitation
- active
- Automatable
- Yes
- Technical impact
- total
References
- http://www.webmin.com/security.html
- https://www.exploit-db.com/exploits/47230
- http://www.pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/154141/Webmin-Remote-Comman-Execution.html
- http://packetstormsecurity.com/files/154141/Webmin-1.920-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/154197/Webmin-1.920-password_change.cgi-Backdoor.html
- http://packetstormsecurity.com/files/154485/Webmin-1.920-Remote-Code-Execution.html
- https://attackerkb.com/topics/hxx3zmiCkR/webmin-password-change-cgi-command-injection
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| CISA | Mar 25, 2022 |
| The Shadowserver (via CIRCL) | Jun 01, 2026 |
Scanner integrations
| Scanner | Reference | Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/webmin_backdoor.rb | Apr 28, 2025 |
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2019/CVE-2019-15107.yaml | Apr 25, 2025 |
Potential proof of concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2024-12-19 08:52:03 UTC · 0 stars
webmin or minisever RCE
github · Created 2024-09-25 17:22:52 UTC · 0 stars
CVE-2019-15107 webmin 취약점에 대해서 직접 서버를 구축하고 공격 결과를 남긴 정보입니다.
github · Created 2024-08-29 13:58:36 UTC · 0 stars
CVE-2019-15107 Webmin unauthenticated RCE
github · Created 2023-11-09 12:14:11 UTC · 0 stars
github · Created 2023-08-19 05:41:39 UTC · 0 stars
github · Created 2023-05-08 00:25:37 UTC · 6 stars
A PoC exploit for CVE-2019-15107 - Webmin Remote Code Execution
github · Created 2023-03-31 20:56:39 UTC · 0 stars
webmin <=1.920 - RCE via command injection vulnerability
github · Created 2021-10-10 09:05:55 UTC · 0 stars
github · Created 2021-10-05 18:02:13 UTC · 0 stars
Exploit para CVE-2019-15107 (Webmin 1.890-1.920) sin credenciales RCE escrito en PYTHON.
github · Created 2021-09-09 16:26:40 UTC · 0 stars
Something I wrote for CVE-2019-15107, a Webmin backdoor
github · Created 2021-07-02 19:51:18 UTC · 3 stars
CVE-2019-15107 Webmin Exploit in C
github · Created 2020-12-03 15:43:39 UTC · 0 stars
github · Created 2020-11-09 21:46:57 UTC · 48 stars
github · Created 2019-12-15 13:42:28 UTC · 0 stars
github · Created 2019-10-24 05:19:20 UTC · 3 stars
Remote Code Execution Vulnerability in Webmin
github · Created 2019-08-23 11:10:01 UTC · 3 stars
CVE-2019-15107 webmin python3
github · Created 2019-08-22 12:07:16 UTC · 0 stars
Implementation of CVE-2019-15107 exploit in python
github · Created 2019-08-19 07:43:16 UTC · 63 stars
CVE-2019-15107 Webmin RCE (unauthorized)
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Added to KEVIntel
-
Detected by Nuclei
-
Detected by Metasploit
-
Added to KEVIntel
-
Exploit Used in Malware