Back to KEVs

CVE-2019-15642

rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval...

Basic Information

CVE State
PUBLISHED
Reserved Date
August 26, 2019
Published Date
August 26, 2019
Last Updated
August 05, 2024
Vendor
Webmin
Product
Webmin
Description
rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must not be granted to un-trusted Webmin users."
Tags
nuclei_scanner

CVSS Scores

CVSS v3.0

8.8 - HIGH

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

6.5

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS Score

Score
92.02% (Percentile: 99.69%) as of 2025-07-29

Exploit Status

Exploited in the Wild
Yes (2025-07-05 00:00:00 UTC) Source

References

https://www.calypt.com/blog/index.php/authenticated-rce-on-webmin/ https://github.com/webmin/webmin/commit/df8a43fb4bdc9c858874f72773bcba597ae9432c https://github.com/webmin/webmin/blob/ab5e00e41ea1ecc1e24b8f8693f3495a0abb1aed/rpc.cgi#L26-L37 https://doxfer.webmin.com/Webmin/Webmin_Servers_Index

Known Exploited Vulnerability Information

Source Added Date
The Shadowserver (via CIRCL) 2025-07-06 12:00:44 UTC

Scanner Integrations

Scanner URL Date Detected
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2019/CVE-2019-15642.yaml 2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

jas502n/CVE-2019-15642

Type: github • Created: 2019-09-01 09:28:56 UTC • Stars: 32

Webmin Remote Code Execution (authenticated)

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Detected by Nuclei

  • Added to KEVIntel