Webmin
aka MiniServ, Usermin
Perl-based web system-administration panel on 10000/tcp, running as root. Any code-execution bug is instant root, and several versions have unauthenticated or authenticated RCE.
Ports
| Port | Proto | Notes |
|---|---|---|
| 10000 | tcp | Webmin admin (HTTPS) |
| 20000 | tcp | Usermin (when present) |
Fingerprint
- Server: MiniServ httpd
- Version string in /etc/webmin/version
- Login page at https://<host>:10000/
Key files
| Path | Holds | Sensitive |
|---|---|---|
| /etc/webmin/miniserv.users | admin usernames and password hashes | sensitive |
| /etc/webmin/miniserv.conf | Webmin server config | sensitive |
| /etc/webmin/version | exact Webmin version for CVE matching | |
Default / weak creds
admin / (password chosen at install)
Service users
root (Webmin runs as root)
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2019-15107 | Unauthenticated RCE via password_change.cgi (backdoored 1.890-1.920 builds) |
| CVE-2019-12840 | Authenticated command injection in the package update endpoint |
| CVE-2022-0824 | Post-auth RCE via Package Updates / file manager |
Exploitation primitives
- Webmin runs as root, so any RCE is immediate root with no further escalation
- Authenticated package-update injection: u parameter command injection, use ${IFS} for spaces
Overview
Webmin is a root-level system-administration GUI on 10000/tcp. Because the service itself runs as root, an authenticated (or in some builds unauthenticated) code-execution bug lands you straight at root.
Enumeration
Fingerprint the login over HTTPS:
curl -sk https://<TARGET>:10000/ | grep -i webmin
Read the exact version once you have any shell:
cat /etc/webmin/version
Match the version against the CVE list. 1.890 to 1.920 may carry the CVE-2019-15107 backdoor; 1.910 is vulnerable to the authenticated CVE-2019-12840 injection.
Hardening
Keep Webmin patched, never expose 10000 publicly, and front it with an ACL or VPN.
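The version match from Enumeration and the exposure advice above can be checked together on a host you administer. The following is an added example, not part of the original page: the function names are hypothetical, `allow=` and `bind=` are miniserv.conf keys the page does not name, and `sort -V` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: offline triage of a Webmin config directory (defender-side).
# Function names are hypothetical. Usage: audit_webmin /etc/webmin

# Succeeds when LOW <= VER <= HIGH in version order (needs GNU sort -V).
ver_in_range() {
    [ "$(printf '%s\n' "$2" "$1" "$3" | sort -V | sed -n 2p)" = "$1" ]
}

# Print the first value of KEY ($1) from key=value file $2, empty if absent.
conf_get() {
    sed -n "s/^$1=//p" "$2" 2>/dev/null | head -n 1
}

# Print one finding per line for the directory in $1 (default /etc/webmin).
audit_webmin() {
    dir=${1:-/etc/webmin}
    ver=$(cat "$dir/version" 2>/dev/null | tr -d ' \r\n')
    [ -n "$ver" ] || { echo "UNKNOWN: no version file in $dir"; return 2; }
    echo "INFO: Webmin version $ver"

    # Version ranges are the ones given on this page.
    ver_in_range "$ver" 1.890 1.920 &&
        echo "CRITICAL: $ver is in 1.890-1.920, may carry CVE-2019-15107"
    [ "$ver" = 1.910 ] &&
        echo "HIGH: 1.910 is vulnerable to CVE-2019-12840 (authenticated)"

    # allow= and bind= are miniserv.conf keys (assumed, not named on the page).
    conf=$dir/miniserv.conf
    [ -n "$(conf_get allow "$conf")" ] ||
        echo "WARN: no allow= ACL in miniserv.conf"
    [ -n "$(conf_get bind "$conf")" ] ||
        echo "WARN: no bind= address, listener is not pinned to one interface"

    # Both files are marked sensitive in the Key files table.
    for f in miniserv.users miniserv.conf; do
        [ -n "$(find "$dir/$f" -perm -004 2>/dev/null)" ] &&
            echo "WARN: $f is world-readable"
    done
    return 0
}
```

Point it at a copy of /etc/webmin to audit a host image without touching the live service.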