CVE-2015-2079

9.9 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Usermin servers by exploiting improper input validation in the uconfig_save.cgi script. The issue stems from passing user-controlled input to the two-argument form of Perl's open() function, which treats a leading or trailing pipe character in the filename as a command to run rather than a file to open. All Usermin installations from version 0.980 through 1.659 are affected.

💻 Affected Systems

Products:
  • Usermin
Versions: 0.980 through 1.659
Operating Systems: All platforms running Usermin
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations within the affected version range are vulnerable. Usermin is often installed alongside Webmin.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining root privileges, data exfiltration, and persistent backdoor installation.

🟠 Likely Case

Remote code execution with the privileges of the Usermin process, potentially leading to web server compromise and lateral movement.

🟢 If Mitigated

Limited impact if proper network segmentation and least privilege principles are applied, though RCE would still be possible.

🌐 Internet-Facing: HIGH - Usermin is typically web-accessible and the exploit requires no authentication.
🏢 Internal Only: HIGH - Even internally, this provides a significant attack vector for lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available and the vulnerability is trivial to exploit with basic web request manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.660 and later

Vendor Advisory: http://www.webmin.com/security.html

Restart Required: No

Instructions:

1. Download Usermin 1.660 or later from http://www.webmin.com/download.html
2. Stop Usermin service
3. Install the update
4. Start Usermin service

🔧 Temporary Workarounds

Disable vulnerable CGI script (linux)

Temporarily disable or remove the uconfig_save.cgi script to prevent exploitation:

mv /usr/share/usermin/uconfig_save.cgi /usr/share/usermin/uconfig_save.cgi.disabled

Network access control (linux)

Restrict access to the Usermin web interface (TCP port 20000 by default) using firewall rules, replacing trusted_ip with the allowed address or range:

iptables -A INPUT -p tcp --dport 20000 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 20000 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Usermin servers from critical systems
  • Deploy web application firewall (WAF) rules to block exploitation attempts targeting the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Check Usermin version via web interface or configuration files. Versions 0.980 through 1.659 are vulnerable.

Check Version:

grep version= /etc/usermin/miniserv.conf | cut -d= -f2

Verify Fix Applied:

Verify Usermin version is 1.660 or higher and test that uconfig_save.cgi no longer accepts malicious input.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /uconfig_save.cgi
  • Suspicious command execution patterns in system logs
  • Multiple failed exploitation attempts

Network Indicators:

  • HTTP requests to uconfig_save.cgi with pipe characters or shell metacharacters in parameters
  • Unusual outbound connections from Usermin server

SIEM Query:

source="usermin_access.log" AND uri="/uconfig_save.cgi" AND (param="|*" OR param="*|")
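As an added example (not part of this advisory), a small Python scanner that implements the network indicator above over constructed access-log lines: it URL-decodes each query parameter of requests to uconfig_save.cgi and flags values that begin or end with a pipe, the pattern Perl's two-argument open() would treat as a command. The Common Log Format layout, the script path and the sample entries are assumptions; POST bodies are not recorded in an access log, so the scanner only covers what the log captures.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample entries in Common Log Format (hypothetical, not captured
# from a real server). Line 2 carries the pipe URL-encoded as %7C, line 3
# carries it literally, line 4 hits a different script and must not match.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Mar/2015:10:01:02 +0000] "POST /uconfig_save.cgi?module=mailbox HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2015:10:02:17 +0000] "GET /uconfig_save.cgi?module=%7Cid%7C HTTP/1.1" 200 120
10.0.0.9 - - [12/Mar/2015:10:02:18 +0000] "GET /uconfig_save.cgi?module=|uname+-a HTTP/1.1" 200 120
10.0.0.7 - bob [12/Mar/2015:10:03:00 +0000] "GET /index.cgi?module=|x HTTP/1.1" 200 3000
"""

# Assumed CLF layout: ip ident user [timestamp] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)
TARGET_SCRIPT = "/uconfig_save.cgi"   # assumed URL path of the vulnerable script


def suspicious_params(target):
    """Return (name, decoded value) pairs whose value starts or ends with '|'.

    parse_qsl decodes one layer of percent-encoding; the extra unquote()
    catches double-encoded pipes (%257C) that a literal SIEM match would miss.
    """
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)
        if decoded.startswith("|") or decoded.endswith("|"):
            hits.append((name, decoded))
    return hits


def scan_log(text):
    """Return one finding per request to the vulnerable script carrying a pipe-wrapped value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        # endswith() tolerates a reverse-proxy prefix such as /usermin/
        if not urlsplit(target).path.endswith(TARGET_SCRIPT):
            continue
        hits = suspicious_params(target)
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "params": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```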
