CVE-2020-35606

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated users with Package Updates module access in Webmin to execute arbitrary commands with root privileges by injecting newline characters. It affects Webmin installations up to version 1.962 and exists due to incomplete fixes for CVE-2019-12840.

💻 Affected Systems

Products:
  • Webmin
Versions: Up to and including 1.962
Operating Systems: Linux, Unix variants
Default Config Vulnerable: ⚠️ Yes
Notes: Requires user authorization for Package Updates module; default installations may grant this to admin users.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with root-level command execution, leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Privilege escalation leading to unauthorized administrative access, configuration changes, or lateral movement within the network.

🟢 If Mitigated

Limited impact if proper access controls restrict the Package Updates module to trusted administrators only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated access; multiple public exploit scripts available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.962 and later (check for specific security updates)

Vendor Advisory: https://www.webmin.com/download.html

Restart Required: No

Instructions:

1. Update Webmin to the latest version via the package manager or a manual download.
2. Verify that the update was applied successfully.
3. Review user permissions for the Package Updates module.

🔧 Temporary Workarounds

Restrict Package Updates Module Access

Remove Package Updates module permissions from non-essential users: edit Webmin user permissions via the Webmin UI or the configuration files.

Input Validation Enhancement

Add input filtering for newline characters in the Package Updates module: modify /usr/share/webmin/package-updates/index.cgi to filter %0A and %0C.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Webmin instances
  • Enable detailed logging and monitoring for command execution attempts

🔍 How to Verify

Check if Vulnerable:

Check the Webmin version via the web interface or from a shell with the command below.

Check Version:

cat /etc/webmin/version

Verify Fix Applied:

Confirm the version is above 1.962 and test that the Package Updates module still works.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in Webmin logs
  • Multiple failed authentication attempts followed by Package Updates access

Network Indicators:

  • HTTP requests containing %0A or %0C characters to Webmin endpoints

SIEM Query:

source="webmin" AND ("%0A" OR "%0C") AND "package-updates"
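As an added example (not part of this advisory and not Webmin project code), the network indicator above turned into a small log scanner: it flags requests to the package-updates module whose path or query decodes to a newline, carriage return or form feed, including double-encoded forms such as %250A that a literal "%0A" match would miss. The log lines are constructed samples in Combined Log Format, which is an assumption about how the access log is written.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: access-log lines follow the Common/Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

MODULE = "package-updates"
# Control characters that, once decoded, mark a newline-style injection attempt.
CONTROL_CHARS = ("\n", "\r", "\x0c")


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so %250A (double-encoded %0A) is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(target):
    """True when the request targets the package-updates module and its path
    or query string decodes to a newline, carriage return or form feed."""
    parts = urlsplit(target)
    if MODULE not in parts.path:
        return False
    return any(c in decode_fully(x) for x in (parts.path, parts.query) for c in CONTROL_CHARS)


def scan(lines):
    """Return (ip, user, target, status) for every log line that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspicious(m.group("target")):
            hits.append((m.group("ip"), m.group("user"), m.group("target"), m.group("status")))
    return hits


# Constructed sample log lines (not real traffic); lines 2 and 3 should be flagged.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - admin [12/Jan/2021:10:01:02 +0000] "GET /package-updates/ HTTP/1.1" 200 5120',
    '10.0.0.5 - admin [12/Jan/2021:10:01:30 +0000] "GET /package-updates/index.cgi?u=pkg%0aextra HTTP/1.1" 200 412',
    '10.0.0.7 - bob [12/Jan/2021:10:02:00 +0000] "POST /package-updates/index.cgi?mode=new&u=pkg%250Cextra HTTP/1.1" 200 300',
    '10.0.0.9 - - [12/Jan/2021:10:03:00 +0000] "GET /useradmin/index.cgi?q=%0A HTTP/1.1" 403 12',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG_LINES):
        print("suspicious package-updates request:", hit)
```

The last sample line carries %0A but targets a different module, so it is not reported; tune MODULE if the instance is served under a path prefix.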
