CVE-2020-35769

9.8 CRITICAL

📋 TL;DR

CVE-2020-35769 is a critical vulnerability in Webmin's miniserv.pl CGI handler on Windows that allows remote code execution through improper handling of special characters in query arguments. Attackers can exploit this to execute arbitrary commands with the privileges of the Webmin service. This affects Webmin 1.962 installations running on Windows systems.

💻 Affected Systems

Products:
  • Webmin
Versions: 1.962
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows installations of Webmin. Linux/Unix systems are not vulnerable to this specific issue.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, install malware, steal data, and pivot to other systems.

🟠

Likely Case

Remote code execution leading to web server compromise, data exfiltration, and potential lateral movement within the network.

🟢

If Mitigated

Limited impact if proper network segmentation and least privilege principles are implemented, though exploitation would still be possible.

🌐 Internet-Facing: HIGH - Webmin is commonly exposed to the internet for remote administration, so any attacker who can reach port 10000 can attempt this.
🏢 Internal Only: HIGH - Even internally, this vulnerability can be exploited by any user with network access to the Webmin service.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward with publicly available proof-of-concept code. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: any release newer than 1.962 that includes commit 1163f3a7f418f249af64890f4636575e687e9de7 (1.962 itself is the affected release, not the fixed one)

Vendor Advisory: https://github.com/webmin/webmin/commit/1163f3a7f418f249af64890f4636575e687e9de7

Restart Required: Yes

Instructions:

1. Update Webmin to a release that includes commit 1163f3a7f418f249af64890f4636575e687e9de7 (anything at or below 1.962 is unfixed).
2. Restart the Webmin service so the patched miniserv.pl is loaded.
3. Confirm the installed version from the web interface or the version file in the install directory.

🔧 Temporary Workarounds

Network Access Restriction

windows

Block all inbound connections to the Webmin port (default 10000) with a Windows Firewall rule. This cuts off remote administration for everyone, including admins; Windows Firewall evaluates block rules ahead of allow rules, so adding an allow rule next to this one will not punch a hole. If admin access must stay up, use an allow rule scoped with remoteip= to the administrative range instead of this block rule, and delete any broader allow rule for port 10000 that the installer or a previous admin created.

netsh advfirewall firewall add rule name="Block Webmin" dir=in action=block protocol=TCP localport=10000

Disable Webmin Service

windows

Stop and disable the Webmin service until patching is complete. The service name "webmin" below is an assumption; it depends on how Webmin was registered on the host, so confirm it first with sc query state= all or the Services console.

sc stop webmin
sc config webmin start= disabled

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Webmin servers from untrusted networks
  • Deploy web application firewall (WAF) rules to block malicious query patterns targeting CGI parameters

🔍 How to Verify

Check if Vulnerable:

Check Webmin version and operating system. If running Webmin 1.962 on Windows, the system is vulnerable.

Check Version:

Read the version file in the Webmin install directory, or open the System Information page (/sysinfo.cgi) in the web interface, which shows the installed release.

Verify Fix Applied:

Verify the installed version is newer than 1.962 and that the installed miniserv.pl carries the change from commit 1163f3a7f418f249af64890f4636575e687e9de7 (compare it against the commit diff on GitHub).

📡 Detection & Monitoring

Log Indicators:

  • Requests to .cgi URLs in the miniserv access log (miniserv.log) whose query strings contain shell metacharacters such as &, |, ^ or ;, either raw or percent-encoded
  • Repeated requests of that shape from one source address, whether or not they succeeded
  • Unexpected child processes of the Webmin Perl interpreter (perl.exe spawning cmd.exe or other binaries), which is what a successful injection produces

Network Indicators:

  • HTTP requests to .cgi paths on the Webmin port whose query strings contain shell metacharacters, raw or URL-encoded
  • Unusual traffic volume or new external sources talking to the Webmin port (default 10000)

SIEM Query:

source="miniserv.log" uri="*.cgi?*"
| regex uri="(?i)[&|;^<>`$]|%(26|7C|3B|5E|3C|3E|60|24)"
| stats count by src_ip, uri

Splunk-style syntax. The field names uri and src_ip assume the Common Log Format lines from the miniserv access log have been parsed into fields; adjust to your SIEM's schema. The character set is an assumption about what the advisory's "special characters" covers: raw shell metacharacters and their percent-encoded forms.
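The detection logic above, run offline over sample log lines, as an added example that is not part of the original page or of Webmin's own code. It assumes the miniserv access log is in Common Log Format (miniserv's default; lines with referer/user-agent appended still match) and that "special characters" means the shell metacharacter set in SHELL_META; the log lines are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample of a Webmin miniserv access log in Common Log Format.
# Two requests from 198.51.100.7 carry shell metacharacters in the query,
# one raw and one percent-encoded; the rest is ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - root [12/Jan/2021:09:15:02 +0000] "GET /sysinfo.cgi HTTP/1.1" 200 8123
10.0.0.5 - - [12/Jan/2021:09:15:10 +0000] "POST /session_login.cgi HTTP/1.1" 302 0
198.51.100.7 - - [12/Jan/2021:09:16:44 +0000] "GET /sysinfo.cgi?x|whoami HTTP/1.1" 500 0
198.51.100.7 - - [12/Jan/2021:09:16:45 +0000] "GET /sysinfo.cgi?x%26calc.exe HTTP/1.1" 500 0
10.0.0.8 - root [12/Jan/2021:09:17:00 +0000] "GET /proc/index.cgi?mode=0 HTTP/1.1" 200 5120
10.0.0.8 - root [12/Jan/2021:09:17:05 +0000] "GET /unauthenticated/style.css HTTP/1.1" 200 900
"""

# Prefix of a CLF line: host, ident, user, timestamp, request line, status.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed metacharacter set: the command separators and redirections cmd.exe
# honours, plus the common POSIX ones so the rule also works on Linux logs.
SHELL_META = "&|;^<>`$"


def suspicious_requests(log_text):
    """Return one record per request to a .cgi URL whose query string, after
    percent-decoding, contains at least one shell metacharacter."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        path, sep, query = m.group("target").partition("?")
        if not sep or not path.endswith(".cgi"):
            continue
        decoded = unquote(query)          # catches %26, %7C and friends
        found = [c for c in SHELL_META if c in decoded]
        if found:
            hits.append({
                "host": m.group("host"),
                "path": path,
                "query": decoded,
                "chars": found,
                "status": int(m.group("status")),
            })
    return hits


def attempts_by_host(log_text):
    """Flagged requests per source address, to surface repeated attempts."""
    return Counter(h["host"] for h in suspicious_requests(log_text))


if __name__ == "__main__":
    for h in suspicious_requests(SAMPLE_LOG):
        print(f"{h['host']} {h['path']}?{h['query']} "
              f"chars={h['chars']} status={h['status']}")
    print(dict(attempts_by_host(SAMPLE_LOG)))
```

Feed it your real miniserv.log instead of SAMPLE_LOG; the two functions are the same check the SIEM query performs, so the output should agree with it. Decoding before matching is the important part: a WAF or query that only looks for raw characters misses the %26 form.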

🔗 References
