CVE-2021-32159

8.8 HIGH

📋 TL;DR

This CSRF vulnerability in Webmin 1.973 lets an attacker who lures a logged-in Webmin administrator to a malicious page make the administrator's browser submit upload or download requests to the Upload and Download module (directory name updown). The browser attaches the Webmin session cookie automatically, so the attacker never needs credentials: files of the attacker's choosing land on the server, or files the attacker names are pulled off it, with nothing visible to the administrator. All Webmin 1.973 installations in which the module is available to the targeted user are affected.

💻 Affected Systems

Products:
  • Webmin
Versions: 1.973 (fixed in 1.974)
Operating Systems: All platforms running Webmin
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the Upload and Download module to be available to the targeted Webmin user, and that user to hold a live session while visiting the attacker's page.

📦 What is this software?

Webmin is a web-based administration interface for Unix-like systems. It runs its own Perl web server (miniserv.pl, by default on TCP port 10000) as root and exposes administrative tasks as modules; the Upload and Download module (updown) moves files between the administrator's browser and the server's filesystem.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the host: Webmin normally runs as root, so a forced upload can place a file wherever the module lets the administrator write, which can be leveraged for code execution or a persistent backdoor, while a forced download exposes sensitive files.

🟠

Likely Case

The administrator's browser uploads a file the attacker chose or downloads a file the attacker named, leading to data theft, malware placement or tampered configuration, with no indication to the administrator that anything happened.

🟢

If Mitigated

Limited impact: upgrading to 1.974 or later removes the flaw; until then, taking the module out of users' ACLs, keeping Webmin's referer checking enabled and restricting who can reach Webmin each reduce either the forged request's chance of success or what it can achieve.

🌐 Internet-Facing: HIGH - Webmin is frequently exposed for remote administration; any administrator who browses the web while logged in can be targeted by a page hosted anywhere.
🏢 Internal Only: MEDIUM - An internal-only Webmin is still reachable by CSRF, because the forged request is issued by the administrator's browser from inside the network. What an external attacker lacks is a way to observe the result or to log in directly afterwards, which makes follow-on exploitation harder.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No (the attacker needs no credentials, but the request only succeeds if the victim holds a live Webmin session whose cookie the browser attaches)
Complexity: LOW

Exploitation requires tricking an authenticated admin into visiting a malicious page. Public PoC exists on GitHub.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Webmin 1.974 and later

Vendor Advisory: https://www.webmin.com/security.html

Restart Required: No

Instructions:

1. Back up /etc/webmin (configuration and ACLs) before upgrading.
2. Update Webmin to 1.974 or later through your package manager (the Webmin apt/yum repository) or by installing the vendor package manually.
3. Confirm the new release number in /etc/webmin/version or on the Webmin System Information page.

🔧 Temporary Workarounds

Disable Upload and Download Feature

linux

Remove the module until the upgrade can be done: in the Webmin Users module, take "Upload and Download" out of each user's available modules, or delete the updown token from the user's line in /etc/webmin/webmin.acl (format: "user: module1 module2 ...") and restart Webmin (/etc/webmin/restart). A user without the module in the ACL cannot reach its CGIs, so a forged request to them is refused.

Enforce Referer Checking

all

Webmin ships no CSRF tokens, and hand-patching its forms is not practical; its cross-site defence is referer checking (Webmin Configuration → Trusted Referers, stored as referers_none=1 and the referers= list in /etc/webmin/config). Make sure it is enabled and that no extra hosts are trusted. The vendor advisory does not say whether referer checking stops this particular CSRF, so treat it as defence in depth rather than a fix.

🧯 If You Can't Patch

  • Keep Webmin off the internet and restrict it to trusted addresses (Webmin Configuration → IP Access Control, or a firewall). This does not stop CSRF by itself, since the forged request comes from the administrator's own browser, but it limits what an attacker can do afterwards.
  • On the administrator side, use a dedicated browser profile for Webmin, log out when finished, and avoid browsing other sites while a Webmin session is open, so that no authenticated session exists for a malicious page to ride on.
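
The two workarounds above (removing the module from user ACLs, enforcing referer checking) as a shell helper. This is an added example, not code from Webmin or from this advisory; it assumes the stock layout (/etc/webmin/webmin.acl with one "user: module ..." line per Webmin user, /etc/webmin/config with referers_none= and referers= keys, and the /etc/webmin/restart script) and takes file paths as arguments so it can be rehearsed on copies before --apply touches the live files.

```shell
#!/bin/sh
# Added hardening helper for CVE-2021-32159 (example code, not Webmin's own).
# Assumed stock layout:
#   /etc/webmin/webmin.acl  one line per Webmin user:  "user: module1 module2 ..."
#   /etc/webmin/config      key=value lines, including referers_none= / referers=
#   /etc/webmin/restart     script written by Webmin's setup to restart miniserv.pl
# Every function takes the file path as an argument so it can be tried on copies.

# Drop the Upload and Download module (directory name "updown") from each
# user's module list. Other modules keep their order; blank lines survive.
strip_updown_acl() {
    acl="$1"; tmp="$acl.tmp.$$"
    awk '{
        out = $1                       # "user:" keeps its trailing colon
        for (i = 2; i <= NF; i++) if ($i != "updown") out = out " " $i
        print out
    }' "$acl" > "$tmp" && mv "$tmp" "$acl"
}

# Exit 0 if any user still has updown, 1 otherwise. Use it to confirm the edit.
acl_has_updown() {
    awk '{ for (i = 2; i <= NF; i++) if ($i == "updown") found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Set key=value in a Webmin config-style file, replacing the key if present
# and appending it otherwise. Used to enforce referer checking as defence in depth.
set_config_key() {
    file="$1"; key="$2"; value="$3"; tmp="$file.tmp.$$"
    awk -F= -v k="$key" -v v="$value" '
        BEGIN { OFS = "=" }
        $1 == k { print k, v; seen = 1; next }
        { print }
        END { if (!seen) print k, v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Touch the live system only when explicitly asked: ./harden.sh --apply
if [ "${1:-}" = "--apply" ]; then
    cp /etc/webmin/webmin.acl "/etc/webmin/webmin.acl.bak.$(date +%s)"
    cp /etc/webmin/config "/etc/webmin/config.bak.$(date +%s)"
    strip_updown_acl /etc/webmin/webmin.acl
    set_config_key /etc/webmin/config referers_none 1   # reject requests with no Referer
    set_config_key /etc/webmin/config referers ""       # trust no extra referring hosts
    acl_has_updown /etc/webmin/webmin.acl && echo "warning: updown still granted" >&2
    /etc/webmin/restart
fi
```

Rehearse on copies first (call the functions with paths under a scratch directory), then run with --apply; the backups it writes are what you restore from once the upgrade to 1.974 lands and you want the module back.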

🔍 How to Verify

Check if Vulnerable:

Check the Webmin release on the System Information page of the web interface, or read the release file on the host: cat /etc/webmin/version. A value of 1.973 means the flaw is present.

Check Version:

cat /etc/webmin/version

Verify Fix Applied:

Verify that /etc/webmin/version reports 1.974 or higher. Webmin has no CSRF token to test for; instead confirm that the Upload and Download module is granted only to users who need it and that referer checking is enabled (Webmin Configuration → Trusted Referers).
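
A scriptable form of the check, added here as an example (not Webmin's own tooling). It assumes the stock /etc/webmin/version file and compares against the fixed release 1.974; the CVE record names only 1.973, but earlier releases lack the fix as well, so everything below 1.974 is reported as needing the upgrade.

```shell
#!/bin/sh
# Added version check (example code, not Webmin's own). Assumes the stock
# /etc/webmin/version file, which holds just the release number, e.g. "1.973".
# Webmin releases use a three-digit minor (1.973, 1.974, 2.000, 2.105), so a
# plain numeric comparison orders them correctly.

# Return 0 if the installed release is below the fixed release 1.974
# (i.e. unpatched), 1 if it is 1.974 or later. $1 = path to the version file.
webmin_needs_patch() {
    ver=$(tr -d '[:space:]' < "$1")
    awk -v v="$ver" 'BEGIN { exit (v + 0 < 1.974) ? 0 : 1 }'
}

# Human-readable report; exit status mirrors webmin_needs_patch (2 = unreadable).
check_webmin() {
    f="${1:-/etc/webmin/version}"
    if [ ! -r "$f" ]; then
        echo "cannot read $f: is Webmin installed with the default config dir?" >&2
        return 2
    fi
    if webmin_needs_patch "$f"; then
        echo "Webmin $(cat "$f") is below 1.974: CVE-2021-32159 fix not present"
        return 0
    fi
    echo "Webmin $(cat "$f") includes the 1.974 fix"
    return 1
}

# Stand-alone use: report on this host (exit 0 = needs patch).
check_webmin
```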

📡 Detection & Monitoring

Log Indicators:

  • Uploads or downloads through the Upload and Download module that the administrator does not recognise: requests under /updown/ in the access log /var/webmin/miniserv.log, and updown entries in the action log /var/webmin/webmin.log if action logging is enabled (Webmin Configuration → Logging)
  • Module POSTs that are not preceded by the same client opening the module's pages: a forged request arrives without the normal page load
  • Webmin has no CSRF tokens, so there are no token failures to look for; its cross-site defence is referer checking, and rejected requests produce Webmin's "linked from an unknown URL" error page rather than a distinct log entry

Network Indicators:

  • Requests to Webmin whose Referer or Origin header names a site other than the Webmin host itself
  • Unexpected file transfers from the Webmin interface

SIEM Query:

(pseudo-query) source="webmin" AND (event="file_upload" OR event="file_download") AND user="admin" AND NOT src_ip IN [trusted_ips]

Note that a CSRF request is sent by the administrator's own browser, so its src_ip is the administrator's trusted address; the filter above catches direct misuse from elsewhere, not the CSRF case. For CSRF, review every upload and download by administrative users and confirm each with the person concerned.
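
The log indicators above as runnable detection logic, added as an example rather than taken from Webmin or this advisory. It assumes /var/webmin/miniserv.log is in Common Log Format as miniserv.pl writes it, runs on constructed sample lines embedded in the script (the script names under /updown/ are illustrative; matching is on the prefix), and shows two checks: direct module use from outside an allow-list, and the CSRF-specific heuristic that a forged POST arrives without the administrator having opened the module's pages shortly before.

```shell
#!/bin/sh
# Added detection helper (example code, not from Webmin or this advisory).
# Input is a Common Log Format access log as miniserv.pl writes it to
# /var/webmin/miniserv.log (assumed layout):
#   client - user [dd/Mon/yyyy:HH:MM:SS zone] "METHOD path HTTP/x" status bytes
# Script names under /updown/ below are illustrative; matching is on the prefix.
# Both functions read the log on stdin.

# Constructed sample: a normal session from 10.0.0.5, one POST from an address
# outside the allow-list, and a late POST with no recent module page load.
SAMPLE_LOG=$(cat <<'EOF'
10.0.0.5 - root [12/May/2021:09:58:11 +0000] "GET /updown/index.cgi HTTP/1.1" 200 4120
10.0.0.5 - root [12/May/2021:09:58:40 +0000] "POST /updown/upload.cgi HTTP/1.1" 200 611
10.0.0.5 - root [12/May/2021:10:02:03 +0000] "GET /useradmin/index.cgi HTTP/1.1" 200 8820
203.0.113.9 - root [12/May/2021:10:05:27 +0000] "POST /updown/upload.cgi HTTP/1.1" 200 590
10.0.0.5 - root [12/May/2021:10:06:00 +0000] "POST /updown/download.cgi HTTP/1.1" 200 733
EOF
)

# Direct misuse: POSTs to the module from clients outside the allow-list.
# $1 = space-separated trusted client IPs. A CSRF request will NOT show up
# here, because it is sent from the administrator's own (trusted) address.
updown_posts_from_untrusted() {
    awk -v trusted="$1" '
        BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        index($7, "/updown/") == 1 && substr($6, 2) == "POST" && !($1 in ok) { print }
    '
}

# CSRF heuristic: a forged POST arrives without the client first loading any
# page of the module, whereas a real upload or download is preceded by a GET
# of the module within a short time. $1 = window in seconds.
# Limitation: a forged request fired while the administrator has the module
# open inside the window is not flagged.
flag_orphan_updown_posts() {
    awk -v window="$1" '
        # Seconds on a monotonic scale built from the CLF timestamp; exact
        # calendar arithmetic is unnecessary for a difference of minutes.
        function tosec(ts,    a, mon) {
            sub(/^\[/, "", ts)
            split(ts, a, "[/:]")               # day Mon year HH MM SS
            mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", a[2]) + 2) / 3
            return (((a[3] * 12 + mon) * 31 + a[1]) * 86400) + a[4] * 3600 + a[5] * 60 + a[6]
        }
        index($7, "/updown/") != 1 { next }
        substr($6, 2) == "GET"  { lastget[$1] = tosec($4); next }
        substr($6, 2) != "POST" { next }
        !($1 in lastget) || tosec($4) - lastget[$1] > window {
            print "orphan updown POST (no module page load within " window "s): " $0
        }
    '
}

# Stand-alone run over the constructed sample; on a live host feed the
# access log instead, e.g. flag_orphan_updown_posts 300 < /var/webmin/miniserv.log
printf '%s\n' "$SAMPLE_LOG" | updown_posts_from_untrusted "10.0.0.5"
printf '%s\n' "$SAMPLE_LOG" | flag_orphan_updown_posts 300
```

On the sample, the allow-list check reports only the 203.0.113.9 upload, while the orphan-POST check reports that upload and the 10:06:00 download from the administrator's own address, the kind of entry the src_ip filter in the query above would never surface.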
