CVE-2022-0824

CVSS score: 8.8 (HIGH)

📋 TL;DR

This vulnerability in Webmin allows attackers to bypass access controls and execute arbitrary code remotely on affected systems. It affects Webmin installations prior to version 1.990, potentially compromising the entire server.

💻 Affected Systems

Products:
  • Webmin
Versions: All versions prior to 1.990
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the File Manager module specifically; requires Webmin to be running and accessible.

📦 What is this software?

Webmin is a web-based system administration interface for Linux and Unix-like systems. It listens on TCP port 10000 by default and bundles administrative modules, including the File Manager module (filemin) that this vulnerability affects.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with root-level access, data theft, lateral movement, and persistent backdoor installation.

🟠 Likely Case: Unauthorized file system access, privilege escalation, and remote code execution leading to service disruption.

🟢 If Mitigated: Limited impact if proper network segmentation and least-privilege access are enforced.

🌐 Internet-Facing: HIGH - Webmin is often exposed to the internet for remote administration.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they gain network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploits require authentication but bypass access controls; multiple public exploit scripts exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.990 and later

Vendor Advisory: https://github.com/webmin/webmin/commit/39ea464f0c40b325decd6a5bfb7833fa4a142e38

Restart Required: No

Instructions:

1. Update Webmin to version 1.990 or later via the built-in update module or package manager.
2. Verify the update completed successfully.
3. Restart the Webmin service if this does not happen automatically.

🔧 Temporary Workarounds

Disable File Manager module

Temporarily disable the vulnerable File Manager module to prevent exploitation:

sudo /usr/share/webmin/disable-module.pl filemin

Restrict network access

Limit Webmin access to trusted IP addresses only using firewall rules:

sudo iptables -A INPUT -p tcp --dport 10000 -s TRUSTED_IP -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 10000 -j DROP

Note that -A appends to the end of the INPUT chain, so an earlier rule that already accepts port 10000 will match first and these rules will never be reached; check the chain order with iptables -L INPUT -n --line-numbers before relying on them.

🧯 If You Can't Patch

  • Implement strict network ACLs to allow only trusted sources to access Webmin.
  • Monitor Webmin logs for unauthorized access attempts and file modification activities.

🔍 How to Verify

Check if Vulnerable:

Check the Webmin version via the web interface or from the command line:

cat /etc/webmin/version

Any version below 1.990 is vulnerable.

Verify Fix Applied:

Confirm the version is 1.990 or higher and test File Manager access controls.
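The version check above, as an added script that is not part of this advisory or of the Webmin project. It reads the version file the advisory names, compares it numerically against the fixed release, and reports "vulnerable", "fixed" or "unknown"; the file path default and the treatment of Webmin versions as plain major.minor numbers are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory or the Webmin project): decide whether an
# installed Webmin is older than the fixed release 1.990 by reading the version
# file the advisory points at. The default path and the numeric comparison are
# this example's assumptions; Webmin versions are plain "major.minor" numbers.

FIXED_VERSION="1.990"

# Succeeds (exit 0) when VERSION sorts before the fixed release, i.e. is vulnerable.
# awk's numeric coercion handles "1.984" < "1.990" and "2.000" > "1.990".
is_vulnerable_version() {
    awk -v have="$1" -v fixed="$FIXED_VERSION" 'BEGIN { exit !(have + 0 < fixed + 0) }'
}

# Reads the version file (default /etc/webmin/version), prints "vulnerable",
# "fixed" or "unknown", and returns 0 only when the installation is fixed.
webmin_version_status() {
    file="${1:-/etc/webmin/version}"
    if [ ! -r "$file" ]; then
        echo "unknown"
        return 2
    fi
    # First token of the first line only; ignores trailing whitespace.
    ver=$(awk 'NR == 1 { print $1; exit }' "$file")
    case "$ver" in
        ''|*[!0-9.]*) echo "unknown"; return 2 ;;
    esac
    if is_vulnerable_version "$ver"; then
        echo "vulnerable"
        return 1
    fi
    echo "fixed"
    return 0
}

# Stand-alone use: report on the local installation when the file is present.
if [ -r /etc/webmin/version ]; then
    printf 'Webmin %s: %s\n' "$(head -n 1 /etc/webmin/version)" "$(webmin_version_status)"
fi
```

Run it as root on the host, or pass a copied version file as the first argument to webmin_version_status; the exit status (0 fixed, 1 vulnerable, 2 unreadable) makes it usable from a fleet-wide inventory script.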

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized file operations in /var/webmin/filemin/ logs
  • Suspicious command execution via File Manager

Network Indicators:

  • Unexpected connections to Webmin port 10000
  • POST requests to filemin endpoints with malicious payloads

SIEM Query:

source="webmin.log" AND ("filemin" OR "unauthorized access")
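A host-side equivalent of the SIEM query, added here as an example that is not part of this advisory or of the Webmin project. It filters a Webmin access log down to POST requests against the /filemin/ module and counts them per client address, so that File Manager activity from an unexpected source stands out. It assumes the log follows the common log format that Webmin's miniserv.log uses ("IP - user [date] \"METHOD /path HTTP/1.x\" status bytes"); the sample lines, addresses and timestamps are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or the Webmin project): extract File
# Manager (filemin) POST requests from a Webmin access log and summarise them
# per client address. Assumption: common log format as written by miniserv.log.

# Prints "IP user METHOD path status" for every POST to /filemin/; drops the rest.
filemin_post_requests() {
    awk '
        $6 == "\"POST" && $7 ~ /^\/filemin\// {
            method = substr($6, 2)   # strip the opening quote of the request field
            print $1, $3, method, $7, $9
        }
    ' "$1"
}

# Counts filemin POSTs per client IP, highest count first ("count IP").
filemin_posts_per_ip() {
    filemin_post_requests "$1" | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Writes a constructed sample log to PATH so the script runs offline.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - root [01/Mar/2022:09:12:01 +0000] "GET /filemin/index.cgi HTTP/1.1" 200 5120
203.0.113.7 - root [01/Mar/2022:09:12:05 +0000] "POST /filemin/upload.cgi HTTP/1.1" 200 318
203.0.113.7 - root [01/Mar/2022:09:12:09 +0000] "POST /filemin/edit_file.cgi HTTP/1.1" 200 211
198.51.100.4 - admin [01/Mar/2022:09:13:40 +0000] "GET /proc/index.cgi HTTP/1.1" 200 8804
198.51.100.4 - admin [01/Mar/2022:09:13:44 +0000] "POST /filemin/save_file.cgi HTTP/1.1" 200 156
192.0.2.9 - - [01/Mar/2022:09:14:02 +0000] "POST /session_login.cgi HTTP/1.1" 401 0
EOF
}

# Stand-alone use: pass a real log path, or run without arguments for the sample.
if [ "$#" -gt 0 ]; then
    filemin_posts_per_ip "$1"
else
    sample=$(mktemp)
    write_sample_log "$sample"
    filemin_posts_per_ip "$sample"
    rm -f "$sample"
fi
```

On the sample the summary is "2 203.0.113.7" followed by "1 198.51.100.4"; a failed login to session_login.cgi and a GET of the module index are deliberately left out, since the SIEM query's "filemin" match would pick those up too. Compare the listed addresses against the trusted set used in the firewall workaround.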
