CVE-2025-61541
📋 TL;DR
Webmin 2.510 has a Host Header Injection vulnerability in the password reset functionality that allows attackers to manipulate password reset emails. Because the reset link is built from the HTTP Host header of the request, an attacker who supplies a malicious domain in that header causes the emailed link (and the reset token it carries) to point at the attacker's domain; when the victim clicks it, the attacker obtains the token and can take full control of the account. This affects all Webmin 2.510 installations with password reset functionality enabled.
💻 Affected Systems
- Webmin
📦 What is this software?
Webmin, by the Webmin project: a web-based system administration interface for Unix-like servers.
⚠️ Risk & Real-World Impact
Worst Case
Full account takeover of any Webmin user, potentially leading to administrative access to the entire server if the compromised account has elevated privileges.
Likely Case
Account compromise of individual users who request password resets, allowing attackers to access that user's Webmin interface and perform actions within their permission scope.
If Mitigated
Limited impact if password reset functionality is disabled or if email verification processes catch the malicious links before users click them.
🎯 Exploit Status
Exploitation requires the attacker to intercept or predict when a victim will request a password reset and manipulate the Host header during that request.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.511 or later
Vendor Advisory: http://www.webmin.com/
Restart Required: No
Instructions:
1. Update Webmin to version 2.511 or later using the built-in update mechanism or package manager.
2. Verify the update completed successfully.
3. Test password reset functionality to ensure it works correctly.
🔧 Temporary Workarounds
Disable password reset functionality (Linux)
Temporarily disable the vulnerable password reset endpoint to prevent exploitation (adjust the path if Webmin is installed somewhere other than the default location):
mv /usr/share/webmin/forgot_send.cgi /usr/share/webmin/forgot_send.cgi.disabled
Configure reverse proxy to validate Host headers (all platforms)
Configure the web server or reverse proxy in front of Webmin to accept only the expected hostnames in the Host header and to reject or rewrite anything else before the request reaches Webmin.
🧯 If You Can't Patch
- Disable password reset functionality entirely
- Implement network-level controls to block or monitor suspicious Host header manipulation
🔍 How to Verify
Check if Vulnerable:
Check Webmin version via web interface or command line. If version is exactly 2.510 and password reset is enabled, the system is vulnerable.
Check Version:
cat /etc/webmin/version
Verify Fix Applied:
Verify Webmin version is 2.511 or later and test password reset functionality with manipulated Host headers to confirm they're rejected.
📡 Detection & Monitoring
Log Indicators:
- Host header values in requests to forgot_send.cgi that do not match the hostnames Webmin is legitimately served under
- Multiple password reset attempts from the same IP in a short period
Network Indicators:
- HTTP requests with manipulated Host headers
- Unusual domains in password reset email links
SIEM Query:
source="webmin" AND (uri="*forgot_send.cgi*" AND (host_header!="expected-domain.com" OR host_header="*malicious*"))
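The same log indicators expressed as a small offline check, added here as an example that is not part of this advisory or of Webmin. It assumes an access-log format with the Host header appended as a final quoted field, an allowlist of hostnames the server is legitimately reached under, and constructed sample lines.

```python
import re
from collections import Counter

# Constructed sample lines (assumed format: combined log + "host" as last quoted field).
# The second client sends reset requests with a Host header that is not ours.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "POST /forgot_send.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0" "webmin.example.com"
198.51.100.7 - - [10/Oct/2025:12:00:05 +0000] "POST /forgot_send.cgi HTTP/1.1" 200 512 "-" "curl/8.0" "attacker.invalid"
198.51.100.7 - - [10/Oct/2025:12:00:09 +0000] "POST /forgot_send.cgi HTTP/1.1" 200 512 "-" "curl/8.0" "attacker.invalid:10000"
203.0.113.9 - - [10/Oct/2025:12:01:00 +0000] "GET /session_login.cgi HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "attacker.invalid"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<host>[^"]*)"$'
)

def normalize_host(host: str) -> str:
    """Lower-case and drop an explicit :port so 'Webmin.Example.com:10000' matches the allowlist."""
    host = host.strip().lower()
    if host.startswith("["):  # IPv6 literal such as [::1]:10000 keeps its brackets
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    return host.split(":", 1)[0]

def find_suspicious_resets(log_text: str, allowed_hosts: set[str]) -> list[dict]:
    """Return reset requests (forgot_send.cgi) whose Host header is not on the allowlist."""
    allowed = {normalize_host(h) for h in allowed_hosts}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "forgot_send.cgi" not in m["path"]:
            continue  # malformed line or not a password-reset request
        host = normalize_host(m["host"])
        if host not in allowed:
            hits.append({"ip": m["ip"], "host": host, "ts": m["ts"]})
    return hits

def repeat_offenders(hits: list[dict], threshold: int = 2) -> dict[str, int]:
    """Client IPs with at least `threshold` flagged reset requests (the page's second indicator)."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    found = find_suspicious_resets(SAMPLE_LOG, {"webmin.example.com"})
    for h in found:
        print(f"{h['ts']} {h['ip']} forgot_send.cgi with unexpected Host: {h['host']}")
    print("repeat offenders:", repeat_offenders(found))
```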