Cyber Resilience

CVE-2019-15107

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked · RCE

Published: 16 August 2019
Modified: 06 November 2025
KEV Added: 25 March 2022
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9446 (100.0th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-15107 is a critical-severity OS Command Injection (CWE-78) vulnerability in Webmin. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2019-15107 is a command injection vulnerability (CWE-78) affecting Webmin versions up to and including 1.920. The flaw resides in the "old" parameter of the password_change.cgi script, which fails to properly sanitize input before passing it to a system command.

The vulnerability can be exploited remotely by unauthenticated attackers over the network. Successful exploitation grants full control over the affected system, allowing arbitrary command execution with impacts to confidentiality, integrity, and availability, as reflected in its CVSS 3.1 base score of 9.8.

Public exploit code for this issue has been disclosed on multiple platforms, including detailed remote code execution and backdoor variants targeting the unauthenticated password change endpoint. No official patch or mitigation details are provided in the available references.

Vulnerability details

An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.

CWE(s): CWE-78
KEV Date Added: 25 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

webmin / webmin, versions ≤ 1.920

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires validation and sanitization of untrusted input such as the 'old' parameter before it is passed to system commands, blocking the CWE-78 injection.

Prevent: Mandates prompt installation of patches or updates that eliminate the unauthenticated command-injection flaw in password_change.cgi.

Prevent: Enforces authentication and authorization checks on the password_change.cgi endpoint so that unauthenticated remote attackers cannot reach the vulnerable parameter.
