Hackers Infiltrate Webmin, a Widely Used Utility for Linux/Unix Servers, with Backdoor Access

Critical Backdoor Vulnerability Found in Webmin, Exposing Millions of Users to Risk

A serious security incident has come to light in Webmin, the popular open-source web-based system administration tool for Unix, following the public disclosure of a zero-day vulnerability last week. The Webmin maintainers have confirmed that the flaw was not a coding error but a backdoor deliberately planted by an unknown attacker who compromised the project's build infrastructure: the release packages distributed through Sourceforge carried the malicious code, while the source in the project's GitHub repository was clean. The backdoor shipped in every release from 1.882 through 1.921, leaving users exposed for roughly a year.

Webmin is widely deployed, with over 3 million downloads annually, for managing Unix-based systems including Linux, FreeBSD, and OpenBSD. It offers a browser-based interface for user management, databases, mail servers, backups, firewalls, and more, and it runs as root in order to do so. Given that reach, a backdoor in the administration tool itself has serious implications for the many organizations that rely on it.

The vulnerability, tracked as CVE-2019-15107, was first disclosed publicly by Turkish security researcher Özkan Mustafa Akkuş during a presentation at the DEF CON conference on August 10. Akkuş did not notify the project maintainers before revealing the flaw, a decision the Webmin developers criticized as unethical. As Joe Cooper, a developer for Webmin, pointed out, “We received no advance notification, which is unusual and unethical…in such cases there’s nothing we can do but fix it ASAP.”

Alongside the disclosure, Akkuş released a Metasploit module that automates exploitation, which made the window between disclosure and patch considerably more dangerous for anyone running an affected version. The backdoor lives in password_change.cgi, the script behind the password expiration feature that lets users with expired passwords set a new one. In the backdoored builds, the old-password parameter submitted in the form is passed to a shell without sanitisation, so a crafted POST request whose old-password field contains a shell metacharacter such as a pipe causes an arbitrary command to run with Webmin's privileges, which are root. No valid credentials are needed, because the injection fires on the path that handles a wrong old password.

Cooper further clarified that the affected feature is not enabled by default: the backdoor is only reachable remotely if the option that prompts users with expired passwords to enter a new one has been switched on in Webmin Configuration under Authentication, so installations that never enabled that policy were not remotely exploitable. The important exception is version 1.890, whose backdoored build also changed the default configuration to enable this option, so installations of that version were exploitable out of the box.
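As an added example, not code from the Webmin project or from the article's sources, the following Python helpers turn the facts above into an offline triage check: whether an installed version falls in the backdoored range, whether the expired-password prompt (or the 1.890 default) makes the backdoor remotely reachable, and whether a captured request to password_change.cgi carries shell metacharacters in its old-password field. Two things are assumptions: that miniserv.conf stores the "prompt users with expired passwords" setting as the key passwd_mode with value 2, and the sample requests, which are constructed rather than real captures.

```python
# Added example (not Webmin's code): offline triage for CVE-2019-15107.
# Assumptions, stated here and in the lead-in:
#   - /etc/webmin/miniserv.conf keeps the expired-password prompt in the key
#     passwd_mode, where value 2 means "prompt users to enter a new password"
#   - SAMPLE_REQUESTS below are constructed for illustration, not real traffic
import re
from urllib.parse import parse_qs

BACKDOORED_LOW = (1, 882)         # first backdoored release named by the project
BACKDOORED_HIGH = (1, 921)        # last backdoored release named by the project
FIXED = (1, 930)                  # first clean release
DEFAULT_EXPLOITABLE = {(1, 890)}  # build shipped with the expiry prompt enabled

PATCHED = "patched"
NOT_AFFECTED = "not in backdoored range"
EXPLOITABLE = "remotely exploitable"
LATENT = "backdoored, expiry prompt off (upgrade anyway)"


def parse_version(text):
    """'1.890' -> (1, 890). Tuples compare numerically; strings would not
    ('1.9' > '1.10' as strings), which matters for range checks."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised Webmin version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def parse_miniserv_conf(text):
    """Parse the key=value lines used by miniserv.conf into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def assess(version, conf):
    """Classify one installation from its version and parsed miniserv.conf."""
    v = parse_version(version)
    if v >= FIXED:
        return PATCHED
    if not BACKDOORED_LOW <= v <= BACKDOORED_HIGH:
        return NOT_AFFECTED
    expiry_prompt_on = conf.get("passwd_mode") == "2"  # assumed key and value
    if expiry_prompt_on or v in DEFAULT_EXPLOITABLE:
        return EXPLOITABLE
    return LATENT


# Shell metacharacters that have no business in a password field: the
# backdoor hands the 'old' parameter of password_change.cgi to a shell.
SHELL_META = re.compile(r"[|;&`$\n]")


def looks_like_exploit(path, body):
    """True if a POST body aimed at password_change.cgi smuggles shell syntax
    in the old-password parameter. parse_qs decodes %7C and friends, so
    URL-encoded payloads are caught as well."""
    if not path.split("?", 1)[0].endswith("password_change.cgi"):
        return False
    params = parse_qs(body, keep_blank_values=True)
    old = params.get("old", [""])[0]
    return SHELL_META.search(old) is not None


def triage_requests(requests):
    """requests: iterable of (method, path, body). Returns the flagged bodies."""
    return [body for method, path, body in requests
            if method == "POST" and looks_like_exploit(path, body)]


# Constructed sample traffic (not real captures).
SAMPLE_REQUESTS = [
    ("POST", "/password_change.cgi",
     "user=alice&pam=&expired=0&old=hunter2&new1=x&new2=x"),        # benign change
    ("POST", "/password_change.cgi",
     "user=root&pam=&expired=2&old=anything%7Cid&new1=a&new2=a"),   # pipe in 'old'
    ("POST", "/session_login.cgi", "user=alice&pass=a%7Cb"),         # wrong script
]

if __name__ == "__main__":
    conf = parse_miniserv_conf("port=10000\nssl=1\n# comment\npasswd_mode=2\n")
    print(assess("1.900", conf))
    print(triage_requests(SAMPLE_REQUESTS))
```

The version check deliberately treats anything in the backdoored range as worth an upgrade even when the prompt is off, because the malicious code is still present on disk and a later configuration change would expose it. The request check is a triage signal rather than a proof of compromise; a match on a 1.882 to 1.921 host should be followed by a host-level investigation, since a successful injection ran as root.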

Last year a Webmin developer noticed a suspicious change in the source on the build server, but the modification was written off as an internal mistake rather than tampering, and its malicious intent went unrecognised. The exposure today is substantial: Shodan scans show over 218,000 Webmin instances reachable from the internet, more than 13,000 of which run version 1.890, the release that is exploitable in its default configuration.

In response, the Webmin team has released clean builds, Webmin 1.930 and Usermin 1.780, which remove the backdoor and also fix other incidental vulnerabilities, including cross-site scripting flaws reported by another researcher. Administrators are strongly advised to upgrade immediately; those who cannot upgrade at once should at least disable the expired-password prompt in Webmin Configuration under Authentication, and anyone who ran an affected version with that option enabled, or ran 1.890 at all, should treat the host as potentially compromised rather than merely patched.

The incident is a software supply-chain compromise rather than an ordinary bug: the attacker did not exploit the shipped code but tampered with the process that produced it, so that every official release package for over a year carried the backdoor while the public source repository stayed clean. That gap between source and artifact is the lesson for open-source consumers and maintainers alike; verifying that released packages reproduce from the published source, and signing and checking them, would have exposed the discrepancy. In MITRE ATT&CK terms the chain is supply chain compromise for initial access, a planted server-side backdoor for persistence, and command execution as root through the injected shell call, since Webmin itself runs with root privileges.
