Webmin Backdoor found one year after Hackers released it


A backdoor was recently discovered in Webmin. The Webmin backdoor was injected by a Turkish hacker named Özkan Mustafa Akkuş, and it was present in the software for over a year. The hacker somehow managed to insert the backdoor into Webmin's build infrastructure, and it persisted through several version updates.

Webmin is the most popular (3 million downloads per year) open-source web-based program for administering Unix-based systems, including OpenBSD, FreeBSD, and Linux. It has a self-explanatory, user-friendly interface for managing databases, users, firewalls, backups, Qmail, Postfix, Sendmail, and a lot more.

How was the flaw uncovered

The hacker who injected the Webmin backdoor disclosed it by demonstrating a zero-day remote code execution (RCE) vulnerability in Webmin at DefCon on the 10th of August, without giving any notice to the project developers.

Joe Cooper, who is one of the project developers at Webmin, said:

[Image: Webmin backdoor notification]

The hacker did not only disclose the flaw publicly; he also released a Metasploit exploit for the vulnerability that automates the whole process of using it.


The Webmin backdoor allows an attacker to run arbitrary commands on the system running Webmin. It can also be used to compromise the systems that are managed from that Webmin instance.

Actual Vulnerability

As stated by the researcher, the vulnerability was present on the password reset page and allowed the hacker to run malicious code with root privileges. The system could be compromised simply by adding a pipe character ("|") to the old password field of a POST request.


The vulnerability is tracked as CVE-2019-15107.

Joe Cooper emphasized that the password expiration feature is not enabled in Webmin by default; administrators have to enable it themselves. This means that most versions are not affected by this flaw, and only the users who changed the configuration are vulnerable.


The project developers at Webmin have removed the Webmin backdoor from their system. They have released updated, patched versions: Usermin v1.780 and Webmin v1.930.

In the latest version, the Webmin developers also fixed some other issues, such as cross-site scripting (XSS) bugs reported by a different security researcher, who was rewarded with a bug bounty.

Webmin administrators are advised to update to these versions to prevent any mishap.
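The two conditions described above (a release older than the patched v1.930, and the password expiration feature switched on by an administrator) can be checked on a host with a short script. This is an added example, not code from the Webmin project or from the original article; it assumes the feature is stored as `passwd_mode=2` in `miniserv.conf` and that the default paths are `/etc/webmin/version` and `/etc/webmin/miniserv.conf`, none of which are stated on this page.

```python
"""Added example: triage a Webmin host for the exposure described in the article."""
import re

FIXED_VERSION = (1, 930)  # patched Webmin release named in the article
PROMPT_EXPIRED = "2"      # assumed passwd_mode value that enables the expiry prompt

def parse_version(text):
    """Turn '1.920' into (1, 920) so releases compare numerically."""
    match = re.fullmatch(r"\s*(\d+)\.(\d+)\s*", text)
    if not match:
        raise ValueError(f"unrecognised Webmin version: {text!r}")
    return int(match.group(1)), int(match.group(2))

def parse_miniserv(conf_text):
    """Parse key=value lines, skipping blank lines and comments."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def assess(version_text, conf_text):
    """Return 'patched', 'unpatched-feature-off' or 'exposed'."""
    if parse_version(version_text) >= FIXED_VERSION:
        return "patched"
    # A missing key means the feature was never enabled (off by default).
    mode = parse_miniserv(conf_text).get("passwd_mode", "0")
    return "exposed" if mode == PROMPT_EXPIRED else "unpatched-feature-off"

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """\
port=10000
ssl=1
# password expiry policy changed by an administrator
passwd_mode=2
"""

if __name__ == "__main__":
    for version in ("1.920", "1.930"):
        print(version, assess(version, SAMPLE_CONF))
```

A result of `unpatched-feature-off` still calls for the update recommended above, since the backdoored code remains installed and only the setting keeps it unreachable.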
