Critical Webmin Vulnerability Let Remote Attackers Escalate Privileges to Root-Level

A critical security vulnerability in Webmin, a widely-used web-based system administration tool, has been discovered, allowing remote attackers to escalate privileges and execute code with root-level access.

Designated as CVE-2025-2774, this flaw poses severe risks to servers running affected versions of the software, potentially enabling full system compromise.

The flaw stems from a CRLF (Carriage Return Line Feed) injection vulnerability in Webmin’s handling of CGI requests. Attackers can exploit improper neutralization of CRLF sequences to manipulate server responses, bypass security controls, and execute arbitrary commands with root privileges. The vulnerability carries a CVSS score of 8.8 (High severity), reflecting its potential for widespread damage.

Vulnerability Details

  • Exploitation requirements: Remote attackers must authenticate to Webmin, but once logged in, they can escalate privileges to root.
  • Impact: Successful exploitation grants full control over the server, enabling configuration changes, malware installation, data theft, and service disruption.
  • Affected versions: Webmin installations prior to version 2.302, released on March 10, 2025.

Webmin developers have urged administrators to update immediately to version 2.302, which includes the fix for this vulnerability. The update also addresses minor regressions in MySQL/MariaDB permissions and improves reliability when saving module configuration.

  • Apply the patch via Webmin’s built-in update mechanism or manual installation.
  • Review system logs for unusual activity, particularly CGI request anomalies.
  • Restrict Webmin access to trusted networks and enforce strong authentication practices.
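As an added illustration of the log review recommended above (not code from the article or the Webmin project), the following Python script scans constructed combined-format access-log lines (the log format and sample traffic are assumptions) for requests to `.cgi` endpoints whose URI carries raw or percent-encoded CR/LF characters, the generic marker of a CRLF injection attempt. It does not reproduce the CVE-2025-2774 payload, which the article does not give.

```python
import re
from urllib.parse import unquote

# Combined-log-style lines: constructed sample data, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - admin [05/May/2025:10:01:12 +0000] "GET /useradmin/edit_user.cgi?user=alice HTTP/1.1" 200 5120
10.0.0.7 - admin [05/May/2025:10:02:40 +0000] "GET /proc/index.cgi?sort=name%0d%0aX-Injected:%201 HTTP/1.1" 200 2048
10.0.0.7 - admin [05/May/2025:10:02:41 +0000] "POST /updown/fetch.cgi?file=a%0aSet-Cookie:%20x=1 HTTP/1.1" 302 0
10.0.0.9 - - [05/May/2025:10:03:00 +0000] "GET /images/logo.png HTTP/1.1" 200 1234
"""

# Fields of one combined-format line (assumed layout): client IP, ident, user,
# timestamp, request line ("METHOD URI PROTOCOL"), status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Raw CR/LF, their single percent-encodings, and double-encoded variants.
CRLF_RE = re.compile(r'(\r|\n|%0[dD]|%0[aA]|%250[dDaA])')


def find_crlf_cgi_requests(log_text):
    """Return (ip, user, uri) for every *.cgi request whose URI contains CR/LF markers."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as access-log entries
        uri = m.group("uri")
        path = uri.split("?", 1)[0]
        if not path.endswith(".cgi"):
            continue  # only CGI handlers are in scope for this check
        # Inspect the raw URI and one level of decoding so that both
        # single-encoded and double-encoded CR/LF sequences are caught.
        if CRLF_RE.search(uri) or CRLF_RE.search(unquote(uri)):
            hits.append((m.group("ip"), m.group("user"), uri))
    return hits


if __name__ == "__main__":
    for ip, user, uri in find_crlf_cgi_requests(SAMPLE_LOG):
        print(f"CRLF marker in CGI request from {ip} (user {user}): {uri}")
```

A hit is a reason to pull the full request and the session's other activity, since a legitimate parameter value should not contain line breaks.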

This vulnerability highlights persistent risks in widely deployed administrative tools. Webmin, with over 1 million annual installations, is a high-value target for attackers seeking to infiltrate enterprise networks.

The discovery follows a history of security issues in Webmin, including a 2024 privilege escalation flaw (CVE-2024-12828) and a 2021 backdoor incident.

Security researchers emphasize that CRLF injection flaws often stem from insufficient input validation, underscoring the need for rigorous code auditing in critical infrastructure tools.

As of May 5, 2025, no widespread exploitation has been reported, but the public disclosure timeline (February 28–May 1) suggests attackers may soon weaponize the flaw.

In a forum post, Webmin’s maintainer stated the 2.302 release “should be considered a high priority,” noting additional enhancements to SSH server management and firewall rule APIs. The patch also improves German translations and fixes HTML escaping in date fields.

Administrators are advised to monitor Webmin’s security page for future updates and adhere to least-privilege principles to minimize attack surfaces. With root access at stake, prompt action is critical to prevent large-scale breaches.
