CVE-2006-3392

Usermin < 1.220 - Arbitrary File Read via Path Traversal with URL-Encoded Bypass

Exploitation Summary

EIP tracks 10 public exploits for CVE-2006-3392. PoCs have been published by UmZ, joffer and IvanGlinkin, among others, and a Metasploit module (auxiliary/admin/webmin/file_disclosure) exists. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages a directory traversal vulnerability in Webmin and Usermin versions prior to 1.29x to disclose arbitrary files. It constructs a malicious URL with encoded traversal sequences to bypass authentication and retrieve file contents via HTTP/HTTPS.

Description

Webmin before 1.290 and Usermin before 1.220 call the simplify_path function before decoding HTML, which allows remote attackers to read arbitrary files, as demonstrated using "..%01" sequences, which bypass the removal of "../" sequences before bytes such as "%01" are removed from the filename. NOTE: This is a different issue than CVE-2006-3274.
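To make the ordering bug concrete, here is an added Python model (not Webmin's own Perl code) of the two pipelines: the pre-fix order that simplifies the path before decoding, and the corrected order that decodes and strips control bytes before simplifying. DOC_ROOT, the sample request path and all function names are constructed for this demonstration.

```python
import posixpath
import re
from urllib.parse import unquote

DOC_ROOT = "/var/www/webmin-root"  # constructed document root for the demo

def simplify_path(path: str) -> str:
    """Collapse '.' and '..' segments. Only a segment that is exactly '..'
    counts as a parent reference, so an encoded '..%01' passes straight through."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)

def strip_control_bytes(path: str) -> str:
    """Remove bytes such as \\x01 from the filename (last step in both orderings)."""
    return re.sub(r"[\x00-\x1f]", "", path)

def vulnerable_resolve(url_path: str) -> str:
    """Pre-1.290/1.220 ordering: simplify, then decode, then strip.
    '..%01' survives simplify_path, decodes to '..\\x01', and the final strip
    turns it into a bare '..' that the filesystem will honour."""
    p = strip_control_bytes(unquote(simplify_path(url_path)))
    return posixpath.normpath(DOC_ROOT + p)

def hardened_resolve(url_path: str) -> str:
    """Corrected ordering: decode and strip first, so every parent reference
    is a literal '..' by the time simplify_path collapses it."""
    p = simplify_path(strip_control_bytes(unquote(url_path)))
    return posixpath.normpath(DOC_ROOT + p)

def inside_root(resolved: str) -> bool:
    """Defensive check a file handler should make regardless: stay under DOC_ROOT."""
    return resolved == DOC_ROOT or resolved.startswith(DOC_ROOT + "/")

if __name__ == "__main__":
    sample = "/..%01/..%01/..%01/..%01/etc/hostname"  # constructed request path
    for name, fn in (("vulnerable", vulnerable_resolve), ("hardened", hardened_resolve)):
        r = fn(sample)
        print(f"{name:10s} -> {r}  inside_root={inside_root(r)}")
```

A plain "../" request is blocked by both orderings; only the encoded form separates them, which is why a containment check on the final resolved path is the robust defence.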

Exploits (10)

exploitdb · WORKING POC · VERIFIED
by UmZ · perl · remote · multiple
https://www.exploit-db.com/exploits/2017

This exploit leverages a directory traversal vulnerability in Webmin and Usermin versions prior to 1.29x to disclose arbitrary files. It constructs a malicious URL with encoded traversal sequences to bypass authentication and retrieve file contents via HTTP/HTTPS.

Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Webmin and Usermin < 1.29x
Authentication: none needed
Prerequisites: LWP::Simple and LWP::UserAgent Perl modules · Network access to the target Webmin/Usermin instance
devstral-2 · analyzed Feb 16, 2026
exploitdb · WORKING POC · VERIFIED
by joffer · php · remote · multiple
https://www.exploit-db.com/exploits/1997

This exploit leverages a directory traversal vulnerability in Webmin/Usermin (CVE-2006-3392) to disclose arbitrary files by manipulating the URL path with encoded traversal sequences. It uses cURL to fetch the target file and outputs its contents.

Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Webmin/Usermin < 1.290
Authentication: none needed
Prerequisites: Network access to the Webmin/Usermin interface · Knowledge of the target file path
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 14 stars
by IvanGlinkin · poc
https://github.com/IvanGlinkin/CVE-2006-3392

This repository contains a functional bash script that exploits CVE-2006-3392, an arbitrary file disclosure vulnerability in Webmin < 1.290 and Usermin < 1.220. The script uses a directory traversal technique with URL-encoded null bytes to read arbitrary files from the target system.

Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Webmin < 1.290 / Usermin < 1.220
Authentication: none needed
Prerequisites: Target system running vulnerable Webmin/Usermin · Network access to the target system
devstral-2 · analyzed Feb 18, 2026
nomisec · WORKING POC · 3 stars
by brosck · poc
https://github.com/brosck/CVE-2006-3392

The repository contains a functional Python exploit for CVE-2006-3392, which leverages a directory traversal vulnerability in Webmin/Usermin by using '..%01' sequences to bypass path sanitization and read arbitrary files. The PoC demonstrates file reading via crafted HTTP requests.

Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Webmin < 1.290, Usermin < 1.220
Authentication: none needed
Prerequisites: Network access to vulnerable Webmin/Usermin instance
devstral-2 · analyzed Feb 18, 2026
nomisec · WORKING POC · 1 star
by g1vi · poc
https://github.com/g1vi/CVE-2006-3392

The repository contains a functional exploit script for CVE-2006-3392, which leverages a path traversal vulnerability in Webmin/Usermin due to improper handling of URL-encoded sequences like '..%01'. The exploit uses a crafted URL to disclose arbitrary files from the target system.

Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Webmin < 1.290, Usermin < 1.220
Authentication: none needed
Prerequisites: Target must be running vulnerable Webmin/Usermin · Network access to the target
devstral-2 · analyzed Feb 18, 2026
nomisec · WORKING POC · 1 star
by 0xtz · poc
https://github.com/0xtz/CVE-2006-3392

This Python script exploits CVE-2006-3392, an arbitrary file disclosure vulnerability in Webmin/Usermin. It constructs a URL with a path traversal payload ('/.%01' repeated 40 times) to bypass authentication and read arbitrary files from the server.

Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Webmin < 1.290 / Usermin < 1.220
Authentication: none needed
Prerequisites: Target server running vulnerable Webmin/Usermin · Network access to the target
devstral-2 · analyzed Feb 18, 2026
nomisec · WORKING POC
by gb21oc · poc
https://github.com/gb21oc/ExploitWebmin

The repository contains a functional Python exploit for CVE-2006-3392, a directory traversal vulnerability in Webmin. The exploit constructs a malicious URL with a payload of '..%01/' repeated 12 times to bypass authentication and access arbitrary files on the target system.

Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Webmin (versions affected by CVE-2006-3392)
Authentication: none needed
Prerequisites: Target Webmin instance vulnerable to CVE-2006-3392 · Network access to the target
devstral-2 · analyzed Feb 18, 2026
nomisec · WORKING POC
by kernel-cyber · poc
https://github.com/kernel-cyber/CVE-2006-3392

The repository contains a functional exploit for CVE-2006-3392, targeting Webmin and Usermin versions before 1.290 and 1.220, respectively. The exploit leverages a path traversal vulnerability by using encoded sequences (e.g., '..%01') to bypass path simplification and read arbitrary files.

Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Webmin < 1.290, Usermin < 1.220
Authentication: none needed
Prerequisites: Network access to the target Webmin/Usermin instance
devstral-2 · analyzed Feb 18, 2026
nomisec · WORKING POC
by Adel-kaka-dz · poc
https://github.com/Adel-kaka-dz/CVE-2006-3392

The repository contains a functional Python script that exploits CVE-2006-3392, a directory traversal vulnerability in Webmin/Usermin, allowing arbitrary file disclosure via a crafted HTTP request with path traversal sequences.

Classification: Working PoC (90%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Webmin < 1.290 / Usermin < 1.220
Authentication: none needed
Prerequisites: Network access to the target Webmin/Usermin instance · Target running a vulnerable version of Webmin/Usermin
devstral-2 · analyzed Feb 18, 2026
metasploit · WORKING POC
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/webmin/file_disclosure.rb

This Metasploit auxiliary module exploits a directory traversal vulnerability in Webmin and Usermin to disclose arbitrary file contents without authentication. It constructs a malicious URI with encoded traversal sequences to bypass access controls.

Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Webmin (versions prior to 1.290) and Usermin (versions prior to 1.220)
Authentication: none needed
Prerequisites: Network access to the Webmin/Usermin service (default port 10000) · Knowledge of the target file path
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure
Severity: MEDIUM · by s4e-io
Shodan: http.title:"webmin"
FOFA: title="webmin"

References (18)

Patch, Vendor Advisory (secunia): http://secunia.com/advisories/21365
Third Party Advisory (gentoo): http://security.gentoo.org/glsa/glsa-200608-11.xml
Various Sources (confirm): http://www.webmin.com/changes.html
Third Party Advisory, VDB Entry (bugtraq): http://www.securityfocus.com/archive/1/440125/100/0/threaded
Vendor Advisory (secunia): http://secunia.com/advisories/21105
Third Party Advisory, VDB Entry (bid): http://www.securityfocus.com/bid/18744
Third Party Advisory, VDB Entry (bugtraq): http://www.securityfocus.com/archive/1/440493/100/0/threaded
Third Party Advisory, VDB Entry (bugtraq): http://www.securityfocus.com/archive/1/440466/100/0/threaded
US Government Resource (cert-vn): http://www.kb.cert.org/vuls/id/999601
Third Party Advisory (debian): http://www.debian.org/security/2006/dsa-1199
Various Sources (vim): http://attrition.org/pipermail/vim/2006-June/000912.html
Patch, Vendor Advisory (secunia): http://secunia.com/advisories/20892
Vendor Advisory (mandriva): http://www.mandriva.com/security/advisories?name=MDKSA-2006:125
Vendor Advisory (vupen): http://www.vupen.com/english/advisories/2006/2612
Third Party Advisory, VDB Entry (bugtraq): http://www.securityfocus.com/archive/1/439653/100/0/threaded
Patch (osvdb): http://www.osvdb.org/26772
Vendor Advisory (secunia): http://secunia.com/advisories/22556
Various Sources (vim): http://attrition.org/pipermail/vim/2006-July/000923.html

Scores

EPSS 0.8694
EPSS Percentile 99.5%

Details

Status published
Products (2)
usermin/usermin < 1.210
webmin/webmin < 1.2.80
Published Jul 06, 2006
Tracked Since Feb 18, 2026