CVE-2024-12828

HIGH

Webmin - OS Command Injection

Title source: rule

Description

Webmin CGI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Webmin. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of CGI requests. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-22346.

Exploits (1)

nomisec WORKING POC

by fanjm2025-jeremy · poc

https://github.com/fanjm2025-jeremy/CVE-2024-12828-PoC

View Code ZIP pw:eip

References (2)

[Third Party Advisory] https://www.zerodayinitiative.com/advisories/ZDI-24-1725/

[Patch] https://github.com/webmin/authentic-theme/commit/61e5b10227b50407e3c6ac494ffbd4385d1b59df

Scores

CVSS v3 8.8

EPSS 0.2172

EPSS Percentile 95.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (1)

webmin/webmin 2.104

Published Dec 30, 2024

Tracked Since Feb 18, 2026