Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable miniserv.pl with no authentication or user interaction (AV:N/PR:N/UI:N); AT:P because the target must be configured for SSL client-certificate authentication, a non-default precondition; full admin compromise yields VC/VI/VA:H.
Primary rating from Vendor (cisa-cg).
Description (CVE.org)
The Webmin HTTP server (miniserv.pl) allows unauthenticated attackers to impersonate any user with a configured SSL client certificate by sending a forged HTTP header. A remote attacker can spoof certificate DNs and authenticate as any user. Fixed in 2.641.
Analysis (AI)
Authentication bypass in Webmin's miniserv.pl HTTP server (versions prior to 2.641) allows remote unauthenticated attackers to impersonate any user, including root/admin, by sending a forged HTTP header that spoofs an SSL client certificate Distinguished Name. The flaw maps to CWE-290 (Authentication Bypass by Spoofing) and is rated CVSS 4.0 9.2 (Critical); a vendor-released fix exists in 2.641, but no public exploit is identified at time of analysis and the issue is not currently listed in CISA KEV.
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)
| Area | Assessment |
|---|---|
| Exploitation | Target must be running Webmin prior to 2.641 with SSL client-certificate authentication enabled in miniserv.pl; this is a non-default authentication mode that an administrator must explicitly configure, and it is the AT:P (Attack Requirements: Present) factor in the CVSS 4.0 vector. … |
| Risk Assessment | Signals largely agree that this is a high-priority issue: CVSS 4.0 9.2 with AV:N/AC:L/PR:N/UI:N reflects a network-reachable, unauthenticated, low-complexity bypass against the admin plane of a privileged management product, with full confidentiality, integrity, and availability impact on the vulnerable system. … |
| Exploit Scenario | A Webmin instance is reachable on the internet (port 10000/tcp) and configured to accept SSL client-certificate authentication for administrative SSO. An attacker connects over HTTPS and injects an HTTP header carrying a forged Distinguished Name matching the root or an existing admin user (e.g., 'CN=root,OU=Admins'); miniserv.pl trusts the header value rather than the TLS-validated peer certificate and grants a session as that user, yielding full Webmin admin control and, by extension, root-equivalent command execution on the underlying host. … |
| Remediation | Vendor-released patch: upgrade to Webmin 2.641 or later, available at https://github.com/webmin/webmin/releases/tag/2.641 with vendor notes at https://webmin.com/security/#webmin-prior-to-2641. … |
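The header-trust flaw described in the assessment above, as an added illustration that is not Webmin's code: a minimal request handler showing the vulnerable pattern (identity taken from a client-controlled header) beside the hardened one (identity taken only from the peer certificate the TLS layer verified), plus a check that flags requests carrying the identity header without a matching verified certificate. The header name `X-Client-Cert-DN`, the DN-to-user map and the request objects are constructed placeholders; the page does not name the real header, and the DN canonicalisation is simplified (no escaped-comma handling).

```python
"""
Illustration of CWE-290 in the shape described for the Webmin issue: a server
that maps an SSL client certificate's Distinguished Name (DN) to a local user
must take the DN from the TLS layer's verified peer certificate, never from a
request header the client controls.

Everything here is constructed for the example: the header name, the user
map, and the requests are placeholders, not Webmin's real header or code.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed DN -> local user map, as an admin might configure for
# client-certificate single sign-on.
CERT_DN_TO_USER = {
    "CN=alice,OU=Admins,O=Example": "alice",
    "CN=bob,OU=Ops,O=Example": "bob",
}

# Hypothetical header name (lowercased, as most servers store header names).
# The real header involved in the flaw is not named on the page.
IDENTITY_HEADER = "x-client-cert-dn"


@dataclass
class Request:
    headers: dict                      # lowercase header name -> value
    tls_peer_dn: Optional[str] = None  # DN of the client cert the TLS layer verified, if any


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN so spacing differences do not defeat the lookup.
    Simplified: real DNs can contain escaped commas, which this ignores."""
    parts = [p.strip() for p in dn.split(",") if p.strip()]
    return ",".join(parts)


def resolve_user_vulnerable(req: Request) -> Optional[str]:
    """Anti-pattern: trust a client-supplied header as the certificate identity.
    Anyone who can set the header is accepted as the mapped user, with no
    client certificate presented at all."""
    dn = req.headers.get(IDENTITY_HEADER)
    if dn is None:
        return None
    return CERT_DN_TO_USER.get(normalize_dn(dn))


def resolve_user_hardened(req: Request) -> Optional[str]:
    """Fix: the only identity source is the DN the TLS layer verified.
    The header is ignored entirely for authentication decisions."""
    if req.tls_peer_dn is None:
        return None
    return CERT_DN_TO_USER.get(normalize_dn(req.tls_peer_dn))


def spoof_indicators(req: Request) -> List[str]:
    """Detection aid: report an identity header that does not match the
    verified certificate, so spoofing attempts surface in logs."""
    findings: List[str] = []
    header_dn = req.headers.get(IDENTITY_HEADER)
    if header_dn is None:
        return findings
    if req.tls_peer_dn is None:
        findings.append("identity header present but no verified client certificate")
    elif normalize_dn(header_dn) != normalize_dn(req.tls_peer_dn):
        findings.append("identity header DN differs from verified certificate DN")
    return findings


if __name__ == "__main__":
    # Constructed request: header only, no TLS client certificate.
    forged = Request(headers={IDENTITY_HEADER: "CN=alice, OU=Admins, O=Example"})
    print("vulnerable resolves forged header to:", resolve_user_vulnerable(forged))
    print("hardened resolves forged header to:", resolve_user_hardened(forged))
    print("indicators:", spoof_indicators(forged))
```

The hardened resolver does not reject the request outright when the header is present, since a benign reverse proxy in front of the server may legitimately add such a header; the point is that the header never decides identity, and `spoof_indicators` gives operators a signal worth alerting on when the header arrives without, or disagrees with, a verified certificate.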
Recommended Action (AI)
Within 24 hours: Identify all systems running Webmin versions prior to 2.641 and restrict network access to the Webmin interface where operationally feasible. …
- MFA bypass in Webmin prior to 2.641 enables remote attackers holding valid credentials to circumvent multi-factor authentication …
- Unauthenticated remote file disclosure in Webmin (all versions prior to 2.641) exposes the contents of any .conf file …
- Stored cross-site scripting in Webmin before 2.641 allows low-privileged authenticated attackers to inject arbitrary JavaScript …
Same weakness: CWE-290 – Authentication Bypass by Spoofing
Same technique: Authentication Bypass
EUVD-2026-37909
GHSA-23xj-gfh3-wf2h