Webmin released a critical update for a 0-day exploit this week. This exploit creates a backdoor for unauthenticated, remote execution of malicious code on Webmin servers.
- This vulnerability appears in software versions 1.890, 1.900 to 1.920.
- Software versions 1.900 to 1.920 are not exploitable in a default installation.
- “Prompt users with expired passwords to enter a new one” must be selected within the Webmin configuration settings for software versions 1.900 to 1.920 to be exploitable.
Webmin software version 1.930 fixes this vulnerability. Vivio systems are configured to receive software updates automatically by default.
We recommend verifying that your system is up-to-date. If you receive updates automatically a reboot may be necessary for the new software update to be applied.
For systems that are not configured to receive Webmin updates automatically, we recommend patching this software immediately.
If you have any questions about this vulnerability and your specific services here at Vivio, please let us know!