Server Admin Tool: Webmin's 2FA bypassable
Webmin is affected by several security flaws. Besides the 2FA bypass, attacks that yield root access are also possible. The developers have released patched versions.
(Image: Artur Szczybylo/Shutterstock.com)
Webmin, the web-based admin tool for Unix servers, is vulnerable. Among other things, attackers can bypass two-factor authentication (2FA); attacks that end in root access are also conceivable. Fixed versions are available for download.
Unauthorized Access
A severity rating for the 2FA vulnerability (CVE-2026-42210) has apparently not yet been assigned. The BSI's emergency response team, CERT-Bund, rates the overall risk as “critical” in a post.
In the security section of the Webmin website, the developers state that 2FA can be bypassed via HTTP Basic authentication. A successful attack still requires the victim's username and password; only the one-time code of the second factor is skipped. That removes exactly the protection 2FA is meant to provide against stolen or reused passwords, so until the update is installed, Webmin accounts should be treated as if they were protected by a password alone.
According to the developers, the vulnerability that leads to root is located in the tool's built-in help pages. How such an attack would proceed in detail is currently unclear. If it succeeds, attackers are said to gain access to the instance as root. From that position they can be assumed to have full control of the system, and because Webmin is used to manage servers remotely, such an attack can have far-reaching consequences.
The third vulnerability, also now fixed, affects the Squid module: here, too, root-level attacks are conceivable in the context of the installed Squid cache manager, and again it is currently unknown how an attack would proceed. So far the developers have not reported any of the three vulnerabilities being exploited in the wild.
Install Update
Admins should make sure they are running at least Webmin 2.640, the first release that contains the security fixes. The current release is 2.641.
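A quick way to check a fleet for the patched release is to compare the installed version against 2.640. The following script is an added example and is not code from the article or from the Webmin project; it assumes the version is stored in /etc/webmin/version (path assumed) or can be read from the Debian package database, and that Webmin version strings have the form MAJOR.MINOR as on this page (2.600, 2.640, 2.641).

```shell
#!/bin/sh
# Added example (not from the article or the Webmin project): report whether
# the locally installed Webmin is at or above the first patched release.
# Assumptions: the version is read from /etc/webmin/version (assumed path) or,
# failing that, from dpkg-query. Adjust for your install layout.

MIN_VERSION="2.640"

# split_version STRING: set $major and $minor from "MAJOR.MINOR[...]".
# Anything non-numeric is rejected so that a garbage string is never
# mistaken for a patched version.
split_version() {
    case "$1" in
        *.*) major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*} ;;
        *)   major=$1; minor=0 ;;
    esac
    case "$major$minor" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# webmin_version_ok VERSION [MIN]: exit 0 if VERSION >= MIN (default 2.640),
# 1 if it is older, 2 if either string cannot be parsed.
webmin_version_ok() {
    split_version "$1" || return 2
    v_major=$major; v_minor=$minor
    split_version "${2:-$MIN_VERSION}" || return 2
    if [ "$v_major" -gt "$major" ]; then
        return 0
    elif [ "$v_major" -lt "$major" ]; then
        return 1
    fi
    [ "$v_minor" -ge "$minor" ]
}

# installed_webmin_version: print the local Webmin version, or nothing if
# no install is found. A Debian package revision suffix (-1) is stripped.
installed_webmin_version() {
    if [ -r /etc/webmin/version ]; then            # assumed path
        tr -d '[:space:]' < /etc/webmin/version
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' webmin 2>/dev/null | sed 's/-.*//'
    fi
}

# Stand-alone use: print a verdict for this host without aborting, so the
# functions above can also be sourced and reused elsewhere.
ver=$(installed_webmin_version)
if [ -z "$ver" ]; then
    echo "webmin: no installation found"
elif webmin_version_ok "$ver"; then
    echo "webmin $ver: patched (>= $MIN_VERSION)"
else
    echo "webmin $ver: VULNERABLE, update to $MIN_VERSION or later"
fi
```

Run it on each host, or source it and call webmin_version_ok with a version collected by your inventory tooling. Comparing major and minor as integers matters here: a naive string comparison would rank 2.105 above 2.640, while a float comparison breaks on versions such as 2.1000.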
Webmin 2.600, released last November, brought a completely revised user interface.
(des)