![New Apple iPad mini 7 On Sale for $399! [Lowest Price Ever]](https://www.iclarified.com/images/news/96096/96096/96096-640.jpg)
![Apple Developing Battery Case for iPhone 17 Air Amid Battery Life Concerns [Report]](https://www.iclarified.com/images/news/97208/97208/97208-640.jpg)
![Apple to Split iPhone Launches Across Fall and Spring in Major Shakeup [Report]](https://www.iclarified.com/images/news/97211/97211/97211-640.jpg)
![Apple to Move Camera to Top Left, Hide Face ID Under Display in iPhone 18 Pro Redesign [Report]](https://www.iclarified.com/images/news/97212/97212/97212-640.jpg)
![The Material 3 Expressive redesign of Google Clock leaks out [Gallery]](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2024/03/Google-Clock-v2.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
![What Google Messages features are rolling out [May 2025]](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2023/12/google-messages-name-cover.png?resize=1200%2C628&quality=82&strip=all&ssl=1)
_Inge_Johnsson-Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![[The AI Show Episode 145]: OpenAI Releases o3 and o4-mini, AI Is Causing “Quiet Layoffs,” Executive Order on Youth AI Education & GPT-4o’s Controversial Update](https://www.marketingaiinstitute.com/hubfs/ep%20145%20cover.png)
![Re-designing a Git/development workflow with best practices [closed]](https://i.postimg.cc/tRvBYcrt/branching-example.jpg)
![From Art School Drop-out to Microsoft Engineer with Shashi Lo [Podcast #170]](https://cdn.hashnode.com/res/hashnode/image/upload/v1746203291209/439bf16b-c820-4fe8-b69e-94d80533b2df.png?#)
![[DEALS] Microsoft 365: 1-Year Subscription (Family/Up to 6 Users) (23% off) & Other Deals Up To 98% Off – Offers End Soon!](https://www.javacodegeeks.com/wp-content/uploads/2012/12/jcg-logo.jpg){kind=logo}
Critical Webmin Vulnerability Let Remote Attackers Escalate Privileges to Root-Level
A critical security vulnerability in Webmin, a widely-used web-based system administration tool, has been discovered, allowing remote attackers to escalate privileges and execute code with root-level access. Designated as CVE-2025-2774, this flaw poses severe risks to servers running affected versions of the software, potentially enabling full system compromise. The flaw stems from a CRLF (Carriage […] The post Critical Webmin Vulnerability Let Remote Attackers Escalate Privileges to Root-Level appeared first on Cyber Security News.
A critical security vulnerability in Webmin, a widely-used web-based system administration tool, has been discovered, allowing remote attackers to escalate privileges and execute code with root-level access.
Designated as CVE-2025-2774, this flaw poses severe risks to servers running affected versions of the software, potentially enabling full system compromise.
The flaw stems from a CRLF (Carriage Return Line Feed) injection vulnerability in Webmin’s handling of CGI requests. Attackers can exploit improper neutralization of CRLF sequences to manipulate server responses, bypass security controls, and execute arbitrary commands with root privileges. The vulnerability carries a CVSS score of 8.8 (High severity), reflecting its potential for widespread damage.
Vulnerability Details
- Exploitation requirements: Remote attackers must authenticate to Webmin, but once logged in, they can escalate privileges to root.
- Impact: Successful exploitation grants full control over the server, enabling configuration changes, malware installation, data theft, and service disruption.
- Affected versions: Webmin installations prior to version 2.302, released on March 10, 2025.
Webmin developers have urged administrators to immediately update to version 2.302, including vulnerability fixes. The update also addresses minor regressions in MySQL/MariaDB permissions and improves reliability in module configuration saving.
- Apply the patch via Webmin’s built-in update mechanism or manual installation.
- Review system logs for unusual activity, particularly CGI request anomalies.
- Restrict Webmin access to trusted networks and enforce strong authentication practices.
This vulnerability highlights persistent risks in widely deployed administrative tools. Webmin, with over 1 million annual installations, is a high-value target for attackers seeking to infiltrate enterprise networks.
The discovery follows a history of security issues in Webmin, including a 2024 privilege escalation flaw (CVE-2024-12828) and a 2021 backdoor incident.
Security researchers emphasize that CRLF injection flaws often stem from insufficient input validation, underscoring the need for rigorous code auditing in critical infrastructure tools.
As of May 5, 2025, no widespread exploitation has been reported, but the public disclosure timeline (February 28–May 1) suggests attackers may soon weaponize the flaw.
In a forum post, Webmin’s maintainer stated the 2.302 release “should be considered a high priority,” noting additional enhancements to SSH server management and firewall rule APIs. The patch also improves German translations and fixes HTML escaping in date fields.
Administrators are advised to monitor Webmin’s security page for future updates and adhere to least-privilege principles to minimize attack surfaces. With root access at stake, prompt action is critical to prevent large-scale breaches.
The post Critical Webmin Vulnerability Let Remote Attackers Escalate Privileges to Root-Level appeared first on Cyber Security News.
