A backdoor mechanism was found in Webmin, a popular web-based application used by system administrators to manage remote Unix-based systems, such as Linux, FreeBSD, or OpenBSD servers.
The backdoor mechanism would allow a remote attacker to execute malicious commands with root privileges on the machine running Webmin. Once this machine is compromised, an attacker could then use it to launch attacks on the systems managed through Webmin.
Webmin version 1.930 was released yesterday, August 18, to remove the backdoor mechanism.
The good news is that default Webmin installs do not ship with the password expiration feature enabled. Webmin admins must modify the Webmin config file to enable password expiration for Webmin accounts, meaning most Webmin installations are most likely safe from exploitation attempts.
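The two conditions above (a release older than 1.930, and password expiration turned on in the config file) can be triaged per host with a short script. This is an added example, not code from the article or from the Webmin project. It assumes the feature is controlled by a `passwd_mode` key in a key=value config file, with value `2` meaning users with expired passwords are prompted for a new one; the function names are hypothetical, and the installed version and config path are supplied by the caller.

```shell
#!/bin/sh
# Added example: triage one Webmin host against the two conditions in the article.
FIXED_VERSION="1.930"   # release the article names as removing the backdoor

# Succeeds when version $1 sorts strictly before version $2.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Prints the last value assigned to key $2 in key=value file $1 (empty if unset).
# Surrounding whitespace and CRLF line endings are stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# webmin_triage <installed-version> <config-file>
# Prints one verdict:
#   patched        version is 1.930 or later
#   update         older release, password expiration not enabled
#   update-urgent  older release, password expiration enabled or config unreadable
webmin_triage() {
    version=$1
    conf=$2
    if ! version_lt "$version" "$FIXED_VERSION"; then
        echo "patched"
        return 0
    fi
    # Fail closed: without the config, exposure cannot be ruled out.
    if [ ! -r "$conf" ]; then
        echo "update-urgent"
        return 0
    fi
    # Assumption: passwd_mode=2 is the setting that enables the expired-password
    # prompt. The article does not name the key.
    if [ "$(conf_value "$conf" passwd_mode)" = "2" ]; then
        echo "update-urgent"
    else
        echo "update"
    fi
}
```

Call it as `webmin_triage <version> <path-to-config>` for each managed host; any verdict other than `patched` means the host still needs the 1.930 update.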