Description
Webmin version 1.890 was released with a backdoor that could allow anyone with knowledge of it to execute commands as root. Versions 1.900 to 1.920 also contained a backdoor using similar code, but it was not exploitable in a default Webmin install. Neither of these was an accidental bug. Rather, the Webmin source code had been maliciously modified to add a non-obvious vulnerability.
Remediation
Upgrading to Webmin version 1.930 is strongly recommended. Alternatively, if running versions 1.900 to 1.920, edit /etc/webmin/miniserv.conf, remove the passwd_mode= line, then run /etc/webmin/restart.
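The remediation steps above can be scripted for a fleet check. This is an added example, not code from Webmin or from this advisory; the function names are hypothetical, and reading the installed version from a version file in the Webmin config directory is an assumption about a standard install.

```shell
#!/bin/sh
# Added example: triage and workaround for the backdoored Webmin releases.
# Assumption: the installed version is stored in <config dir>/version.

# Map a version string to the action the advisory gives for it.
webmin_triage() {
    case "$1" in
        1.890) echo "upgrade" ;;                          # backdoor usable by anyone
        1.9[01][0-9]|1.920) echo "upgrade-or-mitigate" ;; # backdoor depends on config
        *) echo "not-listed" ;;                           # outside the advisory's ranges
    esac
}

# Succeeds if the config file contains a passwd_mode= line.
has_passwd_mode() {
    grep -q '^[[:space:]]*passwd_mode=' "$1"
}

# Remove passwd_mode= lines, keeping a .bak copy. Prints "changed" or "unchanged".
strip_passwd_mode() {
    conf=$1
    if has_passwd_mode "$conf"; then
        cp -p "$conf" "$conf.bak" || return 1
        # Redirecting into the existing file keeps its owner and mode.
        sed '/^[[:space:]]*passwd_mode=/d' "$conf.bak" > "$conf"
        echo "changed"
    else
        echo "unchanged"
    fi
}

# Apply the advisory's workaround to one config directory (default /etc/webmin).
webmin_mitigate() {
    dir=${1:-/etc/webmin}
    ver=$(cat "$dir/version" 2>/dev/null) || ver=""
    action=$(webmin_triage "$ver")
    echo "version=${ver:-unknown} action=$action"
    if [ "$action" = "upgrade-or-mitigate" ]; then
        result=$(strip_passwd_mode "$dir/miniserv.conf") || return 1
        echo "miniserv.conf: $result"
        if [ "$result" = "changed" ]; then
            "$dir/restart"   # restart Webmin so the edited config takes effect
        fi
    fi
}

# Usage (as root): source this file, then run: webmin_mitigate /etc/webmin
```

A result of "upgrade" means the config workaround does not apply and the host needs 1.930.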