CVE-2025-61541: n/a
CVE-2025-61541 is a Host Header Injection vulnerability in Webmin 2.510 affecting the password reset functionality. The vulnerability arises because the reset link sent to users is constructed using the HTTP Host header without proper validation. An attacker can manipulate this header to inject a malicious domain into the reset email, causing victims to receive a reset link pointing to an attacker-controlled site. If a victim clicks the poisoned link, the attacker can intercept the reset token and gain full control over the victim's Webmin account. This vulnerability does not require user authentication but does require user interaction (clicking the malicious link). No known exploits are currently in the wild, and no patches have been published yet. European organizations using Webmin 2.510 for system administration are at risk, especially those with exposed Webmin interfaces. Immediate mitigation steps include restricting access to Webmin interfaces, monitoring HTTP Host headers, and educating users about phishing risks.
AI Analysis
Technical Summary
CVE-2025-61541 is a vulnerability identified in Webmin version 2.510, specifically within its password reset functionality implemented in the forgot_send.cgi script. The core issue is a Host Header Injection vulnerability, where the reset link sent to users is dynamically constructed using the HTTP Host header via the function get_webmin_email_url(). Because the Host header is user-controllable and not properly validated or sanitized, an attacker can supply a malicious Host header value when triggering a password reset. This manipulation causes the reset email to contain a link pointing to an attacker-controlled domain rather than the legitimate Webmin server. When a victim clicks this poisoned reset link, the attacker can intercept the reset token embedded in the URL. With this token, the attacker can reset the victim's password and gain full control over the victim's Webmin account, potentially compromising the underlying systems managed by Webmin. The vulnerability does not require prior authentication, increasing its risk profile. However, exploitation requires social engineering to convince the victim to click the malicious link. No patches or fixes have been published yet, and no exploits are known to be active in the wild. The vulnerability was reserved on 2025-09-26 and published on 2025-10-16, indicating recent discovery and disclosure. Webmin is widely used for Unix/Linux system administration via a web interface, making this vulnerability significant for organizations relying on it for server management. The lack of a CVSS score necessitates a severity assessment based on impact and exploitability factors.
Potential Impact
The impact of CVE-2025-61541 on European organizations can be substantial, particularly for those relying on Webmin 2.510 for system administration. Successful exploitation allows attackers to hijack user accounts by intercepting password reset tokens, leading to full account takeover. This compromises confidentiality, as attackers gain access to sensitive system configurations and data. Integrity is affected because attackers can alter system settings, install backdoors, or create persistent access. Availability may also be impacted if attackers disrupt system operations or lock out legitimate administrators. The vulnerability's exploitation requires no authentication but does require user interaction, making phishing campaigns a likely attack vector. European organizations with exposed Webmin interfaces, especially in sectors like finance, government, healthcare, and critical infrastructure, face elevated risks. The ability to control administrative accounts could facilitate lateral movement within networks, data exfiltration, or deployment of ransomware. The absence of patches increases the window of exposure. Given the widespread use of Webmin in Europe and the critical nature of systems it manages, the potential operational and reputational damage is significant.
Mitigation Recommendations
To mitigate CVE-2025-61541, organizations should implement several specific measures beyond generic advice:
1) Restrict access to Webmin interfaces using network-level controls such as VPNs, IP whitelisting, or firewall rules to limit exposure to trusted networks only.
2) Implement strict validation and filtering of HTTP Host headers at the web server or reverse proxy level to reject or sanitize suspicious header values before they reach Webmin.
3) Educate users and administrators about phishing risks, emphasizing caution when clicking password reset links and verifying URLs carefully.
4) Monitor logs for unusual password reset requests or Host header anomalies that may indicate exploitation attempts.
5) If possible, temporarily disable the password reset functionality or replace it with an out-of-band reset process until a patch is available.
6) Keep Webmin installations updated and subscribe to vendor advisories to apply patches promptly once released.
7) Employ multi-factor authentication (MFA) for Webmin accounts to reduce the impact of credential compromise.
8) Consider deploying web application firewalls (WAFs) with rules to detect and block Host header injection attempts.
These targeted actions will reduce the attack surface and limit the potential for successful exploitation.
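The following is an added example, not Webmin's own code, showing the defensive pattern behind mitigation steps 2 and 4: the reset link is built only from a configured canonical origin, the Host header is compared exactly against an allowlist, and the same check is run over request-log lines to surface reset requests carrying an unexpected Host value. The allowlist, the `/reset` path and the log format are assumptions constructed for illustration; only `forgot_send.cgi` comes from the advisory.

```python
"""Reset-link construction that does not trust the Host header, plus a check
over request-log lines for Host values outside the allowlist.
Added example: not Webmin's code; names, paths and log lines are constructed."""
import re
from urllib.parse import urlunsplit

# Constructed allowlist of hostnames this Webmin instance is legitimately served on.
ALLOWED_HOSTS = {"webmin.example.org", "webmin.example.org:10000"}
# The only origin reset links are ever built from (assumed configuration value).
CANONICAL_SCHEME, CANONICAL_NETLOC = "https", "webmin.example.org:10000"
RESET_PATH = "/reset"  # assumed path; the real Webmin reset endpoint is not on the page


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Exact, case-insensitive match. No suffix or substring matching, which is
    what would let 'webmin.example.org.evil.test' slip through."""
    if not host_header:
        return False
    return host_header.strip().lower() in {h.lower() for h in allowed}


def vulnerable_reset_url(host_header, token):
    """The pattern the advisory describes: the network location is taken straight
    from the request, so whoever sets the Host header decides where the token goes."""
    return urlunsplit(("https", host_header, RESET_PATH, f"token={token}", ""))


def hardened_reset_url(host_header, token):
    """Always build from the configured origin; the Host header only feeds
    detection. Returns (url, anomaly) so the caller can log a mismatch."""
    anomaly = None if host_is_allowed(host_header) else host_header
    url = urlunsplit((CANONICAL_SCHEME, CANONICAL_NETLOC, RESET_PATH, f"token={token}", ""))
    return url, anomaly


# Constructed log format: "<timestamp> host=<Host header> <method> <path>"
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) (?P<method>\S+) (?P<path>\S+)$")


def suspicious_reset_requests(log_lines):
    """Return (timestamp, host) for password-reset requests whose Host header
    is outside the allowlist: the anomaly mitigation step 4 asks to watch for."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["path"].endswith("/forgot_send.cgi") and not host_is_allowed(m["host"]):
            hits.append((m["ts"], m["host"]))
    return hits


SAMPLE_LOG = [  # constructed sample lines
    "2025-10-16T14:59:00Z host=webmin.example.org:10000 POST /forgot_send.cgi",
    "2025-10-16T14:59:07Z host=attacker.example POST /forgot_send.cgi",
    "2025-10-16T14:59:09Z host=attacker.example GET /index.cgi",
]
```

The same exact-match rule can be enforced one hop earlier in a reverse proxy, so that requests with a non-allowlisted Host never reach Webmin at all.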
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68f108349f8a5dbaeadb9483
Added to database: 10/16/2025, 2:59:00 PM
Last enriched: 10/16/2025, 3:14:21 PM
Last updated: 10/16/2025, 4:52:38 PM