Port 10000 (TCP) – Webmin

Default web port for Webmin, the browser-based Unix/Linux system administration panel.

tcp, Registered, Commonly attacked

Default state

Open on servers running Webmin, often exposed to the internet for remote administration.

Common attacks

  • Pre-auth remote code execution via the CVE-2019-15107 password_change backdoor
  • Credential brute force and password spraying against the login
  • Exploiting other Webmin RCE/auth bugs to gain root
  • Information disclosure and abuse of admin functions once logged in

CVE-2019-15107

Hardening

  • Update Webmin to a fixed release; the 2019 backdoor affected specific versions
  • Never expose 10000 to the internet — restrict to VPN/bastion and allowlisted IPs
  • Disable the password-change feature unless required
  • Enforce strong credentials, MFA, and rate limiting/lockout
  • Serve only over HTTPS and keep Webmin patched

nmap snippet

nmap -p10000 --script http-title,http-headers <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 10000?

Port 10000 is the default web port for Webmin, a browser-based control panel for administering Unix and Linux servers — managing users, packages, services, firewall rules, cron jobs, and more. It runs as a privileged web application, typically reachable at https://host:10000/, and effectively grants root-level control of the host.

Why it matters for security

Because Webmin operates with root privileges, a compromise of port 10000 usually means full server takeover. It is widely exposed to the internet for convenience, which makes it a prime target. The panel has a notable history of serious bugs — most infamously a pre-auth RCE backdoor, CVE-2019-15107, shipped in specific releases — and its login is a constant brute-force magnet.

How it's attacked

The standout exploit is CVE-2019-15107: a backdoor in the password_change.cgi feature let an unauthenticated attacker run commands as root on 10000. Beyond that, bots brute-force and password-spray the login, and other Webmin auth/RCE flaws are chained to gain root. Once in, an attacker abuses the admin functions to add users, alter services, and persist.

Hardening checklist

Update Webmin to a fixed release — the 2019 backdoor affected specific versions — and never expose 10000 directly; restrict it to a VPN or bastion with allowlisted IPs. Disable the password-change feature if unused, enforce strong credentials, MFA, and rate limiting/lockout, and serve only over HTTPS. Keep Webmin patched. The nmap snippet above fingerprints the panel on systems you are authorized to test.
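One way to check a host against this checklist is to audit Webmin's miniserv.conf (commonly /etc/webmin/miniserv.conf). The script below is an added example, not part of the original page or of Webmin itself. The key meanings it relies on (ssl, allow, bind, passwd_mode=2 enabling the password-change prompt, blockhost_failures) are assumptions based on a stock install and should be confirmed against your version; the sample config is constructed.

```python
# Added example: audit a Webmin miniserv.conf against the hardening checklist.
# Key meanings are assumptions based on stock Webmin and may differ by version.

SAMPLE_CONF = """\
# constructed sample, not taken from a real host
port=10000
ssl=0
passwd_mode=2
blockhost_failures=0
"""

def parse_conf(text):
    """Parse key=value lines, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return (check_id, message) pairs for settings that miss the checklist."""
    findings = []
    if conf.get("ssl", "0") != "1":
        findings.append(("https", "ssl is not 1: panel is served over plain HTTP"))
    if not conf.get("allow", "").split():
        findings.append(("allowlist", "no allow= list: any source IP can reach the login"))
    if not conf.get("bind"):
        findings.append(("bind", "no bind= address: listening on every interface"))
    if conf.get("passwd_mode", "0") == "2":
        findings.append(("password_change", "passwd_mode=2: password-change feature is enabled"))
    failures = conf.get("blockhost_failures", "0")
    if not failures.isdigit() or int(failures) == 0:
        findings.append(("lockout", "blockhost_failures unset or 0: no lockout after failed logins"))
    return findings

if __name__ == "__main__":
    for check, message in audit(parse_conf(SAMPLE_CONF)):
        print(f"[{check}] {message}")
```

An empty result only means these settings match the checklist; it does not show that the installed Webmin release is a fixed one or that a network firewall restricts port 10000.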

Frequently asked questions

What is CVE-2019-15107 in Webmin?

A pre-authentication remote code execution backdoor introduced into certain Webmin builds via the password_change.cgi feature. An unauthenticated attacker could run commands as root on port 10000. Update to a fixed version.

Is it safe to expose Webmin on port 10000 to the internet?

No. Webmin is a root-level admin panel and a frequent exploit and brute-force target. Restrict it to a VPN or bastion, allowlist source IPs, enforce MFA, and keep it patched.