We have been made aware of a remote exploit in Webmin 1.920 (latest) that would allow users to run arbitrary commands.
The exploited function is the user password change feature, which appears to be enabled by default. We recommend that you disable that feature and also temporarily disable password_change.cgi at the file system level until a patch has been released.
Please monitor the change log for updates:
At the time of writing, no patch has been issued to our knowledge!
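One way to take password_change.cgi offline at the file system level, as recommended above (an added example, not code from this advisory or from the Webmin project). It moves the script out of the served directory instead of changing its mode, because mode bits do not stop a process running as root from reading a file; the directory arguments and the `.disabled` suffix are assumptions.

```shell
#!/bin/sh
# Added example, not Webmin project code. The Webmin install directory and the
# quarantine directory are assumptions supplied by the caller.

# Move password_change.cgi out of the served tree.
# Returns 0 on success, 2 if the script is absent, 3 on a bad quarantine path.
quarantine_cgi() {
    webroot=$1
    quarantine=$2
    cgi="$webroot/password_change.cgi"

    [ -f "$cgi" ] || { echo "not found: $cgi" >&2; return 2; }

    # A quarantine directory inside the served tree could still be reachable.
    case "$quarantine/" in
        "$webroot"/*) echo "quarantine must be outside $webroot" >&2; return 3 ;;
    esac

    mkdir -p "$quarantine" || return 1
    chmod 700 "$quarantine" || return 1
    # mv keeps the file's mode, so undoing the move needs no extra state.
    mv "$cgi" "$quarantine/password_change.cgi.disabled" || return 1

    # Verify: nothing is left at the original path.
    [ ! -e "$cgi" ]
}

# Undo the quarantine (for example if it was applied to the wrong install).
# Returns 2 if nothing was quarantined, 3 if a script is already in place,
# such as one installed by an upgrade, which must not be overwritten.
restore_cgi() {
    webroot=$1
    quarantine=$2
    saved="$quarantine/password_change.cgi.disabled"

    [ -f "$saved" ] || { echo "nothing to restore in $quarantine" >&2; return 2; }
    [ ! -e "$webroot/password_change.cgi" ] || { echo "refusing to overwrite" >&2; return 3; }
    mv "$saved" "$webroot/password_change.cgi"
}

# Usage (both paths are placeholders for your own system):
#   quarantine_cgi /path/to/webmin /root/webmin-quarantine
```

Both directories should be given as absolute paths without a trailing slash, since the inside-the-tree check is a plain prefix comparison.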