To exploit the malicious code, your Webmin installation must have Webmin ->
Webmin Configuration -> Authentication -> Password expiry policy set to
Prompt users with expired passwords to enter a new one. This option is not
set by default, but if it is set, it allows remote code execution.