CVE-2025-49091
BaseFortify
Publication date: 2025-06-11
Last updated on: 2025-06-18
Assigner: MITRE
Exploitability
| CWE ID | Description |
|---|---|
| CWE-670 | The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-49091 is a remote code execution vulnerability in KDE's Konsole terminal emulator versions before 25.04.2. Konsole supports URL scheme handlers like ssh://, telnet://, and rlogin://. When a user clicks such a URL, Konsole tries to run the corresponding client (ssh, telnet, or rlogin). However, if the required client is not installed, Konsole falls back to executing /bin/bash with the URL argument as a script. This fallback allows an attacker to execute arbitrary code remotely by tricking a user into opening a malicious URL that triggers this behavior. The vulnerability can be exploited via social engineering, for example, by convincing a user to open a telnet:// URL from a malicious website, which then causes Konsole to run attacker-controlled scripts. [1, 3, 4]
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute arbitrary code on your system remotely if you use a vulnerable version of Konsole and are tricked into opening a malicious URL with a telnet://, ssh://, or rlogin:// scheme. The attack does not depend on the telnet, ssh, or rlogin clients being present; it relies on one of them being absent, so that Konsole falls back to running the URL argument through /bin/bash, potentially leading to system compromise, data theft, or unauthorized actions. The attack requires user interaction, such as accepting a browser prompt to open the URL. Systems with default KDE Plasma Desktop installations missing these clients are particularly at risk. [1, 3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your system has a vulnerable version of Konsole installed (prior to 25.04.2) and if the KTelnetService URL scheme handlers (telnet://, rlogin://, ssh://) are registered, particularly if the telnet, rlogin, or ssh clients are missing. You can check the Konsole version by running `konsole --version`. To verify if the KTelnetService handler file exists, check for `/usr/share/applications/ktelnetservice6.desktop`. Additionally, monitor for suspicious usage of these URL schemes or unexpected execution of /bin/bash triggered by such URLs. A practical detection command example is to check for the presence of the handler file and the absence of telnet, rlogin, or ssh binaries: `ls /usr/share/applications/ktelnetservice6.desktop && ! command -v telnet && ! command -v rlogin && ! command -v ssh`. Also, review browser or system logs for attempts to open telnet:// or similar URLs. Since the vulnerability involves user interaction via browser prompts, monitoring user acceptance of such prompts can help detect exploitation attempts. [1, 3, 4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Konsole to version 25.04.2 or later, which contains the fix that prevents arbitrary code execution by clearing the command arguments when the protocol client is missing. If upgrading is not immediately possible, you can either install the missing protocol clients (telnet, ssh, rlogin) so that the fallback to bash is never reached, or delete the file `/usr/share/applications/ktelnetservice6.desktop` to disable the KTelnetService URL scheme handlers. These steps prevent Konsole from executing arbitrary code when handling telnet://, ssh://, or rlogin:// URLs. Additionally, educate users to be cautious about accepting browser prompts to open such URL schemes to reduce social engineering risks. [1, 3, 4]
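The detection one-liner in the answer above only reports a host on which all three clients are absent, while the fallback described in the advisory is reached whenever any single client is missing. The following script, an added example that is not part of this page or of KDE's own tooling, checks the three conditions separately (vulnerable Konsole version, KTelnetService handler registered, at least one scheme client missing) and prints which of the mitigations listed in the answer above applies. It assumes that `konsole --version` prints `konsole <version>` on its first line and that KF5 builds register the handler as `ktelnetservice5.desktop` next to the `ktelnetservice6.desktop` path the page names; both are assumptions, not facts taken from the page.

```shell
#!/bin/sh
# Added example (not from the advisory page or from KDE): local exposure check for the
# CVE-2025-49091 conditions. Assumptions: "konsole --version" prints "konsole <version>"
# on its first line, and KF5 builds ship ktelnetservice5.desktop (ktelnetservice6.desktop
# is the path the page names).

FIXED_VERSION="25.04.2"
HANDLER_FILES="/usr/share/applications/ktelnetservice6.desktop /usr/share/applications/ktelnetservice5.desktop"
SCHEME_CLIENTS="telnet rlogin ssh"

# version_lt A B: succeeds when dot-separated version A sorts before B.
# Fields are compared numerically; a trailing non-digit suffix such as "2-1" is ignored.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
    ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
    ai="${ai:-0}"; bi="${bi:-0}"
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
  done
  return 1
}

# parse_konsole_version "<output of konsole --version>": prints the version field, or nothing.
parse_konsole_version() {
  printf '%s\n' "$1" | awk 'NR == 1 && $1 == "konsole" { print $2 }'
}

# missing_clients: prints the scheme clients from SCHEME_CLIENTS that are not on PATH.
missing_clients() {
  for c in $SCHEME_CLIENTS; do
    if ! command -v "$c" >/dev/null 2>&1; then printf '%s ' "$c"; fi
  done
}

# handler_registered: succeeds when any of the KTelnetService .desktop files exists.
handler_registered() {
  for f in $HANDLER_FILES; do
    if [ -f "$f" ]; then return 0; fi
  done
  return 1
}

# assess VERSION HANDLER(yes|no) MISSING: succeeds only when all three advisory conditions
# hold. An empty VERSION cannot be assessed and fails, so the caller reports it separately.
assess() {
  [ -n "$1" ] || return 1
  version_lt "$1" "$FIXED_VERSION" || return 1
  [ "$2" = "yes" ] || return 1
  [ -n "$3" ] || return 1
  return 0
}

# recommendation VERSION HANDLER MISSING: prints the mitigation from the advisory that applies.
recommendation() {
  if [ -z "$1" ]; then
    echo "verify the Konsole version manually"
  elif ! version_lt "$1" "$FIXED_VERSION"; then
    echo "none required"
  elif [ "$2" = "yes" ] && [ -n "$3" ]; then
    echo "upgrade Konsole to $FIXED_VERSION or later; until then install ${3% } or remove the KTelnetService .desktop file"
  else
    echo "upgrade Konsole to $FIXED_VERSION or later"
  fi
}

main() {
  if ! command -v konsole >/dev/null 2>&1; then
    echo "konsole is not installed on this host: not affected"
    return 0
  fi
  ver="$(parse_konsole_version "$(konsole --version 2>/dev/null)")"
  handler=no
  if handler_registered; then handler=yes; fi
  missing="$(missing_clients)"
  if assess "$ver" "$handler" "$missing"; then
    echo "EXPOSED: konsole $ver (< $FIXED_VERSION), handler registered, missing clients: $missing"
  elif [ -z "$ver" ]; then
    echo "could not parse 'konsole --version' (handler=$handler, missing clients: ${missing:-none})"
  else
    echo "not exposed: konsole $ver, handler=$handler, missing clients: ${missing:-none}"
  fi
  echo "recommended action: $(recommendation "$ver" "$handler" "$missing")"
}

main "$@"
```

Run it as the desktop user on each workstation (the handler file and PATH lookup are evaluated on the host where it runs); the per-client check means a host that has ssh but lacks telnet is correctly reported as exposed, which the all-three one-liner would miss.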