CVE-2026-45744
Modified - Updated After Analysis
OS Command Injection in Termix Server Management Platform

Publication date: 2026-06-05

Last updated on: 2026-06-08

Assigner: GitHub, Inc.

Description
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolvePath endpoint in Termix is vulnerable to OS command injection. The endpoint uses double-quote escaping for shell command construction, which does not prevent $(...) and backtick command substitution. Any authenticated user with an active File Manager SSH session can execute arbitrary commands on the connected remote host. Version 2.3.2 patches the issue.

Meta Information
Published: 2026-06-05
Last Modified: 2026-06-08
Generated: 2026-06-27
AI Q&A: 2026-06-05
EPSS Evaluated: 2026-06-25

Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
termix | termix | From 2.1.0 (inc) to 2.3.2 (exc)

CWE ID | Description
CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Compliance Impact

The vulnerability allows authenticated users to execute arbitrary commands on connected remote hosts via the Termix File Manager SSH feature. This can lead to unauthorized data access, data theft, and manipulation of files, which may result in violations of data protection regulations such as GDPR and HIPAA that require strict controls over data confidentiality and integrity.

Because the vulnerability enables remote code execution with high impact on confidentiality, integrity, and availability, organizations using affected versions of Termix may face compliance risks if sensitive personal or health data is exposed or altered due to exploitation.

Executive Summary

CVE-2026-45744 is an OS command injection vulnerability in the Termix web-based server management platform, specifically in the GET /ssh/file_manager/ssh/resolvePath endpoint. This endpoint uses double-quote escaping when constructing shell commands, which does not prevent command substitution via $(...) or backticks. As a result, any authenticated user with an active File Manager SSH session can inject and execute arbitrary commands on the connected remote host.

The vulnerability arises because the path parameter is processed with decodeURIComponent() and only double quotes are escaped, but double-quoted strings in POSIX shells still interpret command substitution and other shell metacharacters. This inconsistent escaping allows attackers to run commands such as id and whoami, read sensitive files like /etc/passwd, or even write to the filesystem.

Impact Analysis

This vulnerability can have severe impacts because it allows authenticated users to execute arbitrary commands on any SSH host connected via Termix's File Manager. This can lead to full remote code execution on the target system.

  • Data theft by reading sensitive files.
  • File manipulation, including unauthorized modification or deletion.
  • Further network compromise by using the affected host as a pivot point.

Detection Guidance

This vulnerability can be detected by testing the vulnerable endpoint /ssh/file_manager/ssh/resolvePath for OS command injection. Because the endpoint escapes only double quotes and therefore still allows command substitution via $(...) or backticks, you can attempt to inject a command to verify whether an instance is affected.

  • Use an authenticated session with the File Manager SSH feature in Termix.
  • Send crafted GET requests to the /ssh/file_manager/ssh/resolvePath endpoint with payloads containing command substitution, such as: $(id), $(whoami), or backtick-enclosed commands like `cat /etc/passwd`.
  • Example command to test via curl (replace the placeholders accordingly; the payload is single-quoted so that the local shell sends it literally instead of expanding it before the request is made):
    curl -G --cookie "<auth_cookie>" --data-urlencode 'path=$(id)' https://<termix-server>/ssh/file_manager/ssh/resolvePath

If the response includes output from the injected command (e.g., user id information), the vulnerability is present.
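
For retrospective detection, the same indicators can be searched for in web or reverse-proxy access logs. The following is an added example, not part of the advisory or of Termix: the log format, the sample lines and the function names are constructed assumptions, and the second decoding pass mirrors the decodeURIComponent() call the summary describes.

```javascript
// Added example. The access-log format and every sample line are constructed.
const ENDPOINT = "/ssh/file_manager/ssh/resolvePath";

const sampleLog = [
  '192.0.2.10 - - [05/Jun/2026:10:00:01 +0000] "GET /ssh/file_manager/ssh/resolvePath?path=%2Fvar%2Flog HTTP/1.1" 200 41',
  '192.0.2.44 - - [05/Jun/2026:10:02:17 +0000] "GET /ssh/file_manager/ssh/resolvePath?path=%24%28id%29 HTTP/1.1" 200 88',
  '192.0.2.44 - - [05/Jun/2026:10:02:30 +0000] "GET /ssh/file_manager/ssh/resolvePath?path=%2Ftmp%2F%60whoami%60 HTTP/1.1" 200 52',
  '192.0.2.51 - - [05/Jun/2026:10:03:09 +0000] "GET /ssh/file_manager/ssh/resolvePath?path=%2524%2528id%2529 HTTP/1.1" 200 88',
  '192.0.2.10 - - [05/Jun/2026:10:05:00 +0000] "GET /health?probe=%24%28id%29 HTTP/1.1" 200 2',
];

// The value as the query parser sees it, plus one further decodeURIComponent
// pass (assumption: the handler's own decode runs on top of the framework's).
function decodings(value) {
  const out = [value];
  try {
    out.push(decodeURIComponent(value));
  } catch {
    // Malformed percent-escape: keep only the first decoding.
  }
  return out;
}

// Returns a finding for one log line, or null if the line is not of interest.
function inspect(line) {
  const m = /"GET (\S+) HTTP\/[\d.]+"/.exec(line);
  if (!m) return null;
  let url;
  try { url = new URL(m[1], "http://log.invalid"); } catch { return null; }
  if (url.pathname !== ENDPOINT) return null;
  const raw = url.searchParams.get("path");
  if (raw === null) return null;
  for (const candidate of decodings(raw)) {
    // "$(" and a backtick both start command substitution inside double quotes.
    const hit = /\$\(|`/.exec(candidate);
    if (hit) return { client: line.split(" ")[0], path: candidate, token: hit[0] };
  }
  return null;
}

function scan(lines) {
  return lines.map(inspect).filter(Boolean);
}

console.log(scan(sampleLog));
```

A hit shows that a request carried substitution syntax, not that a command ran; correlate it with the session's user and with activity on the connected SSH host.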

Mitigation Strategies

The immediate mitigation step is to upgrade Termix to version 2.3.2 or later, where the vulnerability is patched.

If upgrading is not immediately possible, restrict access to the Termix File Manager SSH feature to trusted users only, as exploitation requires authenticated access.

Avoid using the vulnerable endpoint or disable the File Manager SSH feature temporarily if feasible.

Long-term fixes involve replacing the double-quote escaping with single-quote escaping or avoiding shell command construction by using safer alternatives like SFTP's realpath() function.
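
The difference between the two quoting styles can be observed directly by handing each form to a local POSIX shell. This is an added example, not Termix's code: the function names are hypothetical, the inputs are constructed, and the substitutions only echo a marker string.

```javascript
// Added example: function names are hypothetical, not taken from Termix.
const { execFileSync } = require("node:child_process");

// Pattern described in the advisory: escape only `"` and wrap in double quotes.
function doubleQuoteEscape(path) {
  return '"' + path.replace(/"/g, '\\"') + '"';
}

// POSIX single quoting: nothing is special inside '...'. A literal ' is written
// by closing the quote, emitting \' and reopening the quote.
function singleQuoteEscape(path) {
  return "'" + path.replace(/'/g, "'\\''") + "'";
}

// Ask a local sh what argument it actually receives after parsing the quoting.
function shellSees(quotedArg) {
  return execFileSync("sh", ["-c", "printf %s " + quotedArg], { encoding: "utf8" });
}

function compare(path) {
  return {
    input: path,
    doubleQuoted: shellSees(doubleQuoteEscape(path)),
    singleQuoted: shellSees(singleQuoteEscape(path)),
  };
}

// Constructed inputs; the command substitutions are harmless echoes.
const samples = [
  "/var/log/app",
  "/tmp/$(echo INJECTED)",
  "/tmp/`echo INJECTED`",
  "/tmp/it's \"here\"",
];

for (const s of samples) console.log(compare(s));
```

With double quotes the shell evaluates the substitution and the marker appears in the argument; with single quotes the argument always equals the input.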
