Executive Summary

CVE-2026-45748 is a critical remote code execution vulnerability in the Termix web-based server management platform, specifically affecting versions 2.1.0 and earlier.

The vulnerability exists in the POST /ssh/tunnel/connect endpoint, where user-controlled fields such as endpointIP, endpointUsername, and password are directly inserted into a shell command without proper escaping.

This improper handling allows attackers to inject malicious OS commands that execute on the source SSH host without requiring any privileges.

The vulnerability is persistent because the malicious payload is reapplied automatically on every Termix process restart due to auto-start tunnels.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including full compromise of the affected system.

• Attackers can execute arbitrary OS commands remotely on the source SSH host.
• Confidentiality, integrity, and availability of the system are all highly impacted.
• Because the injected commands persist across restarts, attackers can maintain long-term access.
• No privileges or user interaction are required, making exploitation straightforward and low complexity.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for the presence of malicious host records that contain command injection payloads in the Termix configuration or logs. Since the vulnerability involves user-controlled fields (endpointIP, endpointUsername, password) being interpolated directly into shell commands, suspicious entries or unusual commands executed by Termix processes may indicate exploitation.

A practical detection method is to inspect the Termix process activity and configuration files for injected commands or unexpected file writes, especially those triggered by the POST /ssh/tunnel/connect endpoint.

Suggested commands to help detect exploitation include:

• Review Termix logs for suspicious POST requests to /ssh/tunnel/connect.
• Use process monitoring tools (e.g., ps, top) to identify unexpected ssh or sshpass commands spawned by Termix.
• Search configuration or host record files for unusual characters or shell metacharacters in endpointIP, endpointUsername, or password fields, for example:
• grep -E '[;&|`$()]' /path/to/termix/config
• Check for unexpected files created by injected commands, e.g., using find or ls commands in directories where Termix runs.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Termix to version 2.3.2 or later, where this vulnerability has been patched.

If upgrading is not immediately possible, avoid using the vulnerable POST /ssh/tunnel/connect endpoint or disable features that allow user-controlled host record creation or modification.

Additionally, avoid assembling shell commands from user input. Instead, use safer APIs such as ssh2's forwardOut/forwardIn methods rather than spawning ssh or sshpass commands.

Finally, review and remove any suspicious host records that may contain injected commands to prevent persistent exploitation on Termix process restarts.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-45748 is a critical remote code execution vulnerability that allows attackers to execute arbitrary commands on the source SSH host without privileges. This can lead to unauthorized access, data breaches, and potential manipulation or destruction of sensitive data.

Such impacts on confidentiality, integrity, and availability of data can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and breaches.

Therefore, if exploited, this vulnerability could cause organizations using affected versions of Termix to violate these regulations due to compromised data security controls.

Useful 0 Not Useful 0