Executive Summary

CVE-2026-45749 is a high-severity vulnerability in Termix, a web-based server management platform. The vulnerability exists in the endpoints `/users/totp/disable` and `/users/totp/backup-codes` in Termix versions 2.1.0 and earlier. These endpoints accept only the account password as authentication for critical multi-factor authentication (MFA) operations.

An attacker who obtains a user's password through phishing, credential stuffing, or other means can disable Time-based One-Time Password (TOTP) two-factor authentication entirely or regenerate backup codes without needing the actual TOTP device or a valid TOTP code. This effectively bypasses or disables two-factor authentication, reducing account security to single-factor authentication.

The issue was fixed in Termix version 2.3.2 by requiring both the password and a valid TOTP or backup code for these operations.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious security impacts by allowing attackers who have obtained a user's password to bypass two-factor authentication protections.

• Attackers can disable TOTP-based two-factor authentication entirely.
• Attackers can regenerate backup codes without possessing the TOTP device or valid codes.
• Accounts protected by TOTP are effectively downgraded to single-factor authentication, increasing the risk of unauthorized access.

This can lead to full account compromise, unauthorized access to server management functions, and potential further exploitation of the affected systems.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves monitoring for unauthorized or suspicious use of the `/users/totp/disable` and `/users/totp/backup-codes` endpoints in Termix versions 2.1.0 and earlier.

Specifically, look for POST requests to these endpoints that only provide a password without a valid TOTP code, which indicates exploitation attempts.

Commands to detect such activity could include inspecting web server logs or using network monitoring tools to filter HTTP POST requests to these endpoints.

• Use grep or similar tools to search logs for POST requests to `/users/totp/disable` or `/users/totp/backup-codes` endpoints.
• Example command: `grep 'POST /users/totp/disable' /var/log/termix/access.log`
• Example command: `grep 'POST /users/totp/backup-codes' /var/log/termix/access.log`

Additionally, monitoring for unusual account activity or multiple MFA disable attempts without corresponding TOTP verification can help identify exploitation.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Termix to version 2.3.2 or later, where this vulnerability has been patched.

Version 2.3.2 changes the authentication requirements for the `/users/totp/disable` and `/users/totp/backup-codes` endpoints to require both the account password and a valid TOTP or backup code, preventing attackers from bypassing two-factor authentication.

Until the upgrade can be applied, consider monitoring and restricting access to these endpoints, enforcing strong password policies, and educating users about phishing and credential stuffing risks.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows attackers to bypass two-factor authentication by using only the account password to disable TOTP or regenerate backup codes. This effectively reduces the security of user accounts from multi-factor to single-factor authentication.

Such a reduction in authentication security can lead to unauthorized access to sensitive data, which may violate common standards and regulations like GDPR and HIPAA that require strong access controls and protection of personal or health information.

Therefore, the vulnerability could negatively impact compliance by weakening authentication mechanisms that are critical for protecting sensitive data and ensuring secure user access.

Useful 0 Not Useful 0