CVE Vulnerability Database

CVE-2026-45744: Termix Server Management RCE Vulnerability

CVE-2026-45744 is a remote code execution flaw in the Termix server management platform that allows authenticated users to execute arbitrary commands via command injection. This article covers technical details, affected versions, and mitigation.

CVE-2026-45744 Overview

CVE-2026-45744 is an OS command injection vulnerability in Termix, a web-based server management platform offering SSH terminal, tunneling, and file editing functionality. Versions prior to 2.3.2 ship a vulnerable GET /ssh/file_manager/ssh/resolvePath endpoint that constructs shell commands using double-quote escaping. This escaping fails to neutralize $(...) and backtick command substitution sequences. Any authenticated user with an active File Manager SSH session can inject shell metacharacters and execute arbitrary commands on the connected remote host. The flaw maps to CWE-78: Improper Neutralization of Special Elements used in an OS Command.

Critical Impact

Authenticated attackers with an active File Manager SSH session can achieve arbitrary command execution on remote hosts managed through Termix, leading to full compromise of the connected systems.

Affected Products

  • Termix versions prior to 2.3.2
  • Termix SSH File Manager component
  • Deployments exposing the GET /ssh/file_manager/ssh/resolvePath endpoint

Discovery Timeline

  • 2026-06-05 - CVE-2026-45744 published to NVD
  • 2026-06-08 - Last updated in NVD database

Technical Details for CVE-2026-45744

Vulnerability Analysis

The vulnerability resides in the GET /ssh/file_manager/ssh/resolvePath endpoint exposed by Termix's File Manager subsystem. The endpoint accepts user-controlled path input and incorporates it into a shell command sent over the active SSH session. Termix wraps the input in double quotes as its only escaping mechanism. Double-quote escaping in POSIX shells does not suppress command substitution syntax, so payloads containing $(...) or backticks are interpreted by the remote shell as nested commands.

Because the injected command runs through an authenticated SSH File Manager session, attacker-supplied commands execute on the remote host with the privileges of the SSH user. Termix's session model only requires that the attacker hold a valid Termix account and an active File Manager connection, which makes exploitation reliable in multi-tenant deployments. The scope change recorded for this issue indicates that the impact extends beyond Termix itself to every remote system reachable through a File Manager session.

Root Cause

The root cause is improper neutralization of special elements in an OS command [CWE-78]. The resolvePath handler relies on double-quote string wrapping rather than safe argument passing or strict allowlist validation. Double quotes preserve literal whitespace but still permit shell expansions, including $(command) and `command`, allowing arbitrary command substitution.
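To make the quoting difference concrete, here is an added example (not Termix's own code) that places the double-quote wrapping the advisory describes next to POSIX single quoting and an allowlist check. All function names, and the `readlink -f` stand-in command, are assumptions for this illustration.

```javascript
// Added example, not Termix's own code: the double-quote wrapping the advisory
// describes, next to POSIX single quoting and a path allowlist. All function
// names, and the `readlink -f` stand-in command, are assumptions.

// Modelled on the flawed approach: double quotes preserve whitespace, but a
// POSIX shell still performs $(...), `...` and $var expansion inside them.
function wrapInDoubleQuotes(path) {
  return `"${path.replace(/"/g, '\\"')}"`;
}

// POSIX single quoting: nothing is expanded inside '...'. A literal single
// quote is emitted by closing, escaping and reopening the quotes: ' -> '\''
function shellQuote(arg) {
  if (arg === '') return "''";
  return `'${arg.replace(/'/g, `'\\''`)}'`;
}

// Minimal POSIX quoting-state walk: reports whether a $( or backtick in the
// command string would reach the shell in an expanding context, i.e. outside
// single quotes and not backslash-escaped. Double quotes do not protect.
function hasLiveSubstitution(command) {
  let inSingle = false, inDouble = false;
  for (let i = 0; i < command.length; i++) {
    const ch = command[i];
    if (inSingle) { if (ch === "'") inSingle = false; continue; }
    if (ch === '\\') { i++; continue; }            // skip the escaped character
    if (ch === '"') { inDouble = !inDouble; continue; }
    if (ch === "'" && !inDouble) { inSingle = true; continue; }
    if (ch === '`' || (ch === '$' && command[i + 1] === '(')) return true;
  }
  return false;
}

// Defence in depth: accept only absolute paths drawn from a conservative
// character set, and reject "." / ".." components before anything is quoted.
const SAFE_PATH = /^\/(?:[A-Za-z0-9 ._-]+\/)*[A-Za-z0-9 ._-]*$/;
function isAllowedPath(path) {
  return SAFE_PATH.test(path) &&
    !path.split('/').some((part) => part === '.' || part === '..');
}

// The SSH channel hands a string to the remote shell, so quoting cannot be
// avoided; run the allowlist first and single-quote whatever survives it.
function buildResolveCommand(path) {
  if (!isAllowedPath(path)) throw new Error('path rejected by allowlist');
  return `readlink -f ${shellQuote(path)}`;
}
```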

Attack Vector

An authenticated Termix user initiates a File Manager SSH session to a target host. The attacker then issues a crafted GET /ssh/file_manager/ssh/resolvePath request containing a path parameter with command substitution syntax. The server forwards the unsanitized payload into the SSH channel, where the remote shell evaluates the substitution and executes the attacker's command. No user interaction on the victim side is required, and the network attack vector enables remote exploitation against any reachable Termix instance.

No verified public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-37f4-wq95-pg33 for vendor-provided technical details.

Detection Methods for CVE-2026-45744

Indicators of Compromise

  • HTTP requests to /ssh/file_manager/ssh/resolvePath containing $(, `, ;, |, or && characters in query parameters.
  • Unexpected child processes spawned from the SSH session shell on hosts managed through Termix File Manager.
  • Outbound network connections originating from managed hosts shortly after resolvePath requests, indicating possible reverse shell or data staging activity.
  • Anomalous file creation or modification in directories outside the path the user was browsing.

Detection Strategies

  • Inspect Termix application and reverse proxy logs for resolvePath requests containing shell metacharacters or URL-encoded variants such as %24%28 and %60.
  • Correlate Termix authenticated session activity with shell command execution telemetry on remote hosts to identify substitution-based payloads.
  • Apply behavioral detection on managed Linux hosts for unusual process lineage where SSH session shells spawn interpreters such as bash, sh, python, or curl.

Monitoring Recommendations

  • Forward Termix HTTP access logs and SSH session audit logs to a centralized analytics platform for retrospective hunting.
  • Alert on any resolvePath request where decoded query parameters contain shell substitution tokens.
  • Monitor managed host audit logs (auditd, execve events) for command executions whose parent process is an SSH-spawned shell associated with Termix sessions.
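The log inspection described in the detection strategies and monitoring recommendations above, as an added example that is not part of the advisory: it normalises URL-encoded (and double-encoded) query strings before matching the substitution tokens, so `%24%28` and `%2524%2528` are both caught. The log format, the sample lines and all function names are constructed for this illustration.

```javascript
// Added example, not part of the advisory: scans reverse-proxy access log lines
// for resolvePath requests whose decoded query carries substitution tokens.
// The log format, sample lines and all function names are constructed/assumed.

const TARGET_PATH = '/ssh/file_manager/ssh/resolvePath';
const SUBSTITUTION_TOKENS = ['$(', '`', ';', '|', '&&'];   // from the IoC list

// Decodes %XX sequences repeatedly (bounded) so double-encoded payloads such as
// %2524%2528 are normalised too; malformed input is kept as-is, not thrown.
function fullyDecode(s) {
  let cur = s, prev = null;
  for (let i = 0; i < 3 && prev !== cur; i++) {
    prev = cur;
    try { cur = decodeURIComponent(cur.replace(/\+/g, ' ')); } catch { break; }
  }
  return cur;
}

// One combined-format line: client, [timestamp], "METHOD target PROTO", status.
const LINE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/;

function inspectLine(line) {
  const m = LINE.exec(line);
  if (!m) return null;
  const [, client, method, target, status] = m;
  const q = target.indexOf('?');
  const path = q < 0 ? target : target.slice(0, q);
  if (path !== TARGET_PATH) return null;            // only the vulnerable route
  const decoded = fullyDecode(q < 0 ? '' : target.slice(q + 1));
  const hits = SUBSTITUTION_TOKENS.filter((t) => decoded.includes(t));
  return { client, method, status: Number(status), decoded, hits,
           suspicious: hits.length > 0 };
}

function findSuspicious(lines) {
  return lines.map(inspectLine).filter((r) => r !== null && r.suspicious);
}

// Constructed sample: a benign browse, a $(...) payload, a double-encoded
// backtick payload, and one unrelated request.
const SAMPLE_LOG = [
  '10.0.0.5 - - [05/Jun/2026:10:01:02 +0000] "GET /ssh/file_manager/ssh/resolvePath?path=%2Fhome%2Fuser%2Fdocs HTTP/1.1" 200 87',
  '10.0.0.9 - - [05/Jun/2026:10:01:07 +0000] "GET /ssh/file_manager/ssh/resolvePath?path=%2Ftmp%2F%24%28date%29 HTTP/1.1" 200 91',
  '10.0.0.9 - - [05/Jun/2026:10:01:09 +0000] "GET /ssh/file_manager/ssh/resolvePath?path=%252Ftmp%252F%2560date%2560 HTTP/1.1" 200 91',
  '10.0.0.5 - - [05/Jun/2026:10:01:11 +0000] "GET /index.html HTTP/1.1" 200 512',
];

for (const r of findSuspicious(SAMPLE_LOG)) {
  console.log(`ALERT ${r.client} ${r.method} ${r.status} tokens=${r.hits.join(' ')} query=${r.decoded}`);
}
```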

How to Mitigate CVE-2026-45744

Immediate Actions Required

  • Upgrade all Termix instances to version 2.3.2 or later, which patches the resolvePath command injection.
  • Restrict network access to the Termix web interface to trusted administrative networks until patching completes.
  • Rotate credentials and SSH keys for any remote hosts that were reachable through Termix File Manager sessions during the exposure window.
  • Audit Termix user accounts and revoke unused or low-trust accounts that could be leveraged to satisfy the authentication requirement.

Patch Information

The Termix maintainers released version 2.3.2 to fix this issue. See the GitHub Release v2.3.2 for the patched build and the GitHub Security Advisory GHSA-37f4-wq95-pg33 for vendor remediation guidance.

Workarounds

  • If immediate upgrade is not possible, disable the File Manager feature or block the /ssh/file_manager/ssh/resolvePath route at a reverse proxy.
  • Enforce strict allowlists in upstream proxies that reject query parameters containing $, `, ;, |, &, or their URL-encoded forms.
  • Limit Termix-connected SSH accounts on remote hosts to least-privilege users with restricted shells where feasible.

```nginx
# Example reverse proxy rule (nginx) to block command substitution payloads
# until Termix can be upgraded to 2.3.2.
# $args is the raw, undecoded query string, so the percent-encoded forms
# (%24%28, %60, %3B, %7C) must be listed alongside the literal characters.
location /ssh/file_manager/ssh/resolvePath {
    if ($args ~* "(\$\(|%24%28|`|%60|;|%3B|\||%7C)") {
        return 403;
    }
    proxy_pass http://termix_backend;
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
