Electerm Vulnerable to Remote Code Execution via Malicious Bookmarks (CVE-2026-45058)
Electerm is vulnerable to remote code execution (CVE-2026-45058) via maliciously crafted bookmark files or compromised sync targets, allowing attackers to inject arbitrary commands when a bookmark is opened or when a sync operation is performed.
Electerm, a popular terminal application, is susceptible to a critical remote code execution vulnerability (CVE-2026-45058). This flaw affects users who import bookmark JSON files or utilize Electerm’s synchronization feature via Gist or WebDAV. An attacker can exploit this vulnerability by injecting malicious exec* fields or manipulating the global configuration within a crafted bookmark file or a compromised sync target. The injected code is executed when a user opens a compromised bookmark or when Electerm applies the settings from a tampered sync target. This vulnerability impacts Electerm versions 3.8.8 and earlier, potentially allowing attackers to gain persistent code execution on the victim’s system. Defenders should prioritize detecting and preventing the import of untrusted bookmark data to mitigate this risk.
Attack Chain
- Attacker crafts a malicious bookmark JSON file containing injected exec* fields or altered global configuration settings.
- The attacker distributes the malicious bookmark file to a target user, potentially through social engineering or by compromising a WebDAV sync target.
- The user imports the malicious bookmark JSON file into Electerm through the application's import functionality.
- Electerm parses the JSON file, loading the attacker-controlled exec* fields or global configuration into its settings.
- The user opens a bookmark that contains the malicious exec* payload. Alternatively, Electerm syncs with a compromised WebDAV server.
- Electerm executes the injected code or applies the malicious configuration using a local-pty context.
- The attacker gains code execution on the user's system with the privileges of the Electerm process.
- The attacker can then perform further actions such as installing malware, exfiltrating data, or establishing persistence.
Impact
Successful exploitation of CVE-2026-45058 leads to arbitrary code execution on the victim’s machine. This can result in complete system compromise, data theft, or the deployment of ransomware. The impact is particularly severe for users who rely on Electerm’s synchronization feature, as a compromised sync target can propagate the malicious configuration across multiple systems. While the exact number of potential victims is unknown, the vulnerability affects all Electerm users running versions 3.8.8 and earlier.
Recommendation
- Deploy the Sigma rule "Detect Suspicious Electerm Bookmark Import" to detect attempts to import malicious bookmark files (log source: process_creation).
- Deploy the Sigma rule "Detect Suspicious Electerm Sync" to detect connections to unusual WebDAV servers or Gists (log source: network_connection).
- Monitor Electerm's configuration files for unexpected changes, specifically modifications to the exec* fields (log source: file_event).
- Educate users on the risks of importing untrusted bookmark data and advise against importing bookmarks from unknown or untrusted sources.
- Consider temporarily disabling Electerm's synchronization feature until a patch is available to prevent compromised sync targets from being exploited.
- Investigate any alerts generated by the Sigma rules and take appropriate remediation steps to contain any potential compromises.
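As an added defender-side example (not code from the Electerm project or from this advisory), the following Python script audits a bookmark JSON file before import, reporting every exec* field and any top-level global-configuration block, and diffs two snapshots of a configuration file to surface added or altered exec* fields. The bookmark layout, the "config" key and the field name execOnOpen are assumptions for illustration; only the exec* prefix comes from the advisory.

```python
import json
from typing import Any

# Constructed sample bookmark file. The "exec" prefix comes from the advisory;
# every other key name and value here is an assumption for illustration.
SAMPLE_BOOKMARK_JSON = """
{
  "bookmarks": [
    {"title": "prod-web", "host": "10.0.0.5", "port": 22},
    {"title": "dev-box", "host": "10.0.0.9", "port": 22,
     "execOnOpen": "<placeholder: attacker-controlled command>"}
  ],
  "config": {"keepaliveInterval": 3000}
}
"""

def find_exec_fields(node: Any, path: str = "$") -> list[tuple[str, Any]]:
    """Return (json_path, value) for every key starting with 'exec', at any depth."""
    hits: list[tuple[str, Any]] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.startswith("exec"):
                hits.append((child, value))
            hits.extend(find_exec_fields(value, child))  # nested objects too
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_exec_fields(item, f"{path}[{i}]"))
    return hits

def audit_bookmark_file(text: str, global_keys=("config",)) -> dict:
    """Pre-import check: flag exec* fields and any top-level global-config block."""
    doc = json.loads(text)
    exec_fields = find_exec_fields(doc)
    global_present = [k for k in global_keys if isinstance(doc, dict) and k in doc]
    return {
        "exec_fields": exec_fields,
        "global_config_present": global_present,
        "safe_to_import": not exec_fields and not global_present,
    }

def changed_exec_fields(old_text: str, new_text: str) -> list[tuple[str, Any, Any]]:
    """Exec* fields added or altered between two snapshots of a config file."""
    old = dict(find_exec_fields(json.loads(old_text)))
    new = dict(find_exec_fields(json.loads(new_text)))
    return [(p, old.get(p), v) for p, v in new.items() if old.get(p) != v]

if __name__ == "__main__":
    print(audit_bookmark_file(SAMPLE_BOOKMARK_JSON))
```

Paths are positional, so reordering bookmarks between two snapshots also surfaces as a change, which is acceptable for a file-integrity watch but worth knowing when triaging alerts.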
Detection coverage (2 rules)
- Detect Suspicious Electerm Bookmark Import (severity: high): detects CVE-2026-45058 exploitation via suspicious command line arguments when importing Electerm bookmarks.
- Detect Suspicious Electerm Sync (severity: medium): detects CVE-2026-45058 exploitation via connections to unusual domains when syncing Electerm settings.