Critical RCE Vulnerability in Hermes WebUI (CVE-2026-58123)
An unauthenticated remote code execution vulnerability, CVE-2026-58123, exists in Hermes WebUI versions prior to 0.51.788, allowing remote attackers to execute arbitrary shell commands by accessing exposed terminal API endpoints without credentials, leading to full command execution as the server process user.
CVE-2026-58123 is a critical unauthenticated remote code execution (RCE) vulnerability affecting Hermes WebUI versions before 0.51.788. Published on July 9, 2026, this flaw allows any remote attacker to execute arbitrary shell commands on the underlying server. Attackers can leverage this by directly accessing embedded terminal API endpoints that are exposed without proper authentication. The exploitation involves a sequence of four unauthenticated HTTP requests: establishing a session, attaching a pseudo-terminal (PTY) shell, and subsequently writing arbitrary commands to the terminal input endpoint. This grants the attacker full command execution privileges under the context of the server process user, posing a severe risk of system compromise, data exfiltration, or further network penetration.
Attack Chain
- Initial Access: An unauthenticated remote attacker sends an HTTP request to an exposed Hermes WebUI terminal API endpoint.
- Session Creation: The attacker sends a second HTTP request to establish a session with the embedded terminal without requiring any authentication.
- PTY Shell Attachment: A third unauthenticated HTTP request is sent by the attacker to attach a PTY shell to the newly created session.
- Command Injection: The attacker sends a fourth unauthenticated HTTP request to the terminal input endpoint, embedding arbitrary shell commands within the request.
- Command Execution: The Hermes WebUI server processes the request and executes the injected shell commands as the user account running the WebUI process.
- Impact: The attacker achieves full remote code execution, potentially leading to system compromise, data exfiltration, or further lateral movement within the compromised network.
Impact
Successful exploitation of CVE-2026-58123 results in unauthenticated remote code execution on the server hosting Hermes WebUI. This allows attackers to gain full control over the affected system under the privileges of the server process user. The consequences can include complete system compromise, unauthorized access to sensitive data, installation of malware (e.g., ransomware, cryptominers), establishment of persistent backdoors, and the use of the compromised system as a pivot point for further attacks within the organization's network.
Recommendation
- Immediately update Hermes WebUI to version 0.51.788 or later to patch CVE-2026-58123.
- Deploy the Sigma rule provided in this brief to your SIEM to detect attempts to exploit the Hermes WebUI terminal API.
- Ensure proper network segmentation and firewall rules are in place to restrict access to Hermes WebUI instances from untrusted networks.
Detection coverage 1
Detects CVE-2026-58123 Exploitation - Hermes WebUI Unauthenticated RCE
highDetects CVE-2026-58123 exploitation attempts targeting Hermes WebUI by identifying suspicious HTTP requests to terminal API endpoints containing common shell command injection characters.
Detection queries are available on the platform. Get full rules →