Electerm (>= 3.0.6, < 3.8.15) — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/electerm--3.0.6--3.8.15/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 08 May 2026 18:46:04 +0000Electerm Arbitrary Code Execution via Crafted URI or CLI Argumentshttps://feed.craftedsignal.io/briefs/2024-05-electerm-code-exec/Fri, 08 May 2026 18:46:04 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-05-electerm-code-exec/Electerm versions 3.0.6 through 3.8.14 are vulnerable to arbitrary local code execution via crafted electerm:// URIs or command-line arguments, requiring a user to click a malicious link or open a malicious shortcut file.Electerm, a free and open-source terminal/ssh/sftp client, is vulnerable to arbitrary code execution. Versions 3.0.6 through 3.8.14 are susceptible to this vulnerability. An attacker can exploit this by crafting a malicious electerm:// URI or by crafting a shortcut/command that launches electerm with attacker-controlled --opts arguments. Successful exploitation requires a user to click the malicious link or open the malicious shortcut file. This vulnerability allows attackers to execute arbitrary code on the victim’s machine, potentially leading to system compromise, data theft, or other malicious activities. The vulnerability was reported by Curly-Haired-Baboon.

Attack Chain

  1. The attacker crafts a malicious electerm:// URI or a shortcut/command containing malicious --opts arguments.
  2. The attacker distributes the malicious URI or shortcut/command to the victim via social engineering or other means.
  3. The victim clicks on the malicious electerm:// URI or opens the malicious shortcut/command.
  4. Electerm is launched with the attacker-controlled parameters.
  5. Due to insufficient validation of the input, the attacker’s payload is processed by Electerm.
  6. The attacker’s payload executes arbitrary code on the victim’s machine.
  7. The attacker gains control of the compromised system, enabling them to perform malicious activities.

Impact

Successful exploitation of this vulnerability can lead to arbitrary code execution on the victim’s machine. This can result in a wide range of malicious activities, including but not limited to, system compromise, data theft, installation of malware, and denial of service. Given the nature of Electerm as a terminal client, attackers could potentially gain access to sensitive credentials and systems managed through the application.

Recommendation

  • Upgrade Electerm to version 3.8.15 or later to patch CVE-2026-43944.
  • Disable or unregister electerm protocol handlers (Deep Link settings) as a workaround.
  • Avoid clicking electerm:// links from untrusted sources.
  • Refrain from running electerm with untrusted --opts arguments or opening .lnk / .desktop files from untrusted sources.
  • Deploy the Sigma rule “Detect Electerm URI Protocol Handler Abuse” to identify attempts to exploit this vulnerability by monitoring process execution that involves the electerm protocol.
]]>criticaladvisorycode-executionprotocol-handlerelecterm