{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/electerm--3.11.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["electerm \u003c= 3.11.0"],"_cs_severities":["high"],"_cs_tags":["command-injection","rce","client-side","application-vulnerability","electerm"],"_cs_type":"advisory","_cs_vendors":["electerm"],"content_html":"\u003cp\u003eA critical command injection vulnerability (CVE-2026-49255) has been identified in electerm, a popular terminal emulator and SSH/SFTP client, affecting versions up to and including 3.11.0. The flaw resides within the application's file system operations, specifically \u003ccode\u003ermrf()\u003c/code\u003e, \u003ccode\u003emv()\u003c/code\u003e, and \u003ccode\u003ecp()\u003c/code\u003e, which are implemented in \u003ccode\u003esrc/app/lib/fs.js\u003c/code\u003e. These functions construct shell commands by directly embedding user-controlled file paths without proper escaping of shell metacharacters. Attackers can exploit this by setting up a malicious SSH/SFTP server that presents files with specially crafted names containing metacharacters like \u003ccode\u003e\u0026quot;\u003c/code\u003e or \u003ccode\u003e'\u003c/code\u003e. When a victim connects to such a server and performs file operations (such as remote-to-local transfers or renaming), the embedded shell metacharacters escape the intended argument, leading to arbitrary command execution on the victim's system under the context of the electerm user. This allows for potential data exfiltration, malware installation, or full system compromise on both Windows and POSIX (Linux/macOS) platforms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sets up a malicious SSH/SFTP server or compromises an existing one, making it accessible to potential victims.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts filenames containing shell metacharacters (e.g., \u003ccode\u003efile\u0026quot;$(touch /tmp/pwned)\u0026quot;\u003c/code\u003e, \u003ccode\u003emalicious';id;'file\u003c/code\u003e) designed to break out of quoted arguments in shell commands.\u003c/li\u003e\n\u003cli\u003eA victim, using a vulnerable version of electerm, connects to the malicious SSH/SFTP server.\u003c/li\u003e\n\u003cli\u003eThe victim initiates a file operation (e.g., remote-to-local transfer, move, copy, or a rename due to conflict) involving the attacker-controlled malicious filename.\u003c/li\u003e\n\u003cli\u003eelecterm's vulnerable file system functions (\u003ccode\u003ermrf()\u003c/code\u003e, \u003ccode\u003emv()\u003c/code\u003e, or \u003ccode\u003ecp()\u003c/code\u003e) are invoked, attempting to process the malicious filename.\u003c/li\u003e\n\u003cli\u003eThe functions construct an underlying shell command by interpolating the malicious filename directly into a command string, failing to properly escape the shell metacharacters.\u003c/li\u003e\n\u003cli\u003eThe shell metacharacters (e.g., \u003ccode\u003e\u0026quot;\u003c/code\u003e or \u003ccode\u003e'\u003c/code\u003e) in the filename escape the intended argument, causing the embedded arbitrary commands to be executed by the underlying shell.\u003c/li\u003e\n\u003cli\u003eThe injected arbitrary commands run with the privileges of the electerm desktop user, leading to arbitrary code execution, system compromise, or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-49255 results in arbitrary command execution on the victim's system. This allows attackers to perform actions with the same privileges as the electerm desktop user, which typically includes access to user files and configuration. The consequences can include data exfiltration, installation of additional malware, further system compromise, or even the establishment of persistence. Both POSIX-based operating systems (Linux, macOS) and Windows are affected, widening the potential target base. The severity is high due to the ease of exploitation via crafted filenames and the direct impact of arbitrary code execution.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cp\u003ePrioritized, concrete actions for detection engineering teams.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade electerm to a patched version (newer than 3.11.0) to remediate CVE-2026-49255.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to detect anomalous process creation that may indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of connecting to untrusted SSH/SFTP servers and performing file operations with suspicious filenames, as highlighted in the \u0026quot;Attack Chain\u0026quot; section.\u003c/li\u003e\n\u003cli\u003eImplement strong egress filtering to block unexpected outbound connections from user workstations that could indicate command and control activity post-exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:37:40Z","date_published":"2026-07-03T11:37:40Z","id":"https://feed.craftedsignal.io/briefs/2026-07-electerm-command-injection/","summary":"A command injection vulnerability, CVE-2026-49255, exists in electerm's file system operations (`rmrf`, `mv`, `cp`) due to improper sanitization of file paths containing shell metacharacters. An attacker can leverage this by presenting a malicious SSH/SFTP server with crafted filenames. When a victim performs file operations on these files, arbitrary commands can be executed on the victim's system as the electerm desktop user, potentially leading to data exfiltration, malware installation, or system compromise on both Windows and POSIX-based operating systems.","title":"electerm has Command Injection in File System Operations (rmrf, mv, cp)","url":"https://feed.craftedsignal.io/briefs/2026-07-electerm-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Electerm \u003c= 3.11.0","version":"https://jsonfeed.org/version/1.1"}