{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/electerm--3.7.8/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-43943"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["electerm (\u003c= 3.7.8)"],"_cs_severities":["high"],"_cs_tags":["rce","electerm","sftp","remote code execution"],"_cs_type":"advisory","_cs_vendors":["electerm"],"content_html":"\u003cp\u003eElecterm, a terminal/ssh/sftp client, is vulnerable to a remote code execution (RCE) attack (CVE-2026-43943) when using the \u0026ldquo;open with system editor\u0026rdquo; or \u0026ldquo;Edit with custom editor\u0026rdquo; feature. This vulnerability affects versions 3.7.8 and earlier. A malicious actor who controls the SSH server or has the ability to manipulate filenames can inject shell metacharacters into a filename. When a user attempts to open the file with the vulnerable feature, Electerm passes the filename directly to the command line without sanitization, leading to command execution with the user\u0026rsquo;s privileges. This allows the attacker to potentially run arbitrary code, install malware, or move laterally within the network. The vulnerability was patched in version 3.7.9.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises or sets up a malicious SSH server.\u003c/li\u003e\n\u003cli\u003eAttacker creates a file with a specially crafted filename containing shell metacharacters (e.g., \u003ccode\u003eevil; rm -rf /tmp; touch /tmp/pwned\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eVictim connects to the malicious SSH server using Electerm.\u003c/li\u003e\n\u003cli\u003eVictim browses the SFTP file system and sees the attacker-controlled filename.\u003c/li\u003e\n\u003cli\u003eVictim selects the malicious file and chooses the \u0026ldquo;open with system editor\u0026rdquo; or \u0026ldquo;Edit with custom editor\u0026rdquo; option.\u003c/li\u003e\n\u003cli\u003eElecterm executes a command to open the file, passing the malicious filename unsanitized to the system shell (e.g., \u003ccode\u003exdg-open \u0026quot;evil; rm -rf /tmp; touch /tmp/pwned\u0026quot;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe shell executes the injected commands, deleting files in \u003ccode\u003e/tmp\u003c/code\u003e and creating a file named \u003ccode\u003e/tmp/pwned\u003c/code\u003e in this example.\u003c/li\u003e\n\u003cli\u003eAttacker achieves arbitrary code execution on the victim\u0026rsquo;s machine with the user\u0026rsquo;s privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a malicious actor to execute arbitrary code on the victim\u0026rsquo;s machine. This could lead to a variety of malicious outcomes, including malware installation, data theft, or lateral movement within the victim\u0026rsquo;s network. The number of potential victims is limited to Electerm users who connect to untrusted SSH servers and use the vulnerable \u0026ldquo;open with system editor\u0026rdquo; or \u0026ldquo;Edit with custom editor\u0026rdquo; features. This vulnerability could have significant impact for developers and system administrators who rely on Electerm for remote server management.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Electerm to version 3.7.9 or later to patch CVE-2026-43943.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Electerm RCE via Filename\u003c/code\u003e to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eUntil a patch can be applied, refrain from using the \u0026ldquo;open with system editor\u0026rdquo; or \u0026ldquo;Edit with custom editor\u0026rdquo; feature when connected to untrusted SSH servers, as recommended in the advisory.\u003c/li\u003e\n\u003cli\u003eIf the \u0026ldquo;open with system editor\u0026rdquo; feature must be used, ensure connections are exclusively established with trusted servers and perform rigorous filename validation before editing.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-08T18:43:52Z","date_published":"2026-05-08T18:43:52Z","id":"/briefs/2024-01-electerm-rce/","summary":"A remote code execution vulnerability exists in Electerm versions 3.7.8 and earlier, where a malicious SSH server can inject arbitrary commands into a victim's system by crafting filenames with shell metacharacters that are executed when the user attempts to open or edit the file using the 'open with system editor' or 'edit with custom editor' feature.","title":"Electerm Remote Code Execution Vulnerability via Malicious Filenames","url":"https://feed.craftedsignal.io/briefs/2024-01-electerm-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Electerm (\u003c= 3.7.8)","version":"https://jsonfeed.org/version/1.1"}