Electerm (<= 3.7.8) — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/electerm--3.7.8/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 08 May 2026 18:43:52 +0000Electerm Remote Code Execution Vulnerability via Malicious Filenameshttps://feed.craftedsignal.io/briefs/2024-01-electerm-rce/Fri, 08 May 2026 18:43:52 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-electerm-rce/A remote code execution vulnerability exists in Electerm versions 3.7.8 and earlier, where a malicious SSH server can inject arbitrary commands into a victim's system by crafting filenames with shell metacharacters that are executed when the user attempts to open or edit the file using the 'open with system editor' or 'edit with custom editor' feature.Electerm, a terminal/ssh/sftp client, is vulnerable to a remote code execution (RCE) attack (CVE-2026-43943) when using the “open with system editor” or “Edit with custom editor” feature. This vulnerability affects versions 3.7.8 and earlier. A malicious actor who controls the SSH server or has the ability to manipulate filenames can inject shell metacharacters into a filename. When a user attempts to open the file with the vulnerable feature, Electerm passes the filename directly to the command line without sanitization, leading to command execution with the user’s privileges. This allows the attacker to potentially run arbitrary code, install malware, or move laterally within the network. The vulnerability was patched in version 3.7.9.

Attack Chain

  1. Attacker compromises or sets up a malicious SSH server.
  2. Attacker creates a file with a specially crafted filename containing shell metacharacters (e.g., evil; rm -rf /tmp; touch /tmp/pwned).
  3. Victim connects to the malicious SSH server using Electerm.
  4. Victim browses the SFTP file system and sees the attacker-controlled filename.
  5. Victim selects the malicious file and chooses the “open with system editor” or “Edit with custom editor” option.
  6. Electerm executes a command to open the file, passing the malicious filename unsanitized to the system shell (e.g., xdg-open "evil; rm -rf /tmp; touch /tmp/pwned").
  7. The shell executes the injected commands, deleting files in /tmp and creating a file named /tmp/pwned in this example.
  8. Attacker achieves arbitrary code execution on the victim’s machine with the user’s privileges.

Impact

Successful exploitation of this vulnerability allows a malicious actor to execute arbitrary code on the victim’s machine. This could lead to a variety of malicious outcomes, including malware installation, data theft, or lateral movement within the victim’s network. The number of potential victims is limited to Electerm users who connect to untrusted SSH servers and use the vulnerable “open with system editor” or “Edit with custom editor” features. This vulnerability could have significant impact for developers and system administrators who rely on Electerm for remote server management.

Recommendation

  • Upgrade Electerm to version 3.7.9 or later to patch CVE-2026-43943.
  • Deploy the Sigma rule Detect Electerm RCE via Filename to detect exploitation attempts.
  • Until a patch can be applied, refrain from using the “open with system editor” or “Edit with custom editor” feature when connected to untrusted SSH servers, as recommended in the advisory.
  • If the “open with system editor” feature must be used, ensure connections are exclusively established with trusted servers and perform rigorous filename validation before editing.
]]>highadvisoryrceelectermsftpremote code execution