{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/electerm--3.8.8/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["electerm (\u003c= 3.8.8)"],"_cs_severities":["critical"],"_cs_tags":["rce","electerm","code-execution","cve-2026-45058"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eElecterm, a popular terminal application, is susceptible to a critical remote code execution vulnerability (CVE-2026-45058). This flaw affects users who import bookmark JSON files or utilize Electerm\u0026rsquo;s synchronization feature via Gist or WebDAV. An attacker can exploit this vulnerability by injecting malicious \u003ccode\u003eexec*\u003c/code\u003e fields or manipulating the global configuration within a crafted bookmark file or a compromised sync target. The injected code is executed when a user opens a compromised bookmark or when Electerm applies the settings from a tampered sync target. This vulnerability impacts Electerm versions 3.8.8 and earlier, potentially allowing attackers to gain persistent code execution on the victim\u0026rsquo;s system. Defenders should prioritize detecting and preventing the import of untrusted bookmark data to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious bookmark JSON file containing injected \u003ccode\u003eexec*\u003c/code\u003e fields or altered global configuration settings.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the malicious bookmark file to a target user, potentially through social engineering or by compromising a WebDAV sync target.\u003c/li\u003e\n\u003cli\u003eThe user imports the malicious bookmark JSON file into Electerm through the application\u0026rsquo;s import functionality.\u003c/li\u003e\n\u003cli\u003eElecterm parses the JSON file, loading the attacker-controlled \u003ccode\u003eexec*\u003c/code\u003e fields or global configuration into its settings.\u003c/li\u003e\n\u003cli\u003eThe user opens a bookmark that contains the malicious \u003ccode\u003eexec*\u003c/code\u003e payload. Alternatively, Electerm syncs with a compromised WebDAV server.\u003c/li\u003e\n\u003cli\u003eElecterm executes the injected code or applies the malicious configuration using a local-pty context.\u003c/li\u003e\n\u003cli\u003eThe attacker gains code execution on the user\u0026rsquo;s system with the privileges of the Electerm process.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform further actions such as installing malware, exfiltrating data, or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-45058 leads to arbitrary code execution on the victim\u0026rsquo;s machine. This can result in complete system compromise, data theft, or the deployment of ransomware. The impact is particularly severe for users who rely on Electerm\u0026rsquo;s synchronization feature, as a compromised sync target can propagate the malicious configuration across multiple systems. While the exact number of potential victims is unknown, the vulnerability affects all Electerm users running versions 3.8.8 and earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Electerm Bookmark Import\u003c/code\u003e to detect attempts to import malicious bookmark files (log source: \u003ccode\u003eprocess_creation\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Electerm Sync\u003c/code\u003e to detect connections to unusual WebDAV servers or Gists (log source: \u003ccode\u003enetwork_connection\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor Electerm\u0026rsquo;s configuration files for unexpected changes, specifically modifications to the \u003ccode\u003eexec*\u003c/code\u003e fields (log source: \u003ccode\u003efile_event\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEducate users on the risks of importing untrusted bookmark data and advise against importing bookmarks from unknown or untrusted sources.\u003c/li\u003e\n\u003cli\u003eConsider temporarily disabling Electerm\u0026rsquo;s synchronization feature until a patch is available to prevent compromised sync targets from being exploited.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules and take appropriate remediation steps to contain any potential compromises.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T20:17:11Z","date_published":"2026-05-14T20:17:11Z","id":"https://feed.craftedsignal.io/briefs/2026-05-electerm-rce/","summary":"Electerm is vulnerable to remote code execution (CVE-2026-45058) via maliciously crafted bookmark files or compromised sync targets, allowing attackers to inject arbitrary commands when a bookmark is opened or when a sync operation is performed.","title":"Electerm Vulnerable to Remote Code Execution via Malicious Bookmarks (CVE-2026-45058)","url":"https://feed.craftedsignal.io/briefs/2026-05-electerm-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Electerm (\u003c= 3.8.8)","version":"https://jsonfeed.org/version/1.1"}