{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/hermes/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-58123"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Hermes WebUI \u003c 0.51.788"],"_cs_severities":["critical"],"_cs_tags":["cve","rce","web-exploitation","hermes","api-exploitation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-58123 is a critical unauthenticated remote code execution (RCE) vulnerability affecting Hermes WebUI versions before 0.51.788. Published on July 9, 2026, this flaw allows any remote attacker to execute arbitrary shell commands on the underlying server. Attackers can leverage this by directly accessing embedded terminal API endpoints that are exposed without proper authentication. The exploitation involves a sequence of four unauthenticated HTTP requests: establishing a session, attaching a pseudo-terminal (PTY) shell, and subsequently writing arbitrary commands to the terminal input endpoint. This grants the attacker full command execution privileges under the context of the server process user, posing a severe risk of system compromise, data exfiltration, or further network penetration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An unauthenticated remote attacker sends an HTTP request to an exposed Hermes WebUI terminal API endpoint.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSession Creation\u003c/strong\u003e: The attacker sends a second HTTP request to establish a session with the embedded terminal without requiring any authentication.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePTY Shell Attachment\u003c/strong\u003e: A third unauthenticated HTTP request is sent by the attacker to attach a PTY shell to the newly created session.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand Injection\u003c/strong\u003e: The attacker sends a fourth unauthenticated HTTP request to the terminal input endpoint, embedding arbitrary shell commands within the request.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand Execution\u003c/strong\u003e: The Hermes WebUI server processes the request and executes the injected shell commands as the user account running the WebUI process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: The attacker achieves full remote code execution, potentially leading to system compromise, data exfiltration, or further lateral movement within the compromised network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-58123 results in unauthenticated remote code execution on the server hosting Hermes WebUI. This allows attackers to gain full control over the affected system under the privileges of the server process user. The consequences can include complete system compromise, unauthorized access to sensitive data, installation of malware (e.g., ransomware, cryptominers), establishment of persistent backdoors, and the use of the compromised system as a pivot point for further attacks within the organization's network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update Hermes WebUI to version 0.51.788 or later to patch CVE-2026-58123.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to your SIEM to detect attempts to exploit the Hermes WebUI terminal API.\u003c/li\u003e\n\u003cli\u003eEnsure proper network segmentation and firewall rules are in place to restrict access to Hermes WebUI instances from untrusted networks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T22:19:47Z","date_published":"2026-07-09T22:19:47Z","id":"https://feed.craftedsignal.io/briefs/2026-07-hermes-webui-rce/","summary":"An unauthenticated remote code execution vulnerability, CVE-2026-58123, exists in Hermes WebUI versions prior to 0.51.788, allowing remote attackers to execute arbitrary shell commands by accessing exposed terminal API endpoints without credentials, leading to full command execution as the server process user.","title":"Critical RCE Vulnerability in Hermes WebUI (CVE-2026-58123)","url":"https://feed.craftedsignal.io/briefs/2026-07-hermes-webui-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Hermes","version":"https://jsonfeed.org/version/1.1"}