{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/electerm/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-43944"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Electerm (\u003e= 3.0.6, \u003c 3.8.15)"],"_cs_severities":["critical"],"_cs_tags":["code-execution","protocol-handler","electerm"],"_cs_type":"advisory","_cs_vendors":["Electerm"],"content_html":"\u003cp\u003eElecterm, a free and open-source terminal/ssh/sftp client, is vulnerable to arbitrary code execution. Versions 3.0.6 through 3.8.14 are susceptible to this vulnerability. An attacker can exploit this by crafting a malicious \u003ccode\u003eelecterm://\u003c/code\u003e URI or by crafting a shortcut/command that launches electerm with attacker-controlled \u003ccode\u003e--opts\u003c/code\u003e arguments. Successful exploitation requires a user to click the malicious link or open the malicious shortcut file. This vulnerability allows attackers to execute arbitrary code on the victim\u0026rsquo;s machine, potentially leading to system compromise, data theft, or other malicious activities. The vulnerability was reported by Curly-Haired-Baboon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003eelecterm://\u003c/code\u003e URI or a shortcut/command containing malicious \u003ccode\u003e--opts\u003c/code\u003e arguments.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the malicious URI or shortcut/command to the victim via social engineering or other means.\u003c/li\u003e\n\u003cli\u003eThe victim clicks on the malicious \u003ccode\u003eelecterm://\u003c/code\u003e URI or opens the malicious shortcut/command.\u003c/li\u003e\n\u003cli\u003eElecterm is launched with the attacker-controlled parameters.\u003c/li\u003e\n\u003cli\u003eDue to insufficient validation of the input, the attacker\u0026rsquo;s payload is processed by Electerm.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s payload executes arbitrary code on the victim\u0026rsquo;s machine.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the compromised system, enabling them to perform malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to arbitrary code execution on the victim\u0026rsquo;s machine. This can result in a wide range of malicious activities, including but not limited to, system compromise, data theft, installation of malware, and denial of service. Given the nature of Electerm as a terminal client, attackers could potentially gain access to sensitive credentials and systems managed through the application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Electerm to version 3.8.15 or later to patch CVE-2026-43944.\u003c/li\u003e\n\u003cli\u003eDisable or unregister electerm protocol handlers (Deep Link settings) as a workaround.\u003c/li\u003e\n\u003cli\u003eAvoid clicking \u003ccode\u003eelecterm://\u003c/code\u003e links from untrusted sources.\u003c/li\u003e\n\u003cli\u003eRefrain from running electerm with untrusted \u003ccode\u003e--opts\u003c/code\u003e arguments or opening \u003ccode\u003e.lnk\u003c/code\u003e / \u003ccode\u003e.desktop\u003c/code\u003e files from untrusted sources.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Electerm URI Protocol Handler Abuse\u0026rdquo; to identify attempts to exploit this vulnerability by monitoring process execution that involves the electerm protocol.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-08T18:46:04Z","date_published":"2026-05-08T18:46:04Z","id":"/briefs/2024-05-electerm-code-exec/","summary":"Electerm versions 3.0.6 through 3.8.14 are vulnerable to arbitrary local code execution via crafted electerm:// URIs or command-line arguments, requiring a user to click a malicious link or open a malicious shortcut file.","title":"Electerm Arbitrary Code Execution via Crafted URI or CLI Arguments","url":"https://feed.craftedsignal.io/briefs/2024-05-electerm-code-exec/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-43943"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["electerm (\u003c= 3.7.8)"],"_cs_severities":["high"],"_cs_tags":["rce","electerm","sftp","remote code execution"],"_cs_type":"advisory","_cs_vendors":["electerm"],"content_html":"\u003cp\u003eElecterm, a terminal/ssh/sftp client, is vulnerable to a remote code execution (RCE) attack (CVE-2026-43943) when using the \u0026ldquo;open with system editor\u0026rdquo; or \u0026ldquo;Edit with custom editor\u0026rdquo; feature. This vulnerability affects versions 3.7.8 and earlier. A malicious actor who controls the SSH server or has the ability to manipulate filenames can inject shell metacharacters into a filename. When a user attempts to open the file with the vulnerable feature, Electerm passes the filename directly to the command line without sanitization, leading to command execution with the user\u0026rsquo;s privileges. This allows the attacker to potentially run arbitrary code, install malware, or move laterally within the network. The vulnerability was patched in version 3.7.9.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises or sets up a malicious SSH server.\u003c/li\u003e\n\u003cli\u003eAttacker creates a file with a specially crafted filename containing shell metacharacters (e.g., \u003ccode\u003eevil; rm -rf /tmp; touch /tmp/pwned\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eVictim connects to the malicious SSH server using Electerm.\u003c/li\u003e\n\u003cli\u003eVictim browses the SFTP file system and sees the attacker-controlled filename.\u003c/li\u003e\n\u003cli\u003eVictim selects the malicious file and chooses the \u0026ldquo;open with system editor\u0026rdquo; or \u0026ldquo;Edit with custom editor\u0026rdquo; option.\u003c/li\u003e\n\u003cli\u003eElecterm executes a command to open the file, passing the malicious filename unsanitized to the system shell (e.g., \u003ccode\u003exdg-open \u0026quot;evil; rm -rf /tmp; touch /tmp/pwned\u0026quot;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe shell executes the injected commands, deleting files in \u003ccode\u003e/tmp\u003c/code\u003e and creating a file named \u003ccode\u003e/tmp/pwned\u003c/code\u003e in this example.\u003c/li\u003e\n\u003cli\u003eAttacker achieves arbitrary code execution on the victim\u0026rsquo;s machine with the user\u0026rsquo;s privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a malicious actor to execute arbitrary code on the victim\u0026rsquo;s machine. This could lead to a variety of malicious outcomes, including malware installation, data theft, or lateral movement within the victim\u0026rsquo;s network. The number of potential victims is limited to Electerm users who connect to untrusted SSH servers and use the vulnerable \u0026ldquo;open with system editor\u0026rdquo; or \u0026ldquo;Edit with custom editor\u0026rdquo; features. This vulnerability could have significant impact for developers and system administrators who rely on Electerm for remote server management.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Electerm to version 3.7.9 or later to patch CVE-2026-43943.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Electerm RCE via Filename\u003c/code\u003e to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eUntil a patch can be applied, refrain from using the \u0026ldquo;open with system editor\u0026rdquo; or \u0026ldquo;Edit with custom editor\u0026rdquo; feature when connected to untrusted SSH servers, as recommended in the advisory.\u003c/li\u003e\n\u003cli\u003eIf the \u0026ldquo;open with system editor\u0026rdquo; feature must be used, ensure connections are exclusively established with trusted servers and perform rigorous filename validation before editing.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-08T18:43:52Z","date_published":"2026-05-08T18:43:52Z","id":"/briefs/2024-01-electerm-rce/","summary":"A remote code execution vulnerability exists in Electerm versions 3.7.8 and earlier, where a malicious SSH server can inject arbitrary commands into a victim's system by crafting filenames with shell metacharacters that are executed when the user attempts to open or edit the file using the 'open with system editor' or 'edit with custom editor' feature.","title":"Electerm Remote Code Execution Vulnerability via Malicious Filenames","url":"https://feed.craftedsignal.io/briefs/2024-01-electerm-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.6,"id":"CVE-2026-43941"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["electerm (\u003c= 3.8.15)"],"_cs_severities":["high"],"_cs_tags":["rce","terminal","protocol handler"],"_cs_type":"advisory","_cs_vendors":["electerm"],"content_html":"\u003cp\u003eElecterm, a cross-platform terminal application, is vulnerable to an arbitrary protocol execution vulnerability (CVE-2026-43941) in versions 3.8.15 and earlier. This flaw stems from the application\u0026rsquo;s failure to properly validate URLs passed to the \u003ccode\u003eshell.openExternal\u003c/code\u003e function. An attacker who can control terminal output, such as through a compromised SSH server or a malicious plugin, can inject a crafted URI into the terminal. If a user clicks on this malicious link, Electerm will execute it using the operating system\u0026rsquo;s default protocol handler, potentially leading to code execution, data exfiltration, or other malicious activities. This vulnerability requires user interaction (clicking the link) to be exploited.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises a remote SSH server or injects malicious content into terminal output.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URI containing a dangerous protocol handler like \u003ccode\u003ems-msdt:\u003c/code\u003e, \u003ccode\u003esearch-ms:\u003c/code\u003e, or \u003ccode\u003efile://\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious URI is printed to the Electerm terminal connected to the compromised SSH server.\u003c/li\u003e\n\u003cli\u003eThe victim, using Electerm, views the terminal output containing the malicious URI.\u003c/li\u003e\n\u003cli\u003eThe victim clicks on the malicious URI hyperlink in the Electerm terminal.\u003c/li\u003e\n\u003cli\u003eElecterm\u0026rsquo;s \u003ccode\u003eshell.openExternal\u003c/code\u003e function executes the URI without proper validation.\u003c/li\u003e\n\u003cli\u003eThe operating system\u0026rsquo;s default protocol handler is invoked, executing the attacker\u0026rsquo;s payload (e.g., code execution via \u003ccode\u003ems-msdt:\u003c/code\u003e, NTLM hash leak via \u003ccode\u003efile://\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker achieves arbitrary code execution or exfiltrates sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-43941) could allow an attacker to execute arbitrary code on a victim\u0026rsquo;s machine. This could lead to complete system compromise, data theft, or the installation of malware. The vulnerability affects all Electerm users who interact with untrusted terminal outputs. The number of potential victims is dependent on Electerm\u0026rsquo;s user base. If successfully exploited, an attacker gains the privileges of the user running Electerm.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Electerm Suspicious URI Invocation\u0026rdquo; to detect attempts to exploit CVE-2026-43941 by monitoring process creations with unusual protocol handlers (see rule definition below).\u003c/li\u003e\n\u003cli\u003eApply the workaround to disable hyperlink rendering in electerm\u0026rsquo;s terminal settings until a patch is available.\u003c/li\u003e\n\u003cli\u003eMonitor the electerm GitHub releases and security page for an update addressing this issue.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T12:00:00Z","date_published":"2024-07-03T12:00:00Z","id":"/briefs/2024-07-electerm-rce/","summary":"Electerm versions 3.8.15 and earlier are vulnerable to arbitrary code execution due to improper validation of URLs, allowing attackers to execute commands by tricking users into clicking malicious links in the terminal.","title":"Electerm Arbitrary Protocol Execution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-07-electerm-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2026-43940"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["electerm (\u003c 3.7.16)"],"_cs_severities":["critical"],"_cs_tags":["path-traversal","code-execution","electerm"],"_cs_type":"advisory","_cs_vendors":["electerm"],"content_html":"\u003cp\u003eElecterm versions before 3.7.16 are susceptible to a critical path traversal vulnerability within the \u003ccode\u003erunWidget\u003c/code\u003e function located in \u003ccode\u003esrc/app/widgets/load-widget.js\u003c/code\u003e. This function insecurely constructs file paths by concatenating user-supplied widget identifiers without proper sanitization. Successful exploitation of CVE-2026-43940 allows an attacker with JavaScript execution within the renderer process to load and execute arbitrary JavaScript files anywhere on the victim’s filesystem. This results in local code execution with the full privileges of the Electerm process, potentially leading to complete system compromise on Windows 10 and Linux systems. The vulnerability was confirmed on v3.7.9, Win10.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial JavaScript execution within Electerm\u0026rsquo;s renderer process, possibly via a malicious plugin or XSS.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious widget identifier containing path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe malicious widget identifier is passed to the \u003ccode\u003erunWidget\u003c/code\u003e function via an asynchronous IPC handler.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erunWidget\u003c/code\u003e function concatenates the unsanitized widget identifier into a file path: \u003ccode\u003ewidget-${widgetId}.js\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe resulting file path includes the path traversal sequences, allowing access to arbitrary files.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erequire()\u003c/code\u003e function attempts to load and execute the JavaScript file at the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eIf the path traversal is successful, an arbitrary JavaScript file is executed with Electerm process privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution, leading to complete system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants an attacker local code execution with the privileges of the Electerm process. This enables them to perform actions such as installing malware, stealing sensitive data, or compromising the entire system. The vulnerability affects Electerm users on Windows 10 and Linux systems who are running versions prior to 3.7.16. A successful attack could lead to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Electerm to version 3.7.16 or later to patch CVE-2026-43940.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Electerm Widget Loading\u003c/code\u003e to your SIEM and tune for your environment to detect path traversal attempts.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging on Windows and Linux systems to enhance visibility and enable the \u003ccode\u003eDetect Suspicious Electerm Widget Loading\u003c/code\u003e rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-09T12:00:00Z","date_published":"2024-05-09T12:00:00Z","id":"/briefs/2024-05-electerm-rce/","summary":"Electerm versions prior to 3.7.16 are vulnerable to path traversal, leading to arbitrary code execution through unsanitized widget identifiers.","title":"Electerm Path Traversal Vulnerability Leads to Arbitrary Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-05-electerm-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Electerm","version":"https://jsonfeed.org/version/1.1"}