Severity by source
Primary rating from GitHub Advisory (the only source for this CVE).
CVSS vector (GitHub Advisory): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Description (GitHub Advisory)
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The POST /users/totp/disable and POST /users/totp/backup-codes endpoints in Termix prior to version 2.3.2 accept the account password as a sole authentication factor for MFA-critical operations. An attacker who obtains a user's password (phishing, credential stuffing, the passwordHash leak in GHSA-xxxx) can disable TOTP entirely or regenerate backup codes, without ever possessing the TOTP device or knowing a valid TOTP code. This renders two-factor authentication ineffective. Version 2.3.2 patches the issue.
Analysis (AI)
Authentication bypass of MFA in Termix versions prior to 2.3.2 allows an attacker who already holds a victim's account password to disable TOTP or regenerate backup codes via the POST /users/totp/disable and POST /users/totp/backup-codes endpoints, completely neutralizing the second factor. The flaw stems from these MFA-critical endpoints accepting the account password as the sole authentication factor, meaning credential stuffing, phishing, or a leaked password hash (referenced as GHSA-xxxx) is sufficient to defeat 2FA. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | The attacker must already possess the victim's Termix account password (via phishing, credential stuffing, or the related passwordHash leak cited in the advisory as GHSA-xxxx) and must reach a Termix instance prior to version 2.3.2 over the network; no TOTP code, backup code, or possession of the second-factor device is required. … |
| Risk Assessment | The CVSS 8.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) reflects a network-reachable, low-complexity attack requiring only low privileges (an existing authenticated session via stolen password) with high confidentiality and integrity impact and no user interaction, a realistic profile for a post-credential-compromise scenario. … |
| Exploit Scenario | An attacker phishes or credential-stuffs a Termix user's password, or reuses a hash recovered from the related passwordHash leak referenced in the advisory, and logs into the web UI. They then issue a POST /users/totp/disable request (authenticated only by that password) to switch off TOTP, or POST /users/totp/backup-codes to mint fresh recovery codes, and from there log in cleanly as the victim to pivot into managed SSH hosts, tunnels, and stored credentials. … |
| Remediation | Vendor-released patch: upgrade to Termix 2.3.2 or later, available at https://github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tag, which corrects the authentication policy on POST /users/totp/disable and POST /users/totp/backup-codes. … |
Recommended Action (AI)
Within 24 hours: Identify all Termix instances in use and document their versions; alert security operations and SOC to monitor authentication logs for suspicious MFA modification attempts. …
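One way to act on the monitoring advice above, as an added example rather than anything from vuln.today or Termix: scan an audit log for successful calls to the two MFA step-down endpoints and raise the severity when the call follows closely on a login from an IP address not previously associated with that user. The JSON-lines log format, the sample entries and the known-IP baseline are all constructed for this illustration.

```javascript
// Added detection sketch (not vuln.today's or Termix's code). Log format is
// constructed: one JSON object per line with ts, user, ip, method, path, status.
const MFA_STEP_DOWN = new Set(["/users/totp/disable", "/users/totp/backup-codes"]);
const NEW_IP_WINDOW_SECONDS = 15 * 60;

// Constructed sample: alice changes codes from her usual IP; bob's TOTP is
// disabled minutes after a login from an address never seen for him.
const SAMPLE_LOG = `
{"ts":1700000000,"user":"alice","ip":"10.0.0.5","method":"POST","path":"/users/login","status":200}
{"ts":1700000400,"user":"alice","ip":"10.0.0.5","method":"POST","path":"/users/totp/backup-codes","status":200}
{"ts":1700003000,"user":"bob","ip":"198.51.100.7","method":"POST","path":"/users/login","status":200}
{"ts":1700003100,"user":"bob","ip":"198.51.100.7","method":"POST","path":"/users/totp/disable","status":200}
{"ts":1700003200,"user":"bob","ip":"198.51.100.7","method":"GET","path":"/ssh/hosts","status":200}
`.trim().split("\n");

// Returns one finding per successful MFA step-down request. Severity is
// "high" when the request comes within NEW_IP_WINDOW_SECONDS of that user's
// first login from an IP absent from the knownIps baseline, else "medium"
// (every such request still deserves review).
function findMfaStepDowns(lines, knownIps = {}) {
  const firstLogin = new Map(); // "user|ip" -> ts of first successful login in this log
  const findings = [];
  for (const line of lines) {
    const e = JSON.parse(line);
    const key = `${e.user}|${e.ip}`;
    if (e.path === "/users/login" && e.status === 200) {
      if (!firstLogin.has(key)) firstLogin.set(key, e.ts);
      continue;
    }
    if (e.method !== "POST" || !MFA_STEP_DOWN.has(e.path) || e.status !== 200) continue;
    const ipKnown = (knownIps[e.user] || []).includes(e.ip);
    const loginTs = firstLogin.get(key);
    const freshUnknownIp =
      !ipKnown && loginTs !== undefined && e.ts - loginTs <= NEW_IP_WINDOW_SECONDS;
    findings.push({ user: e.user, ip: e.ip, path: e.path, ts: e.ts,
                    severity: freshUnknownIp ? "high" : "medium" });
  }
  return findings;
}
```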
Other Termix advisories
- Docker default credentials in Termix server management. PoC and patch available.
- Stored XSS in Termix File Manager (versions 1.7.0-1.9.0) allows attackers with SSH server access to execute arbitrary Ja
- Remote command execution in Termix web-based server management platform (versions prior to 2.3.2) allows any authenticat
- OS command injection in Termix web-based server management platform prior to version 2.3.2 allows remote unauthenticated
- Cross-tenant remote code execution in Termix (web-based SSH/file management platform) prior to version 2.3.2 allows an a
- Command injection in Termix server management platform before version 2.3.2 allows authenticated users to execute arbitr
- Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to v
- Cross-tenant SSH session hijacking in Termix versions prior to 2.3.2 allows any authenticated user to fully control anot
- Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to v
- Machine-in-the-middle interception of HTTPS traffic in Termix Desktop (Electron) starting at version 1.7.0 allows attack
Same weakness: CWE-308 – Use of Single-factor Authentication
Same technique: Information Disclosure
EUVD ID: EUVD-2026-34877