
Termix EUVD-2026-34877

CVE-2026-45749 HIGH
Use of Single-factor Authentication (CWE-308)
2026-06-05 GitHub_M
8.1 · CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory (PRIMARY): 8.1 HIGH, AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Patch available: Jun 05, 2026 - 20:02 (EUVD)
Source Code Evidence Fetched: Jun 05, 2026 - 18:43 (vuln.today)
Analysis Generated: Jun 05, 2026 - 18:43 (vuln.today)

Description (GitHub Advisory)

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The POST /users/totp/disable and POST /users/totp/backup-codes endpoints in Termix prior to version 2.3.2 accept the account password as a sole authentication factor for MFA-critical operations. An attacker who obtains a user's password (phishing, credential stuffing, the passwordHash leak in GHSA-xxxx) can disable TOTP entirely or regenerate backup codes, without ever possessing the TOTP device or knowing a valid TOTP code. This renders two-factor authentication ineffective. Version 2.3.2 patches the issue.
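
The policy difference described above, as an added example that is not Termix source code and not the 2.3.2 patch: a password-only authorisation check beside one that also demands a current TOTP code before an MFA setting may change. All function names, the request fields `password` and `totpCode`, and the sample account are hypothetical.

```javascript
// Added example (not Termix source): step-up check for MFA-critical endpoints.
const crypto = require("node:crypto");

// RFC 6238 TOTP: HMAC-SHA1, 30-second step, 6 digits, raw secret bytes.
function totp(secret, unixSeconds) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / 30)));
  const mac = crypto.createHmac("sha1", secret).update(counter).digest();
  const bin = mac.readUInt32BE(mac[19] & 0x0f) & 0x7fffffff;
  return String(bin % 1e6).padStart(6, "0");
}

// Accept the current step and one step either side; compare in constant time.
function verifyTotp(secret, code, now) {
  if (typeof code !== "string" || !/^\d{6}$/.test(code)) return false;
  let ok = false;
  for (const drift of [-30, 0, 30]) {
    const expected = Buffer.from(totp(secret, Math.max(0, now + drift)));
    if (crypto.timingSafeEqual(expected, Buffer.from(code))) ok = true;
  }
  return ok;
}

function verifyPassword(user, password) {
  if (typeof password !== "string") return false;
  const hash = crypto.scryptSync(password, user.salt, 32);
  return crypto.timingSafeEqual(hash, user.passwordHash);
}

// Weak policy, as the advisory describes it: the password alone authorises the change.
function authorizePasswordOnly(user, body) {
  return verifyPassword(user, body.password);
}

// Hardened policy (assumed design): password AND a current TOTP code.
function authorizeMfaChange(user, body, now = Date.now() / 1000) {
  const passwordOk = verifyPassword(user, body.password);
  const totpOk = !user.totpEnabled || verifyTotp(user.totpSecret, body.totpCode, now);
  return passwordOk && totpOk;
}

// Constructed sample account; the secret is the RFC 6238 test-vector key.
function sampleUser() {
  const salt = Buffer.from("constructed-salt");
  return { salt, passwordHash: crypto.scryptSync("correct horse", salt, 32),
           totpEnabled: true, totpSecret: Buffer.from("12345678901234567890") };
}
```

A production check would additionally reject a code that has already been accepted once and rate-limit failed attempts.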

Analysis (AI)

Authentication bypass of MFA in Termix versions prior to 2.3.2 allows an attacker who already holds a victim's account password to disable TOTP or regenerate backup codes via the POST /users/totp/disable and POST /users/totp/backup-codes endpoints, completely neutralizing the second factor. The flaw stems from these MFA-critical endpoints accepting the account password as the sole authentication factor, meaning credential stuffing, phishing, or a leaked password hash (referenced as GHSA-xxxx) is sufficient to defeat 2FA. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Recon: Obtain victim password via phishing or hash leak
Delivery: Authenticate to Termix web UI
Exploit: POST /users/totp/disable or /users/totp/backup-codes
Install: Server accepts password-only check
C2: MFA disabled or backup codes rotated
Execute: Log in as victim bypassing 2FA
Impact: Pivot to managed SSH hosts and tunnels

Vulnerability Assessment (AI)

Exploitation: The attacker must already possess the victim's Termix account password (via phishing, credential stuffing, or the related passwordHash leak cited in the advisory as GHSA-xxxx) and must reach a Termix instance prior to version 2.3.2 over the network - no TOTP code, backup code, or possession of the second-factor device is required. …

Risk Assessment: The CVSS 8.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) reflects a network-reachable, low-complexity attack requiring only low privileges (an existing authenticated session via stolen password) with high confidentiality and integrity impact and no user interaction - a realistic profile for a post-credential-compromise scenario. …

Exploit Scenario: An attacker phishes or credential-stuffs a Termix user's password, or reuses a hash recovered from the related passwordHash leak referenced in the advisory, and logs into the web UI. They then issue a POST /users/totp/disable request (authenticated only by that password) to switch off TOTP, or POST /users/totp/backup-codes to mint fresh recovery codes, and from there log in cleanly as the victim to pivot into managed SSH hosts, tunnels, and stored credentials. …

Remediation: Vendor-released patch: upgrade to Termix 2.3.2 or later, available at https://github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tag, which corrects the authentication policy on POST /users/totp/disable and POST /users/totp/backup-codes. …

Recommended Action (AI)

Within 24 hours: Identify all Termix instances in use and document their versions; alert security operations and SOC to monitor authentication logs for suspicious MFA modification attempts. …


More in Termix

CVE-2025-59951 CRITICAL POC
9.1 Oct 01

Docker default credentials in Termix server management. PoC and patch available.

CVE-2026-22804 HIGH POC
8.0 Jan 12

Stored XSS in Termix File Manager (versions 1.7.0-1.9.0) allows attackers with SSH server access to execute arbitrary Ja

CVE-2026-45744 CRITICAL
9.9 Jun 05

Remote command execution in Termix web-based server management platform (versions prior to 2.3.2) allows any authenticat

CVE-2026-45748 CRITICAL
9.8 Jun 05

OS command injection in Termix web-based server management platform prior to version 2.3.2 allows remote unauthenticated

CVE-2026-45746 CRITICAL
9.0 Jun 05

Cross-tenant remote code execution in Termix (web-based SSH/file management platform) prior to version 2.3.2 allows an a

CVE-2026-45750 CRITICAL
9.0 Jun 05

Command injection in Termix server management platform before version 2.3.2 allows authenticated users to execute arbitr

CVE-2026-42453 HIGH
8.7 May 08

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to v

CVE-2026-45743 HIGH
8.1 Jun 05

Cross-tenant SSH session hijacking in Termix versions prior to 2.3.2 allows any authenticated user to fully control anot

CVE-2026-42452 HIGH
8.1 May 08

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to v

CVE-2026-45745 HIGH
8.0 Jun 05

Machine-in-the-middle interception of HTTPS traffic in Termix Desktop (Electron) starting at version 1.7.0 allows attack


EUVD-2026-34877 vulnerability details – vuln.today
