HIGH 7.8

CVE-2026-45353: Electerm Terminal Client Local Privilege Escalation Vulnerability

Electerm, an open-source multi-protocol terminal and remote access client supporting SSH, SFTP, Telnet, serial ports, RDP, VNC, Spice, and FTP, contains a high-severity vulnerability affecting versions 3.0.6 through 3.8.8. The issue stems from improper file permissions and unsafe code execution patterns that allow a local attacker with standard user privileges to gain full control over system resources—reading sensitive data, modifying files, and disrupting availability. The vulnerability is resolved in version 3.9.0.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-732, CWE-94, CWE-940
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. From 3.0.6 to 3.8.8, This vulnerability is fixed in 3.9.0.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This vulnerability involves a combination of weak file permission controls (CWE-732), unsafe code evaluation (CWE-94), and improper input handling (CWE-940). The flaw allows a low-privileged local attacker to exploit inadequate permission boundaries and code execution mechanisms within electerm's architecture. Given the CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, exploitation requires local access and valid credentials but no user interaction, enabling confidentiality, integrity, and availability compromise without privilege escalation requirements.

Business impact

Organizations using electerm as a centralized terminal client face elevated risk to data confidentiality and operational continuity. Compromised terminal sessions could expose credentials, session keys, and connection metadata to privileged local attackers. In environments where electerm serves as a jump host or access gateway, successful exploitation may grant attackers lateral movement pathways into critical infrastructure. The high impact across all three security pillars (CIA) demands urgent remediation in production deployments.

Affected systems

Electerm versions 3.0.6 through 3.8.8 are vulnerable. This includes both deployed instances and development environments where the software is actively used. The impact is primarily on systems where local attackers can interact with the file system—virtual machines, shared hosting environments, and multi-tenant infrastructures present elevated risk. Check your deployment inventory for active versions; note that versions prior to 3.0.6 and 3.9.0 and later are not affected.

Exploitability

The vulnerability is practical to exploit in real-world scenarios where local user access exists, but does not require high privileges—a standard user account is sufficient. No network access or user interaction is necessary. However, exploitation is limited to local attack vectors; remote exploitation is not possible. The straightforward nature of local privilege abuse suggests reliable exploitation tools are feasible, though no public exploit has been documented to date and the vulnerability is not yet tracked in CISA's Known Exploited Vulnerabilities (KEV) catalog.

Remediation

Upgrade electerm to version 3.9.0 or later immediately. This release patches the permission and code execution flaws. Before upgrading, audit your deployment to identify all instances running affected versions, particularly in production terminal access infrastructure. If immediate patching is not feasible, implement strict file system access controls and monitor electerm process execution for anomalous behavior as temporary mitigation.

Patch guidance

Apply the 3.9.0 release from the electerm project repository. Verify the upgrade by confirming the version string in the application UI or command-line interface. Test patched instances in a non-production environment to ensure compatibility with your terminal workflows and remote protocol configurations before rolling out to production. Review release notes for any breaking changes or configuration adjustments. For organizations using electerm in containerized or orchestrated environments, rebuild container images and redeploy accordingly.

Detection guidance

Monitor file system access patterns around electerm configuration and session cache directories for unexpected permission changes or unauthorized reads. Inspect process execution logs for electerm spawning child processes with elevated privileges or executing unexpected code. File integrity monitoring tools can detect tampering with electerm binaries or libraries. Log all local user activities on systems running electerm, and correlate unusual file operations with known user workflows. In environments with security event correlation, flag any electerm process interactions that deviate from baseline terminal and protocol operation patterns.

Why prioritize this

Despite the local-only attack vector, the high CVSS score (7.8) reflects severe confidentiality, integrity, and availability impact. The vulnerability's presence in popular multi-protocol terminal software used for infrastructure access amplifies risk—compromised sessions can cascade into lateral movement attacks. The straightforward exploitation path and lack of complex prerequisites elevate practical threat likelihood. Prioritize this above lower-impact network-accessible flaws and alongside other local privilege escalation vulnerabilities in your patch strategy.

Risk score, explained

The CVSS 3.1 score of 7.8 (HIGH) reflects the combination of local attack surface (AV:L), low attack complexity (AC:L), low privilege requirement (PR:L), and high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). The lack of scope change (S:U) indicates the attack stays within the affected component. While the local-only vector prevents remote exploitation, the ease of exploitation for any local user, coupled with the terminal client's role in accessing sensitive systems, justifies the high severity classification. This is not a critical remote code execution flaw, but it is a serious local control vulnerability that warrants expedited patching in any multi-user or shared-host environment.

Frequently asked questions

Does this vulnerability require network access to exploit?

No. This is a local-only vulnerability requiring an attacker to have valid user credentials and access to the system where electerm is installed. Remote exploitation is not possible; network-based detection and prevention are not applicable.

If we run electerm in a restricted container or sandbox, are we still at risk?

Risk is substantially reduced but not eliminated. Container or user namespace isolation can mitigate local privilege escalation if electerm is confined to a separate security context. However, if an attacker gains a foothold within that container or context, they can still exploit the vulnerability to escalate within that boundary. Confirm your isolation strategy accounts for local user attacks within the container.

What versions of electerm should we be running?

Upgrade to version 3.9.0 or later. Versions 3.0.6 through 3.8.8 are vulnerable. If you are running an older version (prior to 3.0.6), verify it is no longer in active use, as it may harbor other unpatched issues.

Is there a workaround if we cannot patch immediately?

Patching is the recommended fix. As a temporary measure, restrict file system permissions on electerm's configuration and cache directories to the minimum necessary, disable local user shell access where possible, and implement continuous monitoring of electerm process execution and file system activity. These steps reduce but do not eliminate risk.

This analysis is based on publicly available vulnerability data as of the publication date. CVSS scores and affected versions are as provided by official sources and should be verified against the electerm project's official advisory and repository. This explainer is informational and does not constitute professional security advice. Organizations should conduct their own risk assessment, testing, and deployment planning. Always verify patch applicability and compatibility in your specific environment before production deployment. SEC.co makes no guarantee regarding the completeness or real-time accuracy of this intelligence and recommends cross-referencing official vendor advisories and security resources. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).