HIGH 8.1

CVE-2026-45743: Termix Authorization Bypass in SSH File Manager

Termix is a web-based platform for managing remote servers via SSH, offering terminal access, port tunneling, and file editing. A critical flaw in 16 file-manager endpoints allows any authenticated user to hijack another user's active SSH session by guessing or learning their session ID. Once hijacked, an attacker gains full file access on the victim's connected server—they can read sensitive files, modify or delete critical data, download files, and execute arbitrary commands. This is a privilege escalation vulnerability: you only need valid credentials to Termix itself, not the target SSH host. The vulnerability has been fixed in version 2.3.2.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Weaknesses (CWE)
CWE-639
Affected products
1 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. 16 file-manager endpoints in Termix prior to version 2.3.2 do not verify that the requesting user owns the SSH session identified by `sessionId`. An authenticated attacker who knows or guesses another user's active `sessionId` can read, write, delete, download, and execute files on the victim's connected SSH host. Version 2.3.2 patches the issue.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability is an authorization bypass (CWE-639: Authorization through User-Controlled Key) affecting 16 file-manager API endpoints in Termix versions prior to 2.3.2. These endpoints accept a `sessionId` parameter to identify which SSH session a file operation applies to, but fail to validate that the authenticated user making the request actually owns that session. An attacker with valid Termix credentials can enumerate or brute-force active session IDs—potentially low-entropy or sequential—and invoke file operations (read, write, delete, download, execute) on any victim's connected SSH host without the victim's knowledge or consent. The attack requires network access to Termix and valid authentication credentials, but no interaction with the target SSH host itself.

Business impact

Organizations using Termix for team-based SSH management face significant data theft and integrity risks. An employee with legitimate Termix access (or an external attacker who has compromised one employee's credentials) can silently exfiltrate sensitive data from colleagues' connected servers, plant backdoors or malware, destroy logs or production data, or trigger destructive commands. This is particularly damaging in shared DevOps, infrastructure, or cloud-management environments where multiple users connect to the same critical hosts. Incident response is complicated because the attacker's actions appear to originate from a legitimate SSH session, obscuring the true origin. Compliance violations (data loss, unauthorized modification) are likely for regulated industries.

Affected systems

Termix versions prior to 2.3.2 are affected. All deployments of Termix in that version range are at risk if they have multiple users with active SSH sessions. The vulnerability applies to any SSH host that users connect to via Termix; the SSH host itself does not need to be outdated or misconfigured. Termix installations in air-gapped or internal-only networks are not immune—insider threats or lateral movement by a compromised employee remains a viable attack path.

Exploitability

Exploitability is moderately straightforward. An attacker needs valid Termix credentials (not elevated privilege; a regular user account suffices), which may be obtained through credential compromise, insider threat, or social engineering. Session ID enumeration or brute-force is the main technical hurdle; if session IDs are poorly randomized or predictable, exploitation becomes trivial. No interaction with the victim is required, no user-controlled choice needs to be made, and no complex conditions need to be met—just sending a file-manager API request with a guessed `sessionId`. The CVSS score of 8.1 (HIGH) reflects low attack complexity, low privilege requirement, and high impact on confidentiality and integrity, though availability of the Termix service itself is not directly affected.

Remediation

Immediately upgrade Termix to version 2.3.2 or later. This is the only remediation provided by the vendor. Do not wait for a scheduled maintenance window if Termix is used for critical infrastructure access. For organizations unable to patch immediately, enforce strict network segmentation (Termix should be accessible only to trusted users and networks), implement IP whitelisting or VPN-only access to Termix, monitor and log all file-manager API requests for anomalies, and disable Termix features if they are not actively used. However, these controls are temporary; patching is mandatory.

Patch guidance

Upgrade to Termix version 2.3.2 or later. Verify the patch against the Termix vendor advisory to confirm the version number and any associated release notes. Test the upgrade in a non-production environment first to ensure compatibility with your workflows and any customizations. After patching, restart Termix services and any dependent applications. Confirm that active SSH sessions remain functional and that file-manager operations complete successfully. No database migrations or configuration changes are mentioned in the patch; however, review the vendor advisory for any specific post-upgrade steps. If you are running a version between the earliest released version and 2.3.2, you are affected and must patch.

Detection guidance

Monitor Termix API access logs for anomalies: (1) file-manager endpoints being invoked by users for sessions they did not initiate, (2) rapid or sequential `sessionId` values in requests (suggesting enumeration), (3) file operations (delete, execute) on sessions belonging to other users, (4) access patterns that deviate from normal behavior (e.g., a user suddenly accessing a session from a different geographic location or IP). Implement alerting on failed file-manager requests with mismatched `sessionId` ownership. Audit active SSH sessions and their associated users to identify orphaned or compromised sessions. Cross-reference Termix audit logs with SSH host logs to identify file operations that do not correlate with the expected user. Note that if the attacker is careful, detection may be limited to Termix-side logs; SSH host logs will show the hijacked user's credentials, not the attacker's.

Why prioritize this

This vulnerability should be prioritized for immediate patching due to the combination of moderate exploitability (requires valid credentials but straightforward enumeration/brute-force of session IDs), high impact (full file access including read, write, delete, execute), and broad applicability to any Termix deployment with multiple concurrent users. The CVSS score of 8.1 and the nature of the flaw (authorization bypass on critical file operations) make it a high-risk issue. If Termix is used for production infrastructure or sensitive data access, this is a critical patch. Even if Termix is used only for non-sensitive administration, the ability to hijack and impersonate another user's session is a significant security control failure that undermines trust in the platform.

Risk score, explained

CVE-2026-45743 has a CVSS 3.1 score of 8.1 (HIGH) based on the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. This reflects: (1) Network-accessible attack vector (AV:N) — no physical access needed; (2) Low attack complexity (AC:L) — no special conditions or timing required; (3) Low privilege requirement (PR:L) — a standard authenticated user can exploit it; (4) No user interaction (UI:N) — the victim need not click a link or take action; (5) Unchanged scope (S:U) — the attacker does not escape Termix's security perimeter to compromise other systems, but (6) High confidentiality and integrity impact (C:H, I:H) — full read and write access to files on the victim's SSH host; (7) No availability impact (A:N) — the SSH host itself remains functional. The score accurately captures a serious but not critical flaw—it is below the 9.0 threshold for CRITICAL, but well above the 5.5 baseline for MEDIUM.

Frequently asked questions

Do I need Termix admin credentials to exploit this, or can a regular user do it?

A regular, non-admin Termix user can exploit this vulnerability. Any authenticated user with access to Termix's file-manager endpoints can attempt to hijack another user's session. Admin credentials are not required.

How would an attacker find another user's sessionId if it's not publicly listed?

Session IDs may be enumerated by brute-force (if they are sequential or low-entropy), leaked in logs or error messages, inferred from timing patterns of user activity, or obtained if the attacker has access to Termix's database or API responses. If session IDs follow a predictable pattern, an attacker can generate a list of likely values. The vulnerability does not require prior knowledge of the exact session ID; trial-and-error is sufficient.

Does upgrading to 2.3.2 require downtime or a full redeployment?

Verify with the Termix vendor advisory for specific upgrade steps. Typically, patching involves updating the Termix application binaries and restarting the service. Most patches do not require database migrations or configuration rewrites, but you should test in a staging environment and plan a maintenance window to minimize disruption.

If our Termix instance is only used by a small, trusted team, is this vulnerability less risky?

Not significantly. The vulnerability still allows insider threats or a single compromised credential to cascade into a multi-user compromise. Even a trusted team member who is compromised by malware or phishing, or a disgruntled employee, can exploit this flaw. Size and trust of the user base do not mitigate the underlying authorization bypass. Patching is still mandatory.

This analysis is provided for informational purposes only and should not be construed as professional security advice. Organizations must verify all vulnerability details, patch availability, and vendor guidance directly with Termix and their own security teams. No exploit code or weaponized proof-of-concept is provided. Patch testing should occur in controlled, non-production environments before deployment to live systems. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and assumes no liability for damages resulting from reliance on this information. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).