CVE-2026-45749: Termix MFA Bypass via Password-Only Authentication
Termix, a web-based server management platform, has a critical flaw in how it protects two-factor authentication (2FA) settings. Before version 2.3.2, an attacker who knows a user's password can disable TOTP (a common 2FA method) or reset backup codes without needing the user's phone or any 2FA code. This means that if your password leaks—whether through phishing, credential stuffing, or a separate data breach—an attacker can lock you out of your 2FA protection and gain full access to your account. The vulnerability has been patched in version 2.3.2.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-308
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /users/totp/disable` and `POST /users/totp/backup-codes` endpoints in Termix prior to version 2.3.2 accept the account password as a sole authentication factor for MFA-critical operations. An attacker who obtains a user's password (phishing, credential stuffing, the passwordHash leak in GHSA-xxxx) can disable TOTP entirely or regenerate backup codes, without ever possessing the TOTP device or knowing a valid TOTP code. This renders two-factor authentication ineffective. Version 2.3.2 patches the issue.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
Termix versions prior to 2.3.2 do not enforce second-factor verification on the `/users/totp/disable` and `/users/totp/backup-codes` endpoints. These endpoints accept only the user's account password as authentication, despite their role in managing MFA recovery and bypass mechanisms. An attacker with valid credentials (PR:L) can make unauthenticated POST requests to these endpoints, supply the password, and immediately strip or regenerate 2FA tokens without possessing the TOTP device or providing a valid time-based code. This violates the principle that changes to security-critical account features should require re-authentication with the same or higher security factor. The CWE-308 classification reflects insufficient verification of data authenticity.
Business impact
Organizations using Termix for server access management face a significant reduction in actual security posture despite believing 2FA is in place. A password compromise—often the initial foothold in credential-stuffing campaigns or phishing attacks—becomes a complete account takeover without additional friction. For IT teams managing infrastructure via Termix, this means attackers can gain undetected terminal access, modify configurations, exfiltrate data, or deploy persistence mechanisms. The impact is particularly severe in environments where Termix is the gateway to sensitive production systems. Until patched, the 2FA implementation provides only single-factor protection during active compromise.
Affected systems
Termix versions before 2.3.2 are vulnerable. The affected endpoints are account-management features accessible to any authenticated user modifying their own settings or (depending on permission model) other users' MFA. Verify your current Termix deployment version against the vendor advisory to confirm whether you are running 2.3.2 or later. Organizations should check deployment manifests, container registries, and any air-gapped instances separately.
Exploitability
This vulnerability requires a valid user password but does not require the TOTP device, a backup code, or any other second factor. The attack surface is broad: any user account whose password has been compromised (or leaked in a third-party breach and reused) is immediately at risk. The endpoints are network-accessible (AV:N) and do not require special user interaction or complex exploitation techniques (AC:L). The attack can be automated and executed at scale. Given the prevalence of credential leaks and password reuse, the practical exploitability is high even though it formally requires prior authenticated access.
Remediation
Upgrade Termix to version 2.3.2 or later as soon as possible. Verify the upgrade is complete and restart all Termix services. After patching, review user activity logs for unauthorized TOTP disablement or backup-code regeneration, particularly around the published vulnerability date (2026-06-05). Force a password reset for high-value accounts (admins, service accounts) to invalidate any stolen credentials. Implement additional monitoring on MFA configuration endpoints. If Termix is internet-facing, consider temporarily restricting access via firewall or WAF rules to known IP ranges pending patch deployment.
Patch guidance
Version 2.3.2 of Termix includes the fix. Update from your current version to 2.3.2 or the latest available release. Consult the Termix release notes and vendor advisory for any migration or configuration changes required. Test the patch in a non-production environment first, paying particular attention to MFA workflows: verify that TOTP disable and backup-code regeneration now require successful TOTP challenge or another equally strong second factor. After production deployment, confirm all instances are running the patched version via version queries or package manifests.
Detection guidance
Monitor logs for repeated POST requests to `/users/totp/disable` or `/users/totp/backup-codes` from the same source IP or user account, especially outside normal business hours. Alert on successful password-authenticated requests to these endpoints followed immediately by a login without TOTP challenge. Check for backup-code regeneration events that do not correspond to user-initiated password resets or account recovery workflows. Correlate MFA-disablement events with concurrent failed MFA attempts or with logins from unusual geolocations. Query access logs for evidence of past unauthorized MFA changes in the window between 2026-06-05 and your patch deployment date.
Why prioritize this
This vulnerability rates HIGH (CVSS 8.1) because it directly undermines a critical compensating control—two-factor authentication—with only password-level authentication required. A password compromise, which is common and often invisible to the user, becomes a complete account takeover. For server management platforms like Termix, account takeover means unrestricted infrastructure access. The lack of KEV designation does not reflect the severity; organizations should not deprioritize based on KEV status. Patch immediately.
Risk score, explained
The CVSS 3.1 score of 8.1 (HIGH) reflects a network-accessible endpoint (AV:N) requiring only low privilege (PR:L—valid credentials) with no user interaction (UI:N), granting high confidentiality and integrity impact (C:H, I:H) on the user's account and systems accessible through it. The score does not account for availability impact (A:N) because the vulnerability is about unauthorized disablement of controls, not system DoS. The impact scope is unchanged (S:U), meaning the damage is limited to the user's own security context, but the ease of exploitation and the criticality of the affected feature (MFA bypass) elevate the score to HIGH. Given the vulnerability's role in breaking 2FA, the practical risk may exceed the numeric score.
Frequently asked questions
Does this vulnerability allow an attacker to gain access to Termix without any credentials?
No. The attacker must already have a valid username and password for a Termix account. However, passwords are commonly compromised through phishing, credential stuffing, or reused passwords from unrelated breaches. Once a password is obtained, the attacker can disable 2FA without needing the user's phone or TOTP codes, making further account compromise trivial.
If I have already patched to version 2.3.2, am I fully protected?
The patch prevents future MFA-disablement attacks through this vulnerability. However, you should check whether any unauthorized MFA changes occurred before your patch was deployed. Review logs for suspicious TOTP disable or backup-code regeneration events, and reset passwords for any accounts that may have been affected.
Why is this a vulnerability if the attacker needs the password anyway?
Because the password and the TOTP device are supposed to be independent factors. If an attacker obtains the password through a phishing attack or a breach of a different service (where you reused it), they should still be blocked by the second factor. This vulnerability allows the attacker to remove that protection using only the password, turning a two-factor system into a single-factor one in practice.
Does this affect backup codes, and are they a sufficient workaround?
The vulnerability also compromises backup codes. An attacker can regenerate them without possessing the original codes or TOTP device. Backup codes are a recovery mechanism, not a substitute for TOTP. Until patched, they provide no additional protection against password compromise.
This analysis is based on the CVE description and available vendor information as of the publication date. No exploit code or proof-of-concept steps are provided. Readers should verify patch availability and applicability against the official Termix vendor advisory and their own deployment documentation. CVSS scores and vulnerability classification are provided for context and do not constitute professional risk assessment for your environment. Organizations should conduct their own threat modeling and patch testing before production deployment. For the most current vulnerability information, consult https://nvd.nist.gov/vuln/detail/CVE-2026-45749 and the Termix security advisories. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-45743HIGHTermix Authorization Bypass in SSH File Manager
- CVE-2026-45745HIGHTermix Desktop TLS Certificate Validation Bypass – HIGH Severity
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction