OS Command Injection in Termix /ssh/tunnel/connect
CVE-2026-45748 is an OS command injection vulnerability in Termix, a web-based server management platform that provides SSH terminal, tunneling, and file editing functionality. In Termix versions prior to 2.3.2, the POST /ssh/tunnel/connect endpoint constructs an SSH tunnel command by directly interpolating user-controlled host record fields, specifically endpointIP, endpointUsername, and password, into a shell command without proper escaping or neutralization of shell metacharacters. Because these values are incorporated into a command executed on the source SSH host, an attacker can inject arbitrary operating system commands. The issue is described as persistent because the malicious payload can be stored in host record fields and later triggered when the tunnel connection workflow is invoked.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates critical remote impact with high effects across confidentiality, integrity, and availability.Mitigation
If you can’t patch tonight, do this now.
POST /ssh/tunnel/connect. Remove or sanitize existing host records containing shell metacharacters or unexpected values in endpointIP, endpointUsername, and password. Limit network exposure of the Termix interface, enforce strong authentication and least-privilege access, and run the Termix service with minimal OS privileges to reduce post-exploitation impact. Monitor for suspicious tunnel invocations and unexpected command execution on source SSH hosts.Remediation
Patch, then assume compromise.
POST /ssh/tunnel/connect endpoint. The fix should eliminate shell-based interpolation of untrusted host record fields and ensure that SSH tunnel parameters are passed safely without invoking a shell or with strict escaping and argument separation. Validate that all deployments are running the patched release and review stored host records for malicious values that may have been persisted prior to upgrade.Exploits
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.