HighPublic exploit

MFA bypass in Termix TOTP disable and backup code endpoints

IdentifiersCVE-2026-45749CWE-308· Use of Single-factor Authentication

CVE-2026-45749 affects Termix, a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. In versions prior to 2.3.2, the POST /users/totp/disable and POST /users/totp/backup-codes endpoints permitted MFA-sensitive account operations using only the account password as authentication. As a result, an attacker who has obtained valid user credentials could disable TOTP protection entirely or regenerate backup codes without possessing the enrolled TOTP device and without supplying a valid TOTP code. This is an authentication design flaw affecting MFA-critical workflows and effectively defeats the intended second factor for those operations.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker with a compromised password to neutralize or circumvent MFA protections on the targeted Termix account. Specifically, the attacker can disable TOTP or generate fresh backup codes, enabling continued authenticated access without the legitimate user's second factor. This materially increases the likelihood of account takeover and unauthorized access to the platform's server management functionality, with resulting confidentiality and integrity impact on managed systems and data. The provided context indicates no direct availability impact.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, restrict access to the affected Termix instance, closely monitor for requests to POST /users/totp/disable and POST /users/totp/backup-codes, and alert on unexpected MFA changes. Force password resets for potentially exposed accounts, especially where phishing, credential stuffing, or password-hash exposure is suspected. Review and revoke regenerated backup codes where possible. These measures reduce exposure but do not fully remediate the underlying flaw.

Remediation

Patch, then assume compromise.

Upgrade Termix to version 2.3.2 or later, which patches the vulnerable MFA workflows. Ensure that all MFA-critical operations, including TOTP disablement and backup code regeneration, require verification with the enrolled second factor or an equivalently strong re-authentication mechanism rather than password-only confirmation.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

TermixTermixapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app

cvefeed high severityNews

Jun 5, 2026

CVE-2026-45749 - Termix's TOTP two-factor authentication can be disabled or bypassed using only the account password

An improper authentication vulnerability in Termix prior to version 2.3.2 allows MFA-critical operations, including disabling TOTP or regenerating backup codes, using only the account password, undermining two-factor authentication.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity5

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-45749

NVD

nvd.nist.gov/vuln/detail/CVE-2026-45749

MITRE CWE · CWE-308

Use of Single-factor Authentication

Vendor Advisory

github.com/Termix-SSH/Termix/security/advisories/GHSA-wqfw-rqj7-fv9m

Release Notes

github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tag