CVE-2026-41500

GitHub · Electerm

A command injection vulnerability in Electerm allows attackers to execute arbitrary code by supplying a malicious release name.

Executive summary

A command injection vulnerability in Electerm prior to version 3.3.8 allows attackers to execute arbitrary code, posing a critical security risk to user systems.

Vulnerability

The runMac() function fails to validate the releaseInfo.name variable before passing it to the exec() function, allowing for arbitrary command injection.

Business impact

With a CVSS score of 9.8, this vulnerability allows for full system compromise on affected machines. An attacker successfully exploiting this can execute arbitrary code with the privileges of the user running the application, leading to complete data theft or malware installation.

Remediation

Immediate Action: Upgrade to Electerm version 3.3.8 or later.

Proactive Monitoring: Monitor for suspicious process creation or unexpected network connections originating from the Electerm application.

Compensating Controls: Avoid using the application with elevated privileges and ensure that the host OS is protected by robust endpoint detection and response (EDR) solutions.

Exploitation status

Public Exploit Available: No

Analyst recommendation

All users of Electerm must upgrade to version 3.3.8 immediately. The severity of the command injection flaw makes this a high-priority update for any security-conscious deployment.