CVE-2026-41501
electerm · electerm
A command injection vulnerability exists in electerm prior to version 3.3.8, where remote version strings are unsafely passed to system commands.
Executive summary
A critical command injection vulnerability in electerm allows attackers to execute arbitrary system commands by manipulating remote version data.
Vulnerability
The runLinux() function in install.js concatenates an attacker-controlled remote version string directly into a system rm -rf command. Because the string is never validated, any shell metacharacters it contains are interpreted by the shell as part of that command, which allows arbitrary command injection on the host system.
Business impact
With a CVSS score of 9.8, this vulnerability allows for remote code execution with the privileges of the application. This could lead to a complete system compromise, including the deletion of files, installation of malware, or exfiltration of sensitive configuration data stored within the terminal client environment.
Remediation
Immediate Action: Upgrade the electerm application to version 3.3.8 or later to resolve the unsafe command execution logic.
Proactive Monitoring: Monitor system logs for unauthorized file deletion attempts or unexpected child processes initiated by the electerm application.
Compensating Controls: Restrict the permissions of the user account running the terminal client to the minimum necessary level to contain the potential impact of an exploit.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the potential for full system compromise via command injection, organizations should prioritize updating electerm to version 3.3.8. Immediate remediation is necessary to prevent attackers from leveraging this vulnerability to gain control over local systems.