A critical command injection vulnerability in Termix allows authenticated users to achieve persistent remote code execution on the source SSH host.

The POST /ssh/tunnel/connect endpoint interpolates user-controlled host fields directly into shell commands without sufficient escaping. This allows an authenticated attacker to inject arbitrary commands that persist on the source SSH host.

With a CVSS score of 9.8, this flaw poses a catastrophic risk to the security of the management environment. The ability to inject persistent commands means that an attacker can establish long-term unauthorized access, potentially escalating privileges and compromising the integrity of the entire SSH tunnel infrastructure.

Immediate Action: Apply the update to Termix version 2.3.2 to resolve the command injection flaw.

Proactive Monitoring: Audit existing SSH tunnel configurations and host record fields for evidence of injected payloads or unauthorized modifications.

Compensating Controls: Employ network-level egress filtering to limit the impact of potential command execution and restrict access to the tunnel management interface.

Public Exploit Available: False

Given the potential for persistent command execution, immediate patching to version 2.3.2 is mandatory. Security teams should also perform a thorough audit of existing host records to ensure no malicious commands have already been injected into the system.