PatchSiren cyber security CVE debrief
CVE-2026-45353 electerm CVE debrief
A critical vulnerability in electerm, an open-source terminal/SSH/SFTP client, affects versions 3.0.6 through 3.8.8. The vulnerability involves code injection weaknesses (CWE-94, CWE-732, CWE-940) that could allow an attacker with local access and low privileges to achieve complete compromise of confidentiality, integrity, and availability on the affected system. The CVSS 4.0 vector indicates local attack vector with low attack complexity, requiring low privileges but no user interaction. The vendor has released version 3.9.0 to address this issue. Organizations using affected versions should prioritize upgrading to 3.9.0 or later, as this vulnerability poses significant risk given the privileged nature of terminal/SSH clients and their access to sensitive systems and credentials.
- Vendor
- electerm
- Product
- Unknown
- CVSS
- CRITICAL 9.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-28
- Original CVE updated
- 2026-05-29
- Advisory published
- 2026-05-28
- Advisory updated
- 2026-05-29
Who should care
Organizations and individuals using electerm as their terminal/SSH client, particularly system administrators, DevOps engineers, and security professionals who rely on electerm for remote server management. This vulnerability is especially critical for environments where electerm is deployed on shared or multi-user systems, or where it stores SSH keys and credentials for production infrastructure access.
Technical summary
electerm versions 3.0.6 through 3.8.8 contain critical code injection vulnerabilities classified under CWE-94, CWE-732, and CWE-940. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) indicates a local attack vector with low complexity, requiring low privileges but no user interaction, resulting in complete compromise of system confidentiality, integrity, and availability. The vulnerability stems from improper control of code generation, incorrect permission assignments, and improper verification of communication sources. Given electerm's function as a terminal/SSH/SFTP client with privileged access to remote systems, exploitation could expose sensitive credentials and provide attackers with unauthorized access to critical infrastructure. The vendor patched this vulnerability in version 3.9.0 via commit 0599e67069b00e376a2e962649aaad6096e63507.
Defensive priority
critical
Recommended defensive actions
- Upgrade electerm to version 3.9.0 or later immediately
- Review and audit any systems where electerm was used with versions 3.0.6 through 3.8.8 for signs of compromise
- Consider rotating SSH keys and credentials that may have been exposed through affected electerm installations
- Implement application whitelisting and least-privilege principles to limit exposure of terminal clients
- Monitor for unusual process execution or code injection attempts on endpoints running electerm
Evidence notes
Vulnerability affects electerm versions 3.0.6 to 3.8.8; fixed in 3.9.0. CVSS 4.0 score of 9.3 (CRITICAL) with local attack vector. Weaknesses include CWE-94 (Improper Control of Generation of Code), CWE-732 (Incorrect Permission Assignment for Critical Resource), and CWE-940 (Improper Verification of Source of a Communication Channel).
Official resources
2026-05-28