PatchSiren cyber security CVE debrief
CVE-2026-45787 electerm CVE debrief
CVE-2026-45787 documents cryptographic weaknesses in electerm, an open-source terminal/SSH/SFTP client, affecting versions prior to 3.9.5. The vulnerability stems from deterministic AES-192-CBC encryption using a fixed zero initialization vector (IV), constant key derivation function (KDF) salt, and absence of message authentication code (MAC) protection for synchronized bookmark and profile data. These implementation flaws enable two distinct attack vectors: (1) attackers can crack common passwords across multiple installations due to predictable cryptographic parameters, and (2) adversaries can perform undetected ciphertext bit-flipping attacks to alter configuration data or bookmarks without knowledge of the encryption key. The CVSS 4.0 vector indicates network attack vector with high attack complexity, requiring prior access to encrypted data. The vulnerability was disclosed on 2026-05-28 with a fix released in electerm version 3.9.5. Multiple CWE classifications apply including CWE-326 (inadequate encryption strength), CWE-329 (use of non-random IV), CWE-353 (missing integrity check), CWE-759 (use of hard-coded credentials), and CWE-916 (use of password hash with insufficient computational effort).
- Vendor: electerm
- Product: Unknown
- CVSS: MEDIUM (6.0)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Organizations using electerm for SSH/terminal access with synchronization enabled; security teams managing remote access tooling; developers evaluating terminal client cryptographic implementations; compliance officers assessing data protection for configuration synchronization.
Technical summary
The electerm terminal client prior to version 3.9.5 implements custom encryption for synchronized data using AES-192-CBC with three critical flaws: (1) a hard-coded zero IV eliminates semantic security, causing identical plaintexts to produce identical ciphertexts; (2) a constant KDF salt removes per-installation randomization, allowing precomputation attacks and cross-installation password hash comparison; (3) absence of MAC or authenticated encryption permits undetected bit-flipping attacks where attackers can modify ciphertext to alter decrypted configuration without possessing the key. These weaknesses particularly impact bookmark and profile synchronization features where encrypted data may traverse untrusted channels or storage. The attack complexity is rated HIGH due to prerequisite access requirements, but successful exploitation yields high confidentiality impact and low integrity impact per CVSS 4.0 scoring. The vendor addressed all three issues in version 3.9.5.
Defensive priority: medium
Recommended defensive actions
- Upgrade electerm to version 3.9.5 or later to obtain corrected cryptographic implementation
- Audit existing synchronized bookmarks and profiles for unauthorized modifications if prior versions were used
- Review and rotate any passwords used for electerm synchronization that may have been weak or reused across installations
- Verify integrity of configuration backups created with vulnerable versions before restoration
- Monitor for anomalous bookmark or profile changes in electerm deployments
Evidence notes
Official CVE record published 2026-05-28. GitHub Security Advisory GHSA-g29v-q6h7-76wh and commit 9dd8295e37d53396b980cd45dfc5ed11ad79b937 confirm fix in electerm 3.9.5. CVSS 4.0 score 6.0 (MEDIUM). Not listed in CISA KEV catalog.