← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-45750 · CWE-78 · Disclosed 2026-06-05

Termix is a web-based server management platform with SSH terminal

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a loaded admin console, not a drive-by worm

For the exact ID CVE-2026-45750, I could not corroborate a public NVD/GHSA advisory with affected version ranges or a fixed build in accessible sources as of 2026-06-05. Using your supplied intel only, the best-fit read is: Termix has a CWE-78 command injection path that is reachable over the web, but the vendor's own CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H says the attacker still needs a valid low-privilege account and a user interaction event.

That matters. Termix is a sensitive orchestration plane for SSH sessions, tunnels, file editing, and stored credentials, so impact can be ugly once an attacker is in. But PR:L + UI:R is not 'internet-to-root in one HTTP request'; it is a narrowed, post-initial-access path inside an admin workflow. Vendor CRITICAL 9.0 reads inflated for enterprise prioritization unless fresh evidence appears showing broad public exposure, easy weaponization, or active exploitation.

"This is not an internet one-shot; it looks like a post-auth, user-assisted command injection in a credential hub."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Get into a Termix account

The attacker first needs a working Termix identity or API-backed session with at least low privileges. That is already a meaningful foothold because Termix is an access broker for downstream infrastructure, not a low-value portal. Tooling is mundane here: stolen credentials, session theft, password spraying against a weak local account, or abuse of an exposed shared user.
Conditions required:
  • Attacker can reach the Termix web interface
  • A valid low-privilege Termix account or session is obtained
  • Termix is actually deployed in the environment
Where this breaks in practice:
  • MFA/OIDC/RBAC can block the easiest paths
  • Many Termix deployments are homelab or niche self-hosted installs, not mass enterprise fleet software
  • Internal-only exposure sharply reduces reachable population
Detection/coverage: Identity telemetry, reverse-proxy logs, and IdP alerts should catch abnormal logins; scanner coverage for this exact CVE is likely poor until a public advisory lands.
STEP 02

Stage a malicious command-bearing object

Because the supplied vector includes UI:R, the exploit likely needs the victim to load, click, import, preview, or execute attacker-controlled content inside the Termix UI. In practice that means weaponizing a filename, archive name, saved host attribute, snippet, tunnel setting, or another field that eventually hits a shell-sensitive code path. The delivery tool is just the browser plus crafted input; no advanced exploit kit required.
Conditions required:
  • The vulnerable feature is enabled and reachable by the attacker's role
  • The attacker can place or influence content another user will open
  • The vulnerable code path is still present in the installed release
Where this breaks in practice:
  • User interaction is mandatory per the vendor vector
  • Role separation may keep low-privilege users away from the affected workflow
  • Modern UIs often validate or normalize dangerous characters before server-side handling
Detection/coverage: Very little signature coverage for an unpublished/uncorroborated CVE. Web logs may still show suspicious metacharacters, odd filenames, or anomalous POST bodies.
STEP 03

Trigger command injection in the backend workflow

Once the victim performs the needed action, the payload is interpreted by a shell-sensitive backend operation and executes with the privileges of the Termix service or a spawned helper context. In Termix, that matters because the product already brokers SSH, tunnels, file operations, and potentially saved credentials to downstream hosts. The likely weapon is the application's own backend command execution path, not a memory-corruption chain.
Conditions required:
  • Victim performs the required UI action
  • Server-side code passes attacker-controlled data into a command context
  • No compensating input validation or escaping blocks the payload
Where this breaks in practice:
  • Service-account privileges on the Termix host may be constrained
  • Containerization can limit host-level blast radius
  • The bug may execute only in a narrow feature path instead of every request
Detection/coverage: EDR on the Termix host can catch unusual child processes from node, npm, bash, sh, or helper binaries. Without host telemetry, web-only detection is weak.
STEP 04

Pivot from Termix into managed infrastructure

The real risk is not the first command; it is what sits behind Termix. If the service can reach many SSH targets, has cached secrets, or exposes shared admin workflows, a successful injection can become credential theft, session hijack, or command execution against downstream servers. This is the main amplifier keeping the finding out of LOW.
Conditions required:
  • Termix stores credentials or can broker sessions to valuable hosts
  • The compromised account or service has access to shared infrastructure objects
  • Network paths from Termix to managed systems are open
Where this breaks in practice:
  • RBAC and per-user isolation can limit downstream reach
  • Some deployments use keys without broad reuse or require additional host verification
  • Lateral movement still depends on what Termix was configured to manage
Detection/coverage: Watch for abnormal SSH launches, new host access patterns, mass file operations, or tunnel creation from the Termix node. Existing EDR/NDR should have decent coverage once activity leaves the web tier.
03 · Intelligence Metadata

The supporting signals.

Public record statusI could not corroborate a public NVD/CVE/GHSA record for CVE-2026-45750 in accessible sources as of 2026-06-05. This assessment therefore leans on your supplied metadata plus Termix product architecture and adjacent published advisories.
In-the-wild statusNo public evidence found in the sources reviewed. CISA KEV does not list this ID.
Proof-of-concept availabilityNo public PoC found for this exact ID in the reviewed sources. That is a meaningful downgrade from vendor panic mode.
EPSS0.00038 from your intel block; that is extremely low and consistent with weak public exploit momentum.
KEV statusNot KEV-listed per your intel block and corroborated against the authoritative KEV catalog.
CVSS vectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H from your intel block. Translation: remote, easy path once inside, but still authenticated and user-assisted.
Affected versionsUnknown publicly for this exact CVE as of 2026-06-05. No authoritative affected range was located in accessible advisory sources.
Fixed versionUnknown publicly for this exact CVE as of 2026-06-05. No authoritative patched build was located in accessible advisory sources.
Exposure realityTermix is a self-hosted admin plane for SSH/RDP/VNC/tunnels and file management, so exposure is deployment-driven, not universal SaaS scale. Public internet reach is likely far smaller than mainstream enterprise perimeter software, which pushes severity down.
Adjacent published signalA nearby, publicly confirmed Termix command-injection issue exists in CVE-2026-42453, fixed in 2.1.0. I am not claiming the IDs are the same; I am using it only as context that command-execution bugs in Termix tend to land in feature-specific workflows rather than universal pre-auth exposure.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.9/10)

The decisive factor is attack-path friction: the vendor vector itself says this requires authenticated remote access plus user interaction, which makes it a post-initial-access bug in a narrow workflow rather than an internet-scale wormable event. The impact can be severe inside a live Termix deployment, but the reachable population and exploit chain are both materially smaller than a true CRITICAL should imply.

HIGH The vendor's **CRITICAL 9.0** is too high for a **PR:L + UI:R** attack path
MEDIUM Overall severity bucket **MEDIUM** given product role and downstream blast radius
LOW Exact vulnerable versions and fixed release for **CVE-2026-45750** because no public record was corroborated

Why this verdict

  • Downgrade for attacker position: PR:L means the attacker already has a foothold inside Termix. That is post-initial-access, not perimeter break-in.
  • Downgrade for user interaction: UI:R compounds the friction. Someone has to open, click, import, preview, or otherwise trigger the bad path.
  • Downgrade for exposure population: Termix is self-hosted niche admin software, not a ubiquitous internet-facing enterprise stack. The real-world reachable base is narrower.
  • Hold at MEDIUM for blast radius: Termix is a credential-rich broker to downstream hosts. If the chain lands, the impact can jump beyond the web app into SSH-managed infrastructure.
  • Downgrade for threat-intel silence: no KEV listing, no public exploitation evidence, no public PoC found, and the supplied EPSS is extremely low.

Why not higher?

I am not taking this to HIGH or CRITICAL because the chain appears to require both an existing authenticated position and a victim action. That is exactly the kind of compounded friction that breaks mass exploitation economics. Also, I could not corroborate public exploit material or an authoritative advisory for this exact ID.

Why not lower?

I am not dropping this to LOW because Termix is not just another dashboard; it is an access concentrator for SSH sessions, tunnels, and possibly stored credentials. A command-injection flaw inside that control plane can punch far above its initial foothold once triggered. Even with path friction, the downstream blast radius is real.

05 · Compensating Control

What to do — in priority order.

  1. Restrict Termix to trusted networks — Put the web UI behind VPN, bastion access, or an identity-aware proxy and remove broad internet exposure where possible. For a MEDIUM verdict there is no mitigation SLA, but this is the best immediate risk reducer while you validate whether your deployment is affected and should still be completed within your normal hardening cycle.
  2. Tighten RBAC and shared-object access — Reduce who can create or modify hosts, snippets, tunnels, file operations, and import/export workflows. This directly attacks the PR:L prerequisite by making low-privilege accounts materially less useful; for MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window, but apply this sooner if Termix is broadly shared.
  3. Force SSO plus MFA for all human access — Move local accounts to IdP-backed auth where possible and require MFA on every administrative user. This helps prevent the initial authenticated foothold that the exploit path appears to require.
  4. Watch the Termix host like a jump box — Put EDR and process telemetry on the Termix server or container host, and alert on unusual child processes from the app runtime, mass SSH activity, or unexpected shell invocations. This is how you catch the post-trigger phase when web-layer detection is weak.
  5. Segment Termix from crown-jewel servers — Review which downstream hosts Termix can actually reach and trim network paths and stored credentials to the minimum set required. That limits the blast radius if the command execution lands.
What doesn't work
  • A generic perimeter WAF is not a dependable answer here, because the bug appears to sit behind authentication and likely inside a feature-specific workflow.
  • Simple version-based scanner signatures will not help much until an authoritative public advisory and affected ranges exist for this exact ID.
  • Relying on 'it's only a low-privilege user' is false comfort; in a control plane like Termix, low privilege can still be enough to stage payloads for higher-value users.
06 · Verification

Crowdsourced verification payload.

Run this on the Termix server or Docker host, not from an auditor workstation. Invoke it as bash termix_cve_2026_45750_check.sh with normal shell access; sudo is only needed if Docker requires elevation. Because no authoritative public affected/fixed version range for CVE-2026-45750 was corroborated, the script is intentionally conservative and will output UNKNOWN unless Termix is absent.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# termix_cve_2026_45750_check.sh
# Purpose: discover whether Termix is present and collect version context for CVE-2026-45750.
# Limitation: no authoritative public affected/fixed version range was corroborated as of 2026-06-05.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0 PATCHED, 1 VULNERABLE, 2 UNKNOWN

set -u

found=0
version=""
source_hint=""

have_cmd() {
  command -v "$1" >/dev/null 2>&1
}

# Try Docker container metadata first
if have_cmd docker; then
  if docker ps --format '{{.Image}} {{.Names}}' 2>/dev/null | grep -qi 'termix'; then
    found=1
    source_hint="docker-running"
    # Best-effort image tag extraction
    version=$(docker ps --format '{{.Image}}' 2>/dev/null | grep -i 'termix' | head -n1 | sed 's/.*://')
  elif docker ps -a --format '{{.Image}} {{.Names}}' 2>/dev/null | grep -qi 'termix'; then
    found=1
    source_hint="docker-stopped"
    version=$(docker ps -a --format '{{.Image}}' 2>/dev/null | grep -i 'termix' | head -n1 | sed 's/.*://')
  fi
fi

# Try common install paths if Docker did not reveal anything
if [ "$found" -eq 0 ]; then
  for f in \
    /app/package.json \
    /opt/termix/package.json \
    /usr/local/share/termix/package.json \
    /var/lib/docker/volumes/termix-data/_data/package.json
  do
    if [ -f "$f" ]; then
      found=1
      source_hint="$f"
      version=$(grep -E '"version"' "$f" 2>/dev/null | head -n1 | sed -E 's/.*"version"[[:space:]]*:[[:space:]]*"([^"]+)".*/\1/')
      break
    fi
  done
fi

# Fallback: look for running process hints
if [ "$found" -eq 0 ] && have_cmd ps; then
  if ps aux 2>/dev/null | grep -i '[t]ermix' >/dev/null 2>&1; then
    found=1
    source_hint="process-scan"
  fi
fi

if [ "$found" -eq 0 ]; then
  echo "PATCHED"
  exit 0
fi

# No authoritative public fixed version for the exact CVE => conservative result.
# We intentionally do not guess vulnerability state from version strings.
printf 'UNKNOWN\n' >&1
{
  echo "detail: Termix detected"
  echo "source: ${source_hint:-unknown}"
  echo "version: ${version:-unknown}"
  echo "note: No corroborated public affected/fixed version range for CVE-2026-45750 as of 2026-06-05."
} >&2
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, treat this as a credential-hub bug with real blast radius but meaningful exploitation friction. Start by inventorying every Termix deployment, confirming whether any are internet-reachable, and trimming access with SSO/MFA/RBAC and network restriction where exposure is broader than intended. Because this lands at MEDIUM, there is noisgate mitigation SLA here — no mitigation SLA — go straight to the 365-day remediation window — but if the vendor publishes a confirmed fixed release for CVE-2026-45750, move those instances into your noisgate remediation SLA of ≤365 days; if you independently confirm public exploitation or KEV status later, reclassify and act immediately within hours.

Sources

  1. Termix repository
  2. Termix product site
  3. Termix releases
  4. NVD: CVE-2026-42453 (adjacent public Termix command injection)
  5. GitHub advisory: Termix Docker auth bypass CVE-2025-59951
  6. CISA Known Exploited Vulnerabilities Catalog
  7. Termix organization overview
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.