CVE-2024-57061
Published: 19 March 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2024-57061 is a code injection vulnerability (CWE-94) affecting Termius versions 9.9.0 through 9.16.0, stemming from an insecure Electron Fuses configuration. This flaw enables arbitrary code execution within the Termius application, which is built using the Electron framework. The vulnerability received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its critical severity due to high confidentiality, integrity, and availability impacts.
A physically proximate attacker can exploit this vulnerability to execute arbitrary code on the target system running the affected Termius versions. Despite the CVSS vector indicating network accessibility without privileges or user interaction, the core issue requires physical proximity to leverage the misconfigured Electron Fuses for injection.
References detail exploitation techniques for Electron applications on macOS, a limited disclosure on the insufficient fuses in Termius, and official Electron documentation on implementing fuses for mitigation. These resources emphasize securing Electron Fuses configuration to prevent such code injection attacks, though no specific patches from Termius are referenced.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The code injection vulnerability in the Termius Electron client application directly enables arbitrary code execution on the target system, mapping to exploitation for client execution.