Vypr Intelligence · AI-generated · May 31, 2026 · 3 CVEs

Electerm: Three Critical and Medium CVEs Disclosed — Weak Crypto and RCE via Imported Bookmarks

Three vulnerabilities in the open-source terminal client Electerm were disclosed together on May 28, 2026, including a critical RCE via imported bookmarks and a weak-crypto flaw that leaks synced credentials.

Key findings

  • CVE-2026-45058: Critical RCE via imported bookmark JSON or compromised sync targets
  • CVE-2026-45787: Weak deterministic AES-192-CBC with fixed zero IV and no MAC leaks synced credentials
  • CVE-2026-45353: Critical, otherwise unspecified flaw affecting versions 3.0.6 through 3.8.8
  • All three CVEs fixed in Electerm 3.9.5 (CVE-2026-45353 fixed in 3.9.0)
  • No workaround for the RCE — users must upgrade or avoid untrusted bookmark imports

Three security vulnerabilities in Electerm, the popular open-source terminal/SSH/SFTP/RDP/VNC client, were disclosed together on May 28, 2026. The batch includes two Critical-severity flaws and one Medium-severity cryptographic weakness, all affecting versions prior to the 3.9.x line. Electerm is widely used by developers and system administrators for managing remote connections, and the disclosed bugs put both local machine integrity and synced credential data at risk.

**Critical RCE via imported bookmarks (CVE-2026-45058)**

The most severe of the three, CVE-2026-45058 (Critical), allows persistent local-pty code execution through maliciously crafted imported bookmarks or compromised sync targets. In Electerm 3.8.8 and earlier, users who import bookmark JSON files or who have Electerm sync configured (via GitHub Gist or WebDAV) are vulnerable. An attacker who controls a sync target or tricks a user into importing a booby-trapped bookmark file can execute arbitrary commands on the victim's machine. Because the bookmark data is processed without sufficient sanitization, the payload persists across sessions, making this a particularly dangerous supply-chain-style attack vector.

**Weak deterministic encryption in sync data (CVE-2026-45787)**

CVE-2026-45787 (Medium) describes a fundamental cryptographic flaw in how Electerm protects synced bookmark and profile data. Prior to version 3.9.5, the application uses AES-192-CBC in deterministic mode with a fixed zero initialization vector (IV), a constant KDF salt, and no message authentication code (MAC). This combination means that an attacker who gains access to a user's synced data store (e.g., a compromised Gist or WebDAV endpoint) can crack common passwords offline and recover all stored credentials. Because the IV and salt are static across all installations, the same password and plaintext produce identical ciphertext on every install, enabling cross-install correlation and significantly accelerating brute-force attacks; and because there is no MAC, modified sync data decrypts without any integrity error.

**Unspecified critical flaw (CVE-2026-45353)**

CVE-2026-45353 (Critical) affects Electerm versions from 3.0.6 through 3.8.8. The description in the disclosure is minimal, but the severity rating of Critical and the fact that it was fixed in version 3.9.0 indicate a serious vulnerability. Users running any version in that range should treat this as an urgent upgrade target.

Patch status and affected versions

The Electerm project has responded with two patch releases. CVE-2026-45353 was fixed in Electerm 3.9.0. The remaining two vulnerabilities — CVE-2026-45058 (the RCE via bookmarks) and CVE-2026-45787 (the weak crypto) — are addressed in Electerm 3.9.5. Users are strongly advised to upgrade to at least 3.9.5 to cover all three CVEs. There are no known workarounds for the RCE flaw other than avoiding the import of untrusted bookmark files and disabling sync with untrusted endpoints.

Why this matters

Electerm occupies a sensitive position in the software supply chain: it manages credentials and remote connections for technical users. The combination of a cryptographic weakness that leaks synced secrets and a code-execution vector via bookmark import means that a single compromised sync target (such as a public Gist) could cascade into full host compromise. Users who rely on Electerm's sync feature should treat this batch as a high-priority update event and verify that their sync data is not already exposed.