Unrated severity · NVD Advisory · Published Mar 28, 2023 · Updated Feb 19, 2025

CVE-2022-46387

Description

ConEmu through 220807 and Cmder before 1.3.21 report the title of the terminal, including control characters, which allows an attacker to change the title and then execute it as commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ConEmu and Cmder terminal emulators allow command injection via a crafted terminal title containing control characters.

Vulnerability

ConEmu through version 220807 and Cmder before version 1.3.21 report the terminal title with any control characters it contains left intact. An attacker can set a title containing escape sequences or control characters so that, when the emulator reports the title, its contents are interpreted as commands. The flaw lies in how the terminal emulator handles title updates.

Exploitation

An attacker needs to be able to set the terminal title, for example by sending a crafted escape sequence to the terminal (e.g., via a malicious server or a crafted file). The terminal emulator then reports the title, control characters included, and the reported text is executed as commands. No authentication is required if the attacker can influence the title.

Impact

Successful exploitation allows arbitrary command execution in the context of the user running the terminal. This can lead to full compromise of the user's system, including data theft, installation of malware, or further lateral movement.

Mitigation

Cmder version 1.3.21 (released 2022-12-19) includes an update to ConEmu that mitigates this vulnerability [1]. ConEmu users should upgrade to a version after 220807. No workaround is provided in the references.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

2