
[CVE-2024-57061] Termius — Insufficient Electron Fuses Configuration (Public Disclosure)

Mar 18, 2025

Introduction

Improper Control of Generation of Code ('Code Injection') in the Electron Fuses configuration of Termius versions 9.9.0–9.17.1 on macOS allows attackers to execute arbitrary code via the insecure Electron Fuses configuration.

Description of Vulnerability

  1. Title: Termius — Insufficient Electron Fuses Configuration
  2. Product: Termius
  3. Version: 9.9.0–9.17.1 (latest version as of 1 April 2025)
  4. CVE Assigned: CVE-2024-57061
  5. Fixing Patch: No fixing patch at the time of writing.
  6. Homepage: https://termius.com/

Testing Environment

OS: macOS 15.1.1 (24B91)

Tested Version: Termius Version 9.9.0 (9.9.0) and 9.17.1 (9.17.1)

Researcher

Kusol Watchara-Apanukorn

Proof of Concept

  1. Found the misconfiguration that could lead to code injection.
  2. Injected the malicious code. In this case, I used electroniz3r to help me inject the backdoor code easily.
  3. Code has been injected.
  4. In a real-world scenario, the threat actor will have the same permissions that Termius has (in the example, my Termius has local network access permission).

Timeline (Last updated 01 April 2025)

11 Dec 2024 — Found the vulnerability and reported it to Termius (no response)

16 Dec 2024 — Notified Termius again (no response)

27 Jan 2025 — Notified Termius of the public disclosure deadline (no response)

18 Mar 2025 — Limited disclosure

19 Mar 2025 — CVE status changed from RESERVED to PUBLISHED

1 April 2025 — Full disclosure (no response from Termius)


Written by SHA999

Head of Cyber Security @SECSTRIKE | GPEN | OSCP | eCXD | Python for Pentesters | CRTP
