[CVE-2024-57061] Termius — Insufficient Electron Fuses Configuration (Limited Disclosure)
Introduction
Improper Control of Generation of Code (‘Code Injection’) in Electron Fuses in Termius versions 9.9.0–9.16.0 on macOS allows attackers to execute arbitrary code via an insecure Electron Fuses configuration.
Description of Vulnerability
- Title: Termius — Insufficient Electron Fuses Configuration
- Product: Termius
- Version: 9.9.0–9.16.0 (Latest version on 18 March 2025)
- CVE Assigned: CVE-2024-57061
- Fixing Patch: No fixing patch right now.
- Homepage: https://termius.com/
Testing Environment
OS: macOS 15.1.1 (24B91)
Tested Version: Termius Version 9.9.0 (9.9.0) and 9.16.0 (9.16.0)
Researcher
Kusol Watchara-Apanukorn
Proof of Concept
- Found the misconfiguration that could lead to code injection.

Note: This is just a limited disclosure. If Termius doesn’t ping me back before May 2025, I’ll update this article with the full disclosure.
Timeline (Last updated 20/03/2025)
11 Dec 2024 — Found vulnerability and reported to Termius (no response)
16 Dec 2024 — Notified Termius again (no response)
27 Jan 2025 — Notified Termius of the public disclosure deadline (no response)
18 Mar 2025 — Limited Disclosure
19 Mar 2025 — CVE status changed from RESERVED to PUBLISHED