CVE-2026-45787

Summary

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to 3.9.5, deterministic AES-192-CBC with a fixed zero IV, constant KDF salt, and no MAC leads to confidentiality and integrity failures for synced bookmark/profile data. Attackers can crack common passwords across installs and perform undetected ciphertext bit-flips to alter config/bookmarks. This vulnerability is fixed in 3.9.5.

Affected Software

VendorProductVersion RangeStatus
electermelecterm< 3.9.5affected

Weaknesses

  • CWE-326: CWE-326: Inadequate Encryption Strength
  • CWE-329: CWE-329: Generation of Predictable IV with CBC Mode
  • CWE-353: CWE-353: Missing Support for Integrity Check
  • CWE-759: CWE-759: Use of a One-Way Hash without a Salt
  • CWE-916: CWE-916: Use of Password Hash With Insufficient Computational Effort

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References