cbcvebase.
CVE-2026-45749
published 2026-06-05

CVE-2026-45749: Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /users/totp/disable` and `POST…

PriorityP359high8.1CVSS 3.1
AVNACLPRLUINSUCHIHAN
EPSS
0.32%
24.2th percentile
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /users/totp/disable` and `POST /users/totp/backup-codes` endpoints in Termix prior to version 2.3.2 accept the account password as a sole authentication factor for MFA-critical operations. An attacker who obtains a user's password (phishing, credential stuffing, the passwordHash leak in GHSA-xxxx) can disable TOTP entirely or regenerate backup codes, without ever possessing the TOTP device or knowing a valid TOTP code. This renders two-factor authentication ineffective. Version 2.3.2 patches the issue.

Affected

2 ranges
VendorProductVersion rangeFixed in
termix-sshtermix< 2.3.22.3.2
termixtermix>= 2.1.0 < 2.3.22.3.2
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.