electerm RCE (CVE-2026-43943) via Malicious SFTP Filenames
The open-source client electerm, prior to version 3.7.9, is vulnerable to a critical code execution flaw (CVE-2026-43943). The National Vulnerability Database reports that this vulnerability resides in the SFTP “open with system editor” and “Edit with custom editor” features. The core issue is a lack of sanitization when passing filenames directly into command-line arguments.
Attackers can exploit this by crafting a malicious filename containing shell metacharacters. If a user subsequently attempts to edit such a file through electerm, the injected commands execute on their machine with the user’s privileges. This effectively grants the attacker arbitrary code execution, enabling malware installation or lateral movement within the network, according to the National Vulnerability Database. The CVSS score for this vulnerability is 7.8 (High).
This isn’t a theoretical issue; it’s a direct command injection. Attackers controlling an SSH server or a compromised user OS could easily leverage this. The fix is available in electerm version 3.7.9. Defenders need to prioritize patching and understand the implications of trusting file metadata, especially from external or untrusted sources.
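The unsafe pattern described above next to a hardened counterpart, as an added example (not electerm's code and not part of the NVD entry). The function names, the `/tmp/sftp-edit` directory and the sample filename are constructed assumptions; Node itself stands in for the editor so the arguments it receives can be inspected.

```javascript
// Added illustration; names here are hypothetical, not electerm's API.
const { spawnSync } = require('child_process');

// Constructed sample: a filename as an untrusted SFTP server could list it.
const HOSTILE_NAME = 'notes.txt"; echo INJECTED; "';

// BEFORE (vulnerable pattern): filename pasted into a shell command string.
// Returned, not executed: exec() would pass this string to a shell, and sh
// reads it as three commands instead of one editor invocation.
function buildShellCommand(editor, localPath) {
  return `${editor} "${localPath}"`;
}

// Accept only names that can be a plain file inside the local temp directory.
function validateRemoteName(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 255) return false;
  if (name === '.' || name === '..') return false;
  if (/[\/\\\x00-\x1f\x7f]/.test(name)) return false; // separators, control chars
  if (name.startsWith('-')) return false; // would be read as an editor option
  return true;
}

// AFTER: argv array with no shell, so metacharacters reach the editor as data.
function openInEditor(editor, editorArgs, dir, remoteName) {
  if (!validateRemoteName(remoteName)) throw new Error('rejected filename');
  const localPath = `${dir}/${remoteName}`;
  const r = spawnSync(editor, [...editorArgs, localPath], { shell: false, encoding: 'utf8' });
  if (r.error) throw r.error;
  return { status: r.status, stdout: r.stdout };
}

// Stand-in "editor": Node prints the arguments it received as JSON.
function demo() {
  const printArgv = ['-e', 'console.log(JSON.stringify(process.argv.slice(1)))'];
  const out = openInEditor(process.execPath, printArgv, '/tmp/sftp-edit', HOSTILE_NAME);
  return JSON.parse(out.stdout);
}

console.log(buildShellCommand('editor', '/tmp/sftp-edit/' + HOSTILE_NAME));
console.log(demo());
```

The validator deliberately lets quotes and semicolons through: with an argument array they are ordinary filename characters, and the checks only cover what a shell-free launch does not (path traversal, control characters, option-like names).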
What This Means For You
- If your organization uses electerm for SSH/SFTP connections, you are exposed. Immediately verify all electerm installations are updated to version 3.7.9 or later to mitigate CVE-2026-43943. Ensure users are aware of the risks associated with opening files from untrusted SFTP sources, as this vulnerability relies on user interaction.
🛡️ Detection Rules
6 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
Suspicious File Download via Email
```yaml
title: Suspicious File Download via Email
id: scw-2026-05-08-1
status: experimental
level: medium
description: |
  Detects execution of suspicious processes spawned from email clients, potentially triggered by a phishing attachment.
author: SCW Feed Engine (auto-generated)
date: 2026-05-08
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-43943/
tags:
  - attack.execution
  - attack.t1204.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\outlook.exe'
      - '\thunderbird.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  condition: selection
falsepositives:
  - Legitimate activity from CVE-2026-43943
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-43943 | RCE | electerm < 3.7.9 |
| CVE-2026-43943 | RCE | SFTP 'open with system editor' or 'Edit with custom editor' feature |
| CVE-2026-43943 | Code Injection | Unsanitized filename passed to command line with shell metacharacters |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 08, 2026 at 07:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.