CVE-2026-45749
HighCVSS 8.1Summary
Termix is a server management platform that prior to version 2.3.2 accepted the account password as the sole authentication factor for MFA-critical operations. An attacker who obtains a user's password can completely disable TOTP or regenerate backup codes, rendering two-factor authentication ineffective.
Risk Assessment
The organization is at risk of account takeover, which can lead to unauthorized access to sensitive data and systems. The loss of effectiveness of two-factor authentication increases the risk of phishing attacks and identity theft.
Recommendation
It is recommended to update Termix to version 2.3.2 or later to mitigate this vulnerability. Additionally, implementing further protective measures such as login monitoring and user education on password security is advisable.
Original NVD description (English source)
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /users/totp/disable` and `POST /users/totp/backup-codes` endpoints in Termix prior to version 2.3.2 accept the account password as a sole authentication factor for MFA-critical operations. An attacker who obtains a user's password (phishing, credential stuffing, the passwordHash leak in GHSA-xxxx) can disable TOTP entirely or regenerate backup codes, without ever possessing the TOTP device or knowing a valid TOTP code. This renders two-factor authentication ineffective. Version 2.3.2 patches the issue.

