CVE-2026-58123 in hermes-webuiinfo

Summary

by MITRE • 07/10/2026

Hermes WebUI before 0.51.788 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary shell commands by accessing the embedded terminal API endpoints without credentials. Attackers can create a session, attach a PTY shell, and write arbitrary commands through the terminal input endpoint to achieve full command execution as the server process user via four sequential unauthenticated HTTP requests.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/10/2026

This vulnerability represents a critical security flaw in the Hermes WebUI software affecting versions prior to 051.788 where an unauthenticated remote code execution vulnerability exists due to insufficient authentication controls on embedded terminal API endpoints. The flaw allows attackers to execute arbitrary shell commands without providing any credentials, creating a severe exposure that can be exploited through a series of four sequential HTTP requests.

The technical implementation of this vulnerability leverages the absence of proper authentication mechanisms on terminal API endpoints that are designed for legitimate administrative access. Attackers can initiate a session through an initial request, followed by establishing a PTY shell attachment, and then proceed to send arbitrary commands through the terminal input endpoint. This multi-step process demonstrates how the system's security controls fail at multiple layers, allowing unauthorized users to escalate privileges beyond what should be permitted for basic web interface access.

The operational impact of this vulnerability is extensive as it provides attackers with full command execution capabilities as the server process user, meaning they can potentially access, modify, or delete system files, install malicious software, create new user accounts, and compromise the entire underlying infrastructure. The unauthenticated nature of the exploit means that any remote attacker with knowledge of the vulnerable endpoints can immediately gain system-level privileges without requiring prior access credentials or exploitation of other vulnerabilities.

This vulnerability aligns with CWE-862 which defines insufficient authorization as a weakness where a system fails to properly verify that an actor is authorized to perform a requested operation. Additionally, the attack vector follows ATT&CK technique T1059 for command and scripting interpreter, specifically focusing on the execution of shell commands through legitimate system interfaces. The vulnerability also maps to CWE-287 which addresses improper authentication issues in software systems where authentication mechanisms are bypassed or inadequately implemented.

Organizations should immediately implement mitigations including updating to Hermes WebUI version 0.51.788 or later, implementing network segmentation to restrict access to the affected API endpoints, and applying proper authentication controls for all terminal interfaces. Security monitoring should be enhanced to detect unusual patterns of terminal API access attempts, and administrative accounts should have their privileges restricted to only necessary functionality while ensuring strong authentication mechanisms are enforced across all system interfaces.

The vulnerability demonstrates a fundamental flaw in the software's security architecture where terminal access controls are not properly enforced at the application layer, creating a dangerous pathway for attackers to gain unauthorized system access. This represents a significant risk to organizations relying on Hermes WebUI for their operational infrastructure, as it essentially provides a backdoor mechanism that bypasses all normal access control measures and allows complete system compromise through simple HTTP request sequences.

Responsible

VulnCheck

Reservation

06/29/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!