Written by Anthony Carballo
on October 11, 2019


Researchers at Radically Open Security (ROS) have discovered a critical Remote Code Execution (RCE) vulnerability that has existed for over 7 years on the iTerm2 macOS terminal emulator app.

iTerm2 is a free and open-source terminal emulator for Mac that offers multiple windows in independent sessions, a robust search tool coupled with handy auto-complete commands, and some other cool features.

The RCE flaw is tracked as CVE-2019-9535. It was discovered during an independent security audit funded by the Mozilla Open Source Support Program (MOSS). No official score has been published yet, so we calculated one ourselves with the NIST CVSS calculator. Exploiting this vulnerability is not very complicated, but it requires some degree of user interaction or trickery; it can be triggered through commands that are generally considered benign, and the potential impact if exploited is a serious concern. Based on our calculation, we classify this vulnerability as High severity under the industry-standard Common Vulnerability Scoring System (CVSS), since the impact would be high if exploited.



This vulnerability, caused by an integration error with tmux's control mode, may allow an attacker to execute arbitrary commands on the victim's computer by sending specially crafted output to the terminal.

It could be exploited using command-line utilities that print attacker-controlled content. Potential attack vectors include connecting via SSH to a malicious server, using curl to get a malicious website, or using tail -f to follow a log file containing some malicious content.

You can watch a PoC (Proof of Concept) made by the Mozilla Open Source Support Program (MOSS).



This vulnerability is tracked under: CVE-2019-9535

CVSS Overall Score: 8.5 (High)




iTerm2 is a popular tool for macOS users and is frequently used by developers. MOSS chose iTerm2 for a security audit because it processes untrusted data and is widely used, including by high-risk targets like developers and system administrators.

During the audit, in which ROS collaborated, it was identified that this vulnerability in the tmux integration has existed for at least 7 years. An attacker who can produce output to the terminal can, in many cases, execute commands on the user's computer.

Fortunately, iTerm2 fixed the issue and released a patched version of the tool before this news was published; you can follow the recommendations below.



An update to iTerm2 is now available with a mitigation for this issue. While iTerm2 will eventually prompt you to update automatically, we recommend updating proactively by opening the iTerm2 menu and choosing "Check for update". The fix is available in version 3.3.6. You can also find excellent tips here if you use tmux.
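As an added example (this script is not part of the original post and is not iTerm2 project code), here is a small POSIX shell script that reads the installed iTerm2 version from the app bundle's Info.plist (assumed to live at the standard /Applications/iTerm.app path) and compares it against 3.3.6, the first version that carries the fix for CVE-2019-9535. It also includes a small helper, show_untrusted, for the attack vectors listed above (SSH to an untrusted host, curl, tail -f on a log): it pipes untrusted output through cat -v so that escape sequences are displayed visibly instead of being interpreted by the terminal. The function names and the XML plist-parsing fallback are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: check the installed iTerm2 version
# against the release that fixes CVE-2019-9535, and view untrusted output safely.

FIXED_VERSION="3.3.6"
# Assumption: standard iTerm2 install location on macOS.
ITERM_PLIST_DEFAULT="/Applications/iTerm.app/Contents/Info.plist"

# version_lt A B: exit 0 if dotted version A is strictly lower than B.
# Components are compared numerically, so 3.3.10 is newer than 3.3.6.
# Trailing non-version text such as "beta1" is ignored.
version_lt() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x:-0};  y=${y:-0}          # missing component counts as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 1                           # versions are equal
}

# installed_iterm_version [plist]: print CFBundleShortVersionString.
# Uses PlistBuddy on macOS (handles binary plists); otherwise falls back to a
# sed parse that assumes an XML plist with key and value on adjacent lines.
installed_iterm_version() {
    plist="${1:-$ITERM_PLIST_DEFAULT}"
    [ -r "$plist" ] || return 1
    if [ -x /usr/libexec/PlistBuddy ]; then
        /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist"
    else
        sed -n '/CFBundleShortVersionString/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$plist"
    fi
}

# check_iterm2 [plist]: exit 0 if fixed, 1 if vulnerable, 2 if not found.
check_iterm2() {
    v=$(installed_iterm_version "${1:-}") || v=""
    [ -n "$v" ] || { echo "iTerm2 not found at ${1:-$ITERM_PLIST_DEFAULT}"; return 2; }
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "iTerm2 $v is older than $FIXED_VERSION: affected by CVE-2019-9535, update via iTerm2 > Check for update"
        return 1
    fi
    echo "iTerm2 $v includes the CVE-2019-9535 fix"
    return 0
}

# show_untrusted: filter for output you do not control (remote shells, curl,
# tail -f on a shared log). cat -v renders control bytes visibly, e.g. ESC
# becomes "^[", so the terminal never interprets embedded sequences.
show_untrusted() {
    LC_ALL=C cat -v
}

# Usage: sh check_iterm2.sh check [path/to/Info.plist]
case "${1:-}" in
    check) check_iterm2 "${2:-}" ;;
esac
```

Run it on a Mac with `sh check_iterm2.sh check`; the exit status is 0 when the installed version is 3.3.6 or later, 1 when it is older, and 2 when the bundle cannot be found. For a log you do not trust, `tail -f suspicious.log | show_untrusted` keeps the text readable while making any control sequences inert. Note that cat -v also renders non-ASCII bytes in M- notation, so it trades UTF-8 readability for safety.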

