Horizon Alert
Summary of the vulnerability and why it matters
This advisory details a critical vulnerability in the Hermes WebUI, specifically related to its embedded terminal API. An unauthenticated remote code execution flaw allows attackers to run arbitrary commands as the server process user by chaining four unauthenticated HTTP requests. The main concern is confirming relevance and exposure.
- Unauthenticated attackers can run commands remotely.
- Matters because WebUI is designed for remote access.
- Confirm relevance and exposure to affected systems.
Attack Path
How an attacker could exploit the issue
An attacker can remotely execute commands on the server by exploiting flaws in the Hermes WebUI's terminal API. This attack begins with an unauthenticated threat actor sending a series of HTTP requests to access the embedded terminal. By creating a session and writing commands through the terminal's input, the attacker can gain full control of the server, operating with the same privileges as the server process.
- Requires no authentication to access.
- Unauthenticated terminal API endpoints.
- Full remote command execution.
Live Threat
Current exploitation, exposure, and threat context
This vulnerability could allow unauthenticated attackers to execute arbitrary shell commands on the server. By chaining four unauthenticated HTTP requests, an attacker can create a terminal session, attach a PTY shell, and send commands through the input endpoint. This could lead to full command execution as the user running the server process.
- Server process commands.
- Unauthenticated terminal API access.
- Full command execution as server user.
Operational Fix
Recommended remediation, mitigation, and detection steps
The Hermes WebUI's unauthenticated remote code execution vulnerability likely falls under the purview of platform or infrastructure teams responsible for managing the application's hosting environment, potentially in coordination with application owners if the WebUI is a distinct application. The first practical step is to identify all instances of the Hermes WebUI, determine their network exposure, and ascertain if they are business-critical.
- Platform/Infrastructure teams own remediation.
- Verify network exposure and critical assets.
- Plan remediation based on risk assessment.