External risk intelligence

Hermes WebUI Unauthenticated Remote Code Execution via Terminal API

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-58123

The vulnerability exists in a WebUI component that exposes an unauthenticated terminal API endpoint. As a web-based management interface designed for remote access, such endpoints are typically exposed to the network to provide administrative functionality, making them highly likely to be internet-facing in standard deployments.

Missing Authentication

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical vulnerability in the Hermes WebUI, specifically related to its embedded terminal API. An unauthenticated remote code execution flaw allows attackers to run arbitrary commands as the server process user by chaining four unauthenticated HTTP requests. The main concern is confirming relevance and exposure.

  • Unauthenticated attackers can run commands remotely.
  • Matters because WebUI is designed for remote access.
  • Confirm relevance and exposure to affected systems.

Attack Path

How an attacker could exploit the issue

An attacker can remotely execute commands on the server by exploiting flaws in the Hermes WebUI's terminal API. This attack begins with an unauthenticated threat actor sending a series of HTTP requests to access the embedded terminal. By creating a session and writing commands through the terminal's input, the attacker can gain full control of the server, operating with the same privileges as the server process.

  • Requires no authentication to access.
  • Unauthenticated terminal API endpoints.
  • Full remote command execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow unauthenticated attackers to execute arbitrary shell commands on the server. By chaining four unauthenticated HTTP requests, an attacker can create a terminal session, attach a PTY shell, and send commands through the input endpoint. This could lead to full command execution as the user running the server process.

  • Server process commands.
  • Unauthenticated terminal API access.
  • Full command execution as server user.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Hermes WebUI's unauthenticated remote code execution vulnerability likely falls under the purview of platform or infrastructure teams responsible for managing the application's hosting environment, potentially in coordination with application owners if the WebUI is a distinct application. The first practical step is to identify all instances of the Hermes WebUI, determine their network exposure, and ascertain if they are business-critical.

  • Platform/Infrastructure teams own remediation.
  • Verify network exposure and critical assets.
  • Plan remediation based on risk assessment.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Hermes WebUI?

Hermes WebUI is a management interface used to oversee and interact with server-side processes through a browser. It provides administrative functionality, such as terminal access, allowing users to perform system tasks remotely. It is often integrated into infrastructure environments to simplify the management of applications and services.

How does CVE-2026-58123 enable command execution?

This vulnerability is classified as CWE-306, which refers to Missing Authentication for Critical Function. In this case, the application's terminal API endpoints fail to verify if a user is authorized. By sending four specific, unauthenticated HTTP requests, an attacker can create a terminal session, attach a pseudo-terminal (PTY) shell, and execute arbitrary system commands with the privileges of the web server process.

What triggers this vulnerability in Hermes WebUI?

The flaw is triggered by sending a specific sequence of four unauthenticated HTTP requests to the embedded terminal API. It does not require any prior user session or credentials. Importantly, the vulnerability is not triggered by standard web navigation; it specifically requires interactions with the terminal API endpoints designed for shell access.

Why is this a risk for my network?

According to Halo Surface Signal, this vulnerability is very likely to be a concern because the affected component is a management interface. Because these tools are designed for remote administration, they are frequently deployed in ways that make them accessible over a network. If your instance is internet-facing, it is reachable by external actors without any authentication requirements.

How should I respond to this Hermes WebUI advisory?

Begin by creating an inventory of all systems running Hermes WebUI within your environment. Once identified, evaluate the network placement of these instances to determine if they are exposed to untrusted networks. Prioritize securing or isolating any instances that are reachable remotely while coordinating with your infrastructure teams to apply updates that resolve the unauthenticated access flaw.

References