Impact
emp3r0r permits an attacker who can insert untrusted agent metadata, such as Transport or Hostname, during a check‑in operation to inject arbitrary shell commands into tmux session startup strings. The vulnerable code concatenates the metadata into a shell command executed via /bin/sh -c, providing a classic command injection path that ultimately yields remote code execution on the operator's Linux host. This vulnerability can compromise confidentiality, integrity, and availability of the operator's systems, and is rooted in CWE‑77 and CWE‑78.
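To make the injection path concrete for defenders reviewing similar code, the following Go program is an added illustration and not emp3r0r's own source: it contrasts the vulnerable pattern the advisory describes (agent metadata concatenated into a string later run via /bin/sh -c) with a hardened builder that validates each metadata field and passes an argument vector to exec.Command so no shell ever parses the values. The AgentMeta type, the field names, the character allow-list and the sample metadata are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
)

// AgentMeta is a hypothetical stand-in for the metadata an agent reports at
// check-in. Field names are illustrative and are not emp3r0r's actual types.
type AgentMeta struct {
	Hostname  string
	Transport string
}

// unsafeTmuxShellString reproduces the vulnerable pattern described in the
// advisory: untrusted metadata is concatenated into a single command string
// that is later handed to /bin/sh -c. Any character the shell treats specially
// in Hostname or Transport becomes part of the command. Shown for contrast only.
func unsafeTmuxShellString(m AgentMeta) string {
	return fmt.Sprintf("tmux new-window -n %s-%s", m.Hostname, m.Transport)
}

// safeField is an assumed allow-list: tmux window names never need shell
// metacharacters, so restricting to this set loses no legitimate input.
var safeField = regexp.MustCompile(`^[A-Za-z0-9._-]{1,64}$`)

// validateMetaField rejects any value outside the allow-list or over 64 bytes.
func validateMetaField(field, v string) error {
	if !safeField.MatchString(v) {
		return fmt.Errorf("%s %q rejected: must match [A-Za-z0-9._-]{1,64}", field, v)
	}
	return nil
}

// safeTmuxArgv builds an argument vector instead of a shell string. Because
// exec.Command passes argv straight to execve, a ';' or '$(...)' in the
// metadata can only ever be (part of) a window name, never a command.
func safeTmuxArgv(m AgentMeta) ([]string, error) {
	if err := validateMetaField("hostname", m.Hostname); err != nil {
		return nil, err
	}
	if err := validateMetaField("transport", m.Transport); err != nil {
		return nil, err
	}
	return []string{"tmux", "new-window", "-n", m.Hostname + "-" + m.Transport}, nil
}

// launch executes the validated argv directly (never via /bin/sh -c).
func launch(m AgentMeta) error {
	argv, err := safeTmuxArgv(m)
	if err != nil {
		return err
	}
	return exec.Command(argv[0], argv[1:]...).Run()
}

func main() {
	// Constructed sample metadata: one benign agent and one whose hostname
	// carries shell syntax (an illustrative value, not a real observed payload).
	benign := AgentMeta{Hostname: "web01", Transport: "https"}
	tainted := AgentMeta{Hostname: "web01;id", Transport: "https"}

	fmt.Println("unsafe string (benign): ", unsafeTmuxShellString(benign))
	fmt.Println("unsafe string (tainted):", unsafeTmuxShellString(tainted))

	for _, m := range []AgentMeta{benign, tainted} {
		argv, err := safeTmuxArgv(m)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("argv: %q\n", argv)
	}
}
```

The two defences are independent: the allow-list stops hostile values at the trust boundary, and the argv form removes the shell from the execution path altogether, so even a value that slips past validation cannot change which program runs. Code review for this bug class should flag any exec.Command("/bin/sh", "-c", ...) or equivalent whose string is built from data an agent controls.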
Affected Systems
All releases of the emp3r0r command‑and‑control client from the jm33‑m0 project prior to version 3.21.1 are affected. Versions 3.21.1 and newer include the fix that sanitizes or removes untrusted metadata before it is used in tmux command strings. The affected product is the emp3r0r agent for Linux environments.
Risk and Exploitability
The CVSS v3 score of 9.3 indicates a high severity vulnerability, while the EPSS score of less than 1% suggests that exploitation is rare at present. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, indicating no documented exploitation yet. Exploitation requires an attacker to control or influence the metadata sent by an agent during check‑in, which is typically possible if they control an already compromised host running the agent or can supply a custom agent. If successful, the injection occurs through the operator's tmux session, allowing the attacker to execute arbitrary commands on the operator's host. Users of older emp3r0r versions should treat this as a high‑risk exposure, especially in environments where operators rely on tmux for session management.
OpenCVE Enrichment