Before version 2.1.0, Termix issued a temporary JWT named temp_token for TOTP‑enabled accounts during login. The token, marked as pendingTOTP, was intended only for the second‑factor flow, but the authentication middleware accepted it on ordinary authenticated endpoints. As a result, attackers who had knowledge of a user’s password could obtain the temp_token and use it to access any system functionality, effectively disabling two‑factor authentication and allowing unauthorized actions. The flaw is characterized by CWE‑304, which involves the improper use of mutable tokens across privileged contexts.

The vulnerability applies to the Termix web‑based server management platform, specifically all releases older than 2.1.0. The affected product is Termix, provided by Termix‑SSH, and it includes the SSH terminal, tunneling, and file editing features that are now accessible with the compromised token.

The CVSS score of 8.1 indicates a high severity exploit. No EPSS score is available, so the exact likelihood of exploitation cannot be quantified, but the lack of a KEV listing suggests the vulnerability is not yet known to be actively exploited in the wild. The attack vector would require an attacker to first authenticate with a valid username and password, then capture the temporary token from the login process or from an existing session cookie. Given the token’s broader acceptance, the exploitation could grant a wide range of actions without further privilege escalation, compromising confidentiality and integrity across the affected system.