Termix, a web-based server management platform, contains a missing ownership check for its file‑manager endpoints. An authenticated user can supply any session identifier (sessionId) and the system will accept it without verifying that the session belongs to that user. This flaw allows the attacker to read, write, delete, download, and execute files on the host machine connected via SSH, effectively giving the attacker the ability to run arbitrary code on the victim’s system. The underlying weakness is an Insecure Direct Object Reference (CWE‑639).

The vulnerability affects all instances of Termix up to, but not including, version 2.3.2. Users of Termix provided by Termix‑SSH are at risk if they have not upgraded beyond 2.3.2, as earlier releases expose all 16 file‑manager endpoints without session ownership validation.

The CVSS score of 8.1 ranks this issue as high severity. An attacker who is authenticated and who learns or guesses another user’s sessionId can exploit the flaw with little or no additional prerequisites. Because the EPSS score is not available, the precise exploitation probability is unclear, but the flaw is not listed in the CISA KEV catalog, indicating that no publicly known exploitation campaigns have been documented yet. In practice, the simplest attack path requires only knowledge of a sessionId, making the exploit likely for attackers who can target a single user or a group of users within the same Termix instance.