Critical · Public exploit

Authentication bypass in Termix Docker image exposing SSH credentials

Identifiers: CVE-2025-59951 · CWE-284 (Improper Access Control)

CVE-2025-59951 is a critical authentication bypass vulnerability affecting the official Docker image of Termix, a web-based server management platform that provides SSH terminal, tunneling, and file editing capabilities. In Termix 1.5.0 and earlier, when deployed with the official Docker image or built from the official Dockerfile, requests reach the backend through the bundled Nginx reverse proxy, so the backend's use of req.ip yields the reverse proxy's IP rather than the real client IP. This causes the isLocalhost check to always evaluate to true. As a result, the internal endpoint /ssh/db/host/internal, which is intended to be restricted to local callers, can be accessed remotely without login or authentication. The endpoint exposes stored SSH host records, including host addresses, usernames, and passwords.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

A remote unauthenticated attacker can directly access sensitive SSH host inventory and credential material stored by Termix. Exposed data includes addresses, usernames, and passwords for managed SSH hosts. This can enable immediate compromise of downstream systems, unauthorized administrative access, lateral movement, credential reuse attacks, and broader infrastructure exposure. The issue is high severity because it converts an internal-only credential store into remotely accessible data without authentication.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, restrict network access to the Termix instance and specifically block external access to /ssh/db/host/internal at the reverse proxy, ingress, firewall, or WAF layer. Disable or tightly constrain reverse proxy configurations that cause the application to trust the proxy IP as the client IP. Limit exposure of the management interface to trusted administrative networks only. Monitor for requests to /ssh/db/host/internal and treat any historical exposure as potential credential compromise, with corresponding credential rotation and host review.

Remediation

Patch, then assume compromise.

Upgrade Termix to version 1.6.0 or later, where the issue is fixed. Replace affected official Docker images and rebuild any self-built images derived from the vulnerable official Dockerfile. Review and correct reverse-proxy trust and client IP handling so localhost-only logic is not based on the proxy IP. Audit access controls for /ssh/db/host/internal and verify it is no longer reachable without authentication. Because SSH credentials may have been exposed, rotate stored SSH passwords and any related credentials, and review logs for unauthorized access.
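
The client-IP handling the remediation refers to, as an added illustration that is not Termix's own code: a localhost-only gate that trusts the TCP peer address (the bug described above) next to one that resolves the real client from X-Forwarded-For only when the peer is a configured trusted proxy. The request objects, the function names and the 203.0.113.7 client address are constructed for the example; Express's req.ip behaves like the hardened variant only once the app's trust-proxy setting is configured.

```javascript
// Added example (not Termix's own code): a localhost-only gate behind a reverse proxy.
// Request objects are constructed stand-ins for what Express exposes as req.ip and
// req.headers, so the file runs without a web framework.
const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

function isLocalhost(ip) {
  return LOOPBACK.has(ip);
}

// Vulnerable pattern: use the TCP peer address. With the bundled Nginx on the same
// host, every request, including a remote one, arrives from 127.0.0.1.
function clientIpNaive(req) {
  return req.peerAddress;
}

// Hardened pattern: consult X-Forwarded-For only when the peer is a configured
// trusted proxy, then take the rightmost hop that is not itself a trusted proxy.
// This relies on the proxy appending the peer it saw (Nginx: $proxy_add_x_forwarded_for);
// a proxy that forwards a client-supplied header unchanged defeats the check.
function clientIpTrusted(req, trustedProxies) {
  const trusted = new Set(trustedProxies);
  if (!trusted.has(req.peerAddress)) return req.peerAddress;
  const hops = (req.headers["x-forwarded-for"] || "")
    .split(",").map((s) => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trusted.has(hops[i])) return hops[i];
  }
  return req.peerAddress; // header empty or only trusted hops: genuinely local
}

// Would the internal endpoint be served? `resolver` selects the client-IP logic.
function internalEndpointAllowed(req, resolver) {
  return isLocalhost(resolver(req));
}

// Constructed requests as the backend sees them after passing through a trusted
// Nginx on 127.0.0.1: a remote client, the same client with a forged loopback
// entry (which the proxy appends to), and a genuine local call.
const TRUSTED = ["127.0.0.1"];
const remote = { peerAddress: "127.0.0.1", headers: { "x-forwarded-for": "203.0.113.7" } };
const remoteForged = { peerAddress: "127.0.0.1", headers: { "x-forwarded-for": "127.0.0.1, 203.0.113.7" } };
const local = { peerAddress: "127.0.0.1", headers: { "x-forwarded-for": "127.0.0.1" } };
const hardened = (req) => clientIpTrusted(req, TRUSTED);

console.log("naive, remote client:   ", internalEndpointAllowed(remote, clientIpNaive)); // true: the bug
console.log("hardened, remote client:", internalEndpointAllowed(remote, hardened));      // false
console.log("hardened, forged header:", internalEndpointAllowed(remoteForged, hardened)); // false
console.log("hardened, local client: ", internalEndpointAllowed(local, hardened));       // true
```

The same logic applies to a firewall or WAF rule for /ssh/db/host/internal: the rule must evaluate the real client address, not the proxy's, or it blocks nothing.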
PUBLIC EXPLOITS

Exploits


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors correlated with this vulnerability:

Vendor   Product   Type
Termix   Termix    application
