CVE-2022-46387

9.8 CRITICAL

📋 TL;DR

This vulnerability in ConEmu and Cmder terminal emulators allows attackers to inject malicious commands by manipulating the terminal title with control characters. When exploited, it enables arbitrary command execution with the privileges of the terminal user. Users of vulnerable ConEmu (through 220807) and Cmder (before 1.3.21) versions are affected.

💻 Affected Systems

Products:
  • ConEmu
  • Cmder
Versions: ConEmu through 220807, Cmder before 1.3.21
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installations. Requires user interaction (viewing malicious content or connecting to a malicious server) to trigger.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise via arbitrary command execution leading to privilege escalation, data exfiltration, ransomware deployment, or complete system takeover.

🟠 Likely Case

Local privilege escalation, credential theft, lateral movement within the network, and installation of persistent backdoors.

🟢 If Mitigated

Limited impact with proper network segmentation, least privilege principles, and endpoint protection that blocks suspicious terminal commands.

🌐 Internet-Facing: LOW - Primarily requires local access or social engineering to trigger; not directly exploitable over the internet.
🏢 Internal Only: HIGH - Significant risk in internal environments where users run vulnerable terminals, especially with elevated privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the user to view malicious content or connect to a malicious server. A proof-of-concept is available in public gists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ConEmu after 220807, Cmder 1.3.21 and later

Vendor Advisory: https://github.com/cmderdev/cmder/blob/master/CHANGELOG.md

Restart Required: Yes

Instructions:

1. Update ConEmu to a version after 220807.
2. Update Cmder to version 1.3.21 or later.
3. Restart terminal applications after the update.

🔧 Temporary Workarounds

Disable Title Reporting (Windows)

Prevent the terminal from processing title information that could contain malicious control characters.

Set ConEmu setting: Settings > Features > ANSI X3.64 and xterm sequences > Disable 'Process ANSI'

Note that this also stops legitimate ANSI output (colours, cursor movement) from being interpreted, so treat it as a stopgap until the update is applied.

Use Alternative Terminal (Windows)

Temporarily switch to a non-vulnerable terminal emulator such as Windows Terminal or PowerShell.

🧯 If You Can't Patch

  • Implement application allowlisting to block execution of unauthorized terminal applications
  • Enforce least privilege principles - ensure users run terminals with minimal necessary permissions

🔍 How to Verify

Check if Vulnerable:

You are vulnerable if the ConEmu version (Help > About) is 220807 or earlier, or the Cmder version (cmder.exe /ver) is earlier than 1.3.21.

Check Version:

ConEmu: Help > About dialog; Cmder: cmder.exe /ver or check CHANGELOG.md

Verify Fix Applied:

Confirm ConEmu version is after 220807 or Cmder version is 1.3.21 or later
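The version checks above are easy to get wrong by hand (a string comparison puts "1.3.9" after "1.3.21"), so here is an added example, not part of this advisory or of either project, that classifies a version string against the affected ranges. It assumes the version text has already been copied from ConEmu's Help > About dialog or from `cmder.exe /ver`; the display formats in the sample values ("ConEmu 220807 [64]", "Cmder 1.3.20") are assumptions, only the ranges (through 220807, before 1.3.21) come from the advisory.

```python
"""Classify ConEmu and Cmder version strings against the CVE-2022-46387 ranges.

Added example, not part of the advisory. The version text is assumed to have
been copied from ConEmu's Help > About dialog or from `cmder.exe /ver`; only
the affected ranges (ConEmu through 220807, Cmder before 1.3.21) come from the
advisory, the parsing is this example's own.
"""
import re

CONEMU_LAST_AFFECTED_BUILD = 220807   # advisory: "ConEmu through 220807"
CMDER_FIXED_VERSION = (1, 3, 21)      # advisory: "Cmder before 1.3.21"


def parse_conemu_build(text: str) -> int:
    """Pull the six-digit YYMMDD build number out of an About-dialog string,
    e.g. 'ConEmu 220807 [64]' -> 220807 (display format assumed). Build
    numbers are date-ordered, so a plain integer comparison is enough."""
    match = re.search(r"\b(\d{6})\b", text)
    if match is None:
        raise ValueError(f"no ConEmu build number found in {text!r}")
    return int(match.group(1))


def parse_cmder_version(text: str) -> tuple:
    """Pull a dotted MAJOR.MINOR.PATCH out of the version text, e.g.
    'Cmder 1.3.20' -> (1, 3, 20). Returning a tuple of ints avoids the classic
    mistake of comparing '1.3.9' > '1.3.21' as strings."""
    match = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if match is None:
        raise ValueError(f"no Cmder version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def conemu_is_affected(text: str) -> bool:
    """True when the build is 220807 or earlier."""
    return parse_conemu_build(text) <= CONEMU_LAST_AFFECTED_BUILD


def cmder_is_affected(text: str) -> bool:
    """True when the version is earlier than 1.3.21."""
    return parse_cmder_version(text) < CMDER_FIXED_VERSION


def assess(product: str, text: str) -> dict:
    """Single entry point: product is 'conemu' or 'cmder' (case-insensitive)."""
    checks = {"conemu": conemu_is_affected, "cmder": cmder_is_affected}
    key = product.lower()
    if key not in checks:
        raise ValueError(f"unknown product {product!r}")
    affected = checks[key](text)
    return {
        "product": key,
        "version_text": text,
        "affected": affected,
        "action": "update and restart the terminal" if affected else "no action needed",
    }


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from either tool.
    for product, text in [("conemu", "ConEmu 220807 [64]"), ("cmder", "Cmder 1.3.20")]:
        print(assess(product, text))
```

Feed `assess()` the text from each machine in an inventory and you get a per-host affected/not-affected verdict that matches the "Check if Vulnerable" and "Verify Fix Applied" steps above.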

📡 Detection & Monitoring

Log Indicators:

  • Unusual terminal title changes containing control characters
  • Suspicious command execution from terminal processes

Network Indicators:

  • Connections to suspicious servers followed by unusual terminal activity

SIEM Query:

Process Creation where (Image contains 'conemu' OR Image contains 'cmder') AND CommandLine contains unusual control characters
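The SIEM pseudo-query above leaves "unusual control characters" undefined. The following added example (not from the advisory or either project) implements that detection logic in Python over constructed process-creation events: it scopes to ConEmu/Cmder images as the query does, picks out OSC title-set sequences and checks whether the title payload itself carries control characters (the advisory's log indicator), and separately flags CSI sequences and stray control bytes. The `Key=Value|Key=Value` event format and every sample line are constructed for the example; a real pipeline would read Sysmon or EDR process-creation events instead.

```python
"""Detection logic for the advisory's SIEM query, as an added example (not from
the advisory). Constructed process-creation events in a simple key=value
format are embedded below; a real deployment would read Sysmon/EDR events.
"""
import re
from dataclasses import dataclass, field

# Process images the advisory's SIEM query scopes to ("conemu" OR "cmder").
TERMINAL_IMAGES = ("conemu", "cmder")

# Control characters a normal command line has no business carrying: every C0
# byte except tab/CR/LF, plus DEL. ESC (0x1b) is in range, so bare escapes count.
CMDLINE_CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
# Inside a terminal title, *any* control character is anomalous.
TITLE_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# OSC "set icon name and title" (0) or "set title" (2), terminated by BEL or ESC \.
OSC_TITLE = re.compile(r"\x1b\][02];(.*?)(?:\x07|\x1b\\)", re.S)
# Generic CSI sequence: ESC [ parameter bytes, intermediate bytes, final byte.
CSI_SEQUENCE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")


@dataclass
class Finding:
    image: str
    severity: str
    reasons: list = field(default_factory=list)


def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=Value|Key=Value' record into a dict.
    Values may contain '=' (partition splits on the first one only) but not '|'."""
    event = {}
    for part in line.rstrip("\n").split("|"):
        key, _, value = part.partition("=")
        event[key.strip()] = value
    return event


def inspect_event(event: dict):
    """Return a Finding for a terminal process whose command line carries
    control characters, or None when the event is out of scope or clean."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    if not any(name in image.lower() for name in TERMINAL_IMAGES):
        return None  # the SIEM query only looks at ConEmu/Cmder processes

    reasons = []
    for title in OSC_TITLE.findall(cmdline):
        if TITLE_CONTROL.search(title):
            reasons.append("title payload contains control characters")
        else:
            reasons.append("terminal title set via escape sequence")
    remainder = OSC_TITLE.sub("", cmdline)      # look outside titles next
    if CSI_SEQUENCE.search(remainder):
        reasons.append("CSI sequence outside a title")
    remainder = CSI_SEQUENCE.sub("", remainder)
    if CMDLINE_CONTROL.search(remainder):
        reasons.append("stray control characters in command line")

    if not reasons:
        return None
    high = any(r == "title payload contains control characters" for r in reasons)
    return Finding(image=image, severity="high" if high else "medium", reasons=reasons)


def scan(lines):
    """Run inspect_event over raw log lines; returns only the hits, in order."""
    findings = []
    for line in lines:
        finding = inspect_event(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry). Raw ESC/BEL bytes are written
# as Python escapes; a real pipeline would decode them from the event source.
SAMPLE_EVENTS = [
    # 1. ordinary ConEmu launch: clean
    "Image=C:\\Program Files\\ConEmu\\ConEmu64.exe|CommandLine=ConEmu64.exe /cmd cmd.exe",
    # 2. Cmder with a plain title change: worth a look, but the title itself is clean
    "Image=C:\\tools\\cmder\\Cmder.exe|CommandLine=cmd.exe /c echo \x1b]2;build 42\x07",
    # 3. Cmder with a title payload that itself contains an escape: the advisory's indicator
    "Image=C:\\tools\\cmder\\Cmder.exe|CommandLine=cmd.exe /c type notes.txt \x1b]0;x\x1b[2J\x1b\\",
    # 4. the same bytes from a non-terminal image: out of scope for this query
    "Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c echo \x1b]2;x\x07",
    # 5. ConEmu with a colour CSI sequence in the command line: medium
    "Image=C:\\Program Files\\ConEmu\\ConEmu64.exe|CommandLine=ConEmu64.exe /cmd powershell -c \"\x1b[31mred\x1b[0m\"",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit.severity, hit.image, "; ".join(hit.reasons))
```

The scoping filter on the image name mirrors the query exactly; widen `TERMINAL_IMAGES` (or drop the check) if you also want the "connections to suspicious servers followed by unusual terminal activity" network indicator correlated against processes other than the terminal itself.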

🔗 References