CVE-2023-46300

9.8 CRITICAL

📋 TL;DR

CVE-2023-46300 is a critical remote code execution vulnerability in iTerm2's tmux integration feature. Attackers can exploit this by sending specially crafted escape sequences to execute arbitrary commands on the victim's system. All iTerm2 users with tmux integration enabled are affected.

💻 Affected Systems

Products:
  • iTerm2
Versions: All versions before 3.4.20
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users with tmux integration enabled, but this is a common configuration for developers and system administrators.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining complete control over the victim's machine, allowing data theft, persistence installation, and lateral movement.

🟠 Likely Case

Remote code execution leading to malware installation, credential theft, and unauthorized access to sensitive data.

🟢 If Mitigated

Limited impact if tmux integration is disabled or proper network segmentation prevents malicious input.

🌐 Internet-Facing: HIGH - Attackers can exploit this remotely through various vectors including malicious websites, emails, or network services.
🏢 Internal Only: HIGH - Internal attackers or compromised systems can exploit this vulnerability within the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code exists, and exploitation requires minimal technical skill. The attack can be triggered through various input vectors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.20 and later

Vendor Advisory: https://iterm2.com/news.html

Restart Required: Yes

Instructions:

1. Open iTerm2.
2. Go to iTerm2 → Check for Updates.
3. Install version 3.4.20 or later.
4. Restart iTerm2.

🔧 Temporary Workarounds

Disable tmux integration

Temporarily disable the tmux integration feature to prevent exploitation.

Go to iTerm2 → Preferences → Profiles → tmux → Uncheck 'Automatically start tmux sessions'

🧯 If You Can't Patch

  • Disable tmux integration completely in iTerm2 preferences
  • Use alternative terminal emulators until patch can be applied

🔍 How to Verify

Check if Vulnerable:

Check iTerm2 version in iTerm2 → About iTerm2. If version is below 3.4.20, you are vulnerable.

Check Version:

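iTerm2 → About iTerm2, or check via the command line (assuming the default install location /Applications/iTerm.app; the version string is stored in the app bundle's Info.plist, not in the com.googlecode.iterm2 preferences domain): defaults read /Applications/iTerm.app/Contents/Info.plist CFBundleShortVersionString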

Verify Fix Applied:

Verify iTerm2 version is 3.4.20 or higher in iTerm2 → About iTerm2.
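
The version check above, scripted for use across several machines. This is an added example, not code from the vendor or from this page; the function names and the default install path /Applications/iTerm.app are assumptions.

```shell
#!/bin/sh
# Added example; function names and the install path are assumptions.
FIXED_VERSION="3.4.20"   # fixed release named on this page
# Assumption: default location of the app bundle; override via ITERM_PLIST.
ITERM_PLIST="${ITERM_PLIST:-/Applications/iTerm.app/Contents/Info.plist}"

# version_lt A B: succeed if dotted version A is numerically lower than B.
# Fields are compared as integers, because a string comparison would rank
# 3.4.9 above 3.4.20. Non-numeric suffixes ("0beta3") are ignored.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        # Drop the consumed field; empty the string when no dot remains.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        # Keep leading digits only; a missing field counts as 0.
        fa=${fa%%[!0-9]*}; fb=${fb%%[!0-9]*}
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -lt "$fb" ] && return 0
        [ "$fa" -gt "$fb" ] && return 1
    done
    return 1   # equal versions are not "lower"
}

# iterm2_status VERSION: print VULNERABLE, PATCHED, or UNKNOWN (empty input).
iterm2_status() {
    if [ -z "$1" ]; then
        echo "UNKNOWN"
    elif version_lt "$1" "$FIXED_VERSION"; then
        echo "VULNERABLE"
    else
        echo "PATCHED"
    fi
}

# Report on the local install only when the bundle is present.
if [ -f "$ITERM_PLIST" ]; then
    v=$(defaults read "$ITERM_PLIST" CFBundleShortVersionString 2>/dev/null || true)
    echo "iTerm2 ${v:-?}: $(iterm2_status "$v")"
fi
```

Because suffixes are ignored, a pre-release build labelled with the fixed version number is reported as PATCHED; confirm such builds by hand.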

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from iTerm2
  • Suspicious escape sequences in terminal logs
  • Unexpected tmux session creation

Network Indicators:

  • Malicious escape sequences in network traffic to terminal sessions
  • Unexpected outbound connections from iTerm2 processes

SIEM Query:

process_name:iTerm2 AND (process_command_line:*tmux* OR process_command_line:*escape* OR process_command_line:*\x1b*)
