CVE-2024-38396

9.8 CRITICAL

📋 TL;DR

This vulnerability in iTerm2 allows remote code execution through malicious escape sequences in window titles when tmux integration is enabled. Attackers can inject arbitrary commands that execute when users view specially crafted content in their terminal. All iTerm2 users with tmux integration enabled (default) on affected versions are vulnerable.

💻 Affected Systems

Products:
  • iTerm2
Versions: 3.5.x before 3.5.2
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires tmux integration feature which is enabled by default. Users must view malicious content containing escape sequences.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with the attacker gaining complete control of the user's system, data theft, and lateral movement within the network.

🟠 Likely Case: Remote code execution leading to malware installation, credential theft, or data exfiltration when users interact with malicious content.

🟢 If Mitigated: Limited impact with proper network segmentation and user privilege restrictions, though code execution at user level is still possible.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires user interaction (viewing malicious content) but no authentication. Public proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.2

Vendor Advisory: https://iterm2.com/downloads.html

Restart Required: Yes

Instructions:

1. Download iTerm2 3.5.2 or later from https://iterm2.com/downloads.html
2. Install the update
3. Restart iTerm2

🔧 Temporary Workarounds

1. Disable tmux integration
   Applies to: all
   Temporarily disable the vulnerable tmux integration feature.
   Go to iTerm2 Preferences > General > Magic > Uncheck 'Enable tmux integration'

2. Filter escape sequences
   Applies to: all
   Configure the terminal to filter or sanitize escape sequences.

🧯 If You Can't Patch

  • Disable tmux integration in iTerm2 preferences
  • Restrict user privileges to limit impact of potential code execution

🔍 How to Verify

Check if Vulnerable:

Check iTerm2 version in menu: iTerm2 > About iTerm2. If version is 3.5.0 or 3.5.1, you are vulnerable.

Check Version:

iTerm2 > About iTerm2

Verify Fix Applied:

Verify version is 3.5.2 or later in About iTerm2 dialog.
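The About dialog check above does not scale to a fleet. The script below is an added example (not part of this advisory) that reads the installed iTerm2 version from the app bundle and tests it against the affected range 3.5.x before 3.5.2. It assumes a standard bundle install at /Applications/iTerm.app (override with the ITERM2_PLIST variable) and uses /usr/libexec/PlistBuddy, which ships with macOS; pre-release suffixes such as "beta1" are ignored, so only the numeric version is compared.

```shell
#!/bin/sh
# Added example: fleet-style version check for CVE-2024-38396 (iTerm2 3.5.x < 3.5.2).
# Assumption: iTerm2 is installed as an app bundle at the path below; override
# ITERM2_PLIST in the environment for non-standard installs.
ITERM2_PLIST="${ITERM2_PLIST:-/Applications/iTerm.app/Contents/Info.plist}"

# Return 0 (true) when the version string is in the affected range, 1 otherwise.
# Only the numeric major.minor.patch fields are compared; anything after the
# first non-numeric character (e.g. "beta2") is dropped.
iterm2_version_affected() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -s -d. -f2)
    patch=$(printf '%s' "$v" | cut -s -d. -f3)
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    [ "$major" -eq 3 ] && [ "$minor" -eq 5 ] && [ "$patch" -lt 2 ]
}

# Print CFBundleShortVersionString from the bundle's Info.plist, or fail with
# status 1 when the plist is not readable (iTerm2 not installed here).
iterm2_installed_version() {
    [ -r "$ITERM2_PLIST" ] || return 1
    /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$ITERM2_PLIST" 2>/dev/null
}

# Report on the local install. Exit status: 0 not affected, 1 affected, 2 not found.
iterm2_check_report() {
    ver=$(iterm2_installed_version) || {
        echo "iTerm2 not found at $ITERM2_PLIST"
        return 2
    }
    if iterm2_version_affected "$ver"; then
        echo "VULNERABLE: iTerm2 $ver is affected by CVE-2024-38396; update to 3.5.2 or later"
        return 1
    fi
    echo "OK: iTerm2 $ver is not in the affected range"
    return 0
}

# Run the report when executed directly; the status is kept for callers that
# source this file and want to act on it.
ITERM2_CHECK_STATUS=0
iterm2_check_report || ITERM2_CHECK_STATUS=$?
```

Save it as iterm2_check.sh and run `sh iterm2_check.sh` on each Mac (for example via your MDM's script facility); a non-zero ITERM2_CHECK_STATUS of 1 marks a host that still needs the 3.5.2 update.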

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from iTerm2
  • Suspicious escape sequences in terminal logs

Network Indicators:

  • Unexpected outbound connections from terminal sessions

SIEM Query:

process.name:iTerm2 AND (process.version:3.5.0 OR process.version:3.5.1)
