Categories: Cyber Security News

iTerm2 Flaw Abuses SSH Integration Escape Sequences to Turn Text Into Code Execution

A newly disclosed vulnerability in the popular iTerm2 macOS terminal emulator shows that even viewing a simple text file can lead to arbitrary code execution under certain conditions.

Security researchers, working alongside OpenAI, uncovered the flaw, which abuses iTerm2’s SSH integration and its handling of terminal escape sequences.

How the Flaw Works

iTerm2 includes an SSH integration feature designed to improve user experience by understanding remote sessions more intelligently.

As part of this feature, iTerm2 deploys a small helper script called a “conductor” on remote systems. This script communicates with the terminal using special escape sequences such as DCS 2000p and OSC 135.

The issue arises because iTerm2 does not properly verify whether these escape sequences originate from a trusted SSH session.

Instead, it blindly trusts terminal output. This creates an opportunity for attackers to inject malicious sequences into otherwise harmless-looking content.

Attackers can embed malicious escape sequences in:

  • Text files (e.g., README files)
  • Server responses
  • Login banners or terminal output

When a user runs a basic command like cat readme.txt, the attack is triggered. The malicious content impersonates the SSH conductor and tricks iTerm2 into initiating its integration workflow.

The process unfolds as follows:

  • A forged DCS 2000p sequence signals a fake SSH session.
  • Fake OSC 135 messages respond to iTerm2 prompts.
  • iTerm2 attempts to send commands back via the local pseudoterminal (PTY).
  • Since no real SSH session exists, the local shell interprets these responses as direct commands.

To achieve code execution, attackers manipulate a field known as sshargs. This value is crafted so that when iTerm2 encodes its response in base64, part of the resulting string becomes a valid file path.

If a malicious executable exists at that path, the local shell will execute it automatically. This technique bypasses typical security warnings because the commands appear to originate from legitimate terminal behavior.

This vulnerability highlights a deeper trust issue in terminal emulators, where output is often treated as safe by default.

In this case, simply displaying untrusted content can result in command execution without explicit user intent.

The flaw effectively turns terminal output into an attack vector, challenging long-standing assumptions about command-line safety.

Researchers reported the issue to the iTerm2 development team on March 30, 2026. A fix was quickly introduced the next day via commit a9e74599.

However, the patch has not yet been included in stable public releases.

Until an official update is widely available, users should take precautions:

  • Avoid opening untrusted text files in iTerm2.
  • Be cautious when connecting to unknown or untrusted servers.
  • Disable SSH integration features if not required.
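To support the first precaution, the following added example (not from the original article or the iTerm2 project) scans a file for the DCS 2000p and OSC 135 introducers named above and renders its control characters as visible text instead of letting the terminal interpret them. The byte encodings are an assumption based on standard ECMA-48 framing, and the function names and sample bytes are constructed for illustration.

```python
import re
import sys

# Introducers for the two sequences the article names. Assumption: standard
# ECMA-48 encodings, i.e. 7-bit (ESC P, ESC ]) or 8-bit C1 (0x90, 0x9d,
# optionally UTF-8 encoded with a 0xc2 prefix).
PATTERNS = {
    "DCS 2000p": re.compile(rb"(?:\x1bP|\xc2?\x90)2000p"),
    "OSC 135": re.compile(rb"(?:\x1b\]|\xc2?\x9d)135(?![0-9])"),
}

def find_integration_sequences(data: bytes) -> list[tuple[str, int]]:
    """Return (sequence name, byte offset) for every match, in file order."""
    hits = [(name, m.start()) for name, rx in PATTERNS.items()
            for m in rx.finditer(data)]
    return sorted(hits, key=lambda h: h[1])

def neutralize(data: bytes) -> str:
    """Render control characters as visible \\xNN text so nothing is interpreted."""
    out = []
    for ch in data.decode("utf-8", errors="replace"):
        cp = ord(ch)
        printable = cp >= 0x20 and cp != 0x7F and not 0x80 <= cp <= 0x9F
        out.append(ch if printable or ch in "\n\t" else f"\\x{cp:02x}")
    return "".join(out)

# Constructed sample: introducers only, with placeholder payloads.
SAMPLE = b"Project notes\n\x1bP2000pPLACEHOLDER\x1b\\\x1b]135;PLACEHOLDER\x07done\n"

if __name__ == "__main__":
    # Usage: python3 scan.py FILE... (prints findings, then the neutralized text)
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        for name, offset in find_integration_sequences(data):
            print(f"{path}: {name} introducer at byte {offset}")
        sys.stdout.write(neutralize(data))
```

A hit is not proof of malice, but neither sequence has a reason to appear in a README, a login banner or a server response saved to disk.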

This incident serves as a reminder that even trusted tools like terminal emulators can become attack surfaces when assumptions about input validation fail.


The post iTerm2 Flaw Abuses SSH Integration Escape Sequences to Turn Text Into Code Execution appeared first on Cyber Security News.
