📄 Description (English)
Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby registers itself as the handler for the tabby:// URL scheme on all platforms. The URL scheme handler supports a run command that directly executes OS commands with no user confirmation, sanitization, or sandboxing. An attacker can craft a malicious link (tabby://run?command=...) and deliver it via a website, email, chat message, or any other medium. When a victim clicks the link, the OS launches Tabby which immediately spawns the specified command as a child process with the user's full privileges. This is a zero-click-after-link-visit RCE vulnerability. This vulnerability is fixed in 1.0.233.
🤖 AI Executive Summary
Tabby terminal emulator versions prior to 1.0.233 contain a critical remote code execution vulnerability through the tabby:// URL scheme handler. The vulnerability allows unauthenticated attackers to execute arbitrary OS commands with user privileges by crafting malicious links, requiring only that a victim clicks the link. This represents a severe risk for organizations where developers and system administrators use Tabby, as exploitation requires minimal attacker effort and no user interaction beyond clicking a link.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 20, 2026 09:00
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi government agencies (NCA, NCSC), financial institutions (SAMA-regulated banks), and critical infrastructure operators (ARAMCO, SEC) where technical staff use Tabby for system administration and development. The risk is particularly acute in organizations with high-value targets, as compromised developer/admin accounts could lead to lateral movement, data exfiltration, or infrastructure sabotage. Telecom operators (STC, Mobily) and healthcare institutions using Tabby for infrastructure management are also at elevated risk. The vulnerability's ease of exploitation via email or messaging platforms makes it a preferred vector for targeted attacks against Saudi organizations.
🏢 Affected Saudi Sectors
Government (NCA, NCSC, Ministry of Interior)
Banking and Financial Services (SAMA-regulated institutions)
Energy and Utilities (ARAMCO, SEC)
Telecommunications (STC, Mobily, Zain)
Healthcare (MOH, private hospitals)
Defense and Security
Critical Infrastructure Operators
Technology and Software Development Companies
🎯 MITRE ATT&CK Techniques
T1204.001 - User Execution: Malicious Link
T1204.002 - User Execution: Malicious File
T1559.001 - Inter-Process Communication: Component Object Model
T1566.002 - Phishing: Spearphishing Link
T1566.001 - Phishing: Spearphishing Attachment
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.004 - Command and Scripting Interpreter: Unix Shell
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1190 - Exploit Public-Facing Application
T1200 - Hardware Additions
T1566 - Phishing
T1598 - Phishing for Information
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all systems running Tabby versions prior to 1.0.233 using asset inventory and endpoint detection tools
2. Disable or remove Tabby from systems where feasible, or restrict user access to trusted networks only
3. Alert users not to click on tabby:// links from untrusted sources
4. Monitor email gateways and web proxies for tabby:// URL patterns
PATCHING GUIDANCE:
1. Upgrade Tabby to version 1.0.233 or later immediately on all affected systems
2. Verify patch installation by checking application version in Tabby settings
3. Restart all instances of Tabby after patching
COMPENSATING CONTROLS (if immediate patching not possible):
1. Unregister tabby:// URL scheme handler: Remove registry entries (Windows) or plist entries (macOS) or desktop files (Linux) associated with Tabby URL handling
2. Implement application whitelisting to prevent Tabby execution
3. Use endpoint protection to block execution of Tabby with URL scheme parameters
4. Restrict Tabby to air-gapped or isolated networks
DETECTION RULES:
1. Monitor for process creation with parent process being browser or email client and child process being Tabby
2. Alert on any Tabby process spawning child processes with suspicious command-line arguments
3. Log and alert on tabby:// URL access attempts in proxy/firewall logs
4. Monitor registry/file system for tabby:// URL scheme handler registration changes
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع الأنظمة التي تقوم بتشغيل إصدارات Tabby السابقة للإصدار 1.0.233 باستخدام أدوات جرد الأصول والكشف عن نقاط النهاية
2. تعطيل أو إزالة Tabby من الأنظمة حيث يكون ذلك ممكناً، أو تقييد وصول المستخدم إلى الشبكات الموثوقة فقط
3. تنبيه المستخدمين بعدم النقر على روابط tabby:// من مصادر غير موثوقة
4. مراقبة بوابات البريد الإلكتروني والوكلاء على الويب للبحث عن أنماط URL tabby://
إرشادات التصحيح:
1. ترقية Tabby إلى الإصدار 1.0.233 أو أحدث فوراً على جميع الأنظمة المتأثرة
2. التحقق من تثبيت التصحيح بالتحقق من إصدار التطبيق في إعدادات Tabby
3. إعادة تشغيل جميع مثيلات Tabby بعد التصحيح
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. إلغاء تسجيل معالج مخطط URL tabby://: إزالة إدخالات السجل (Windows) أو إدخالات plist (macOS) أو ملفات سطح المكتب (Linux) المرتبطة بمعالجة URL Tabby
2. تنفيذ قائمة بيضاء للتطبيقات لمنع تنفيذ Tabby
3. استخدام الحماية من نقاط النهاية لحظر تنفيذ Tabby مع معاملات مخطط URL
4. تقييد Tabby على الشبكات المعزولة أو المنفصلة
قواعد الكشف:
1. مراقبة إنشاء العملية مع كون العملية الأب متصفح الويب أو عميل البريد الإلكتروني والعملية الفرعية هي Tabby
2. التنبيه على أي عملية Tabby تولد عمليات فرعية بمعاملات سطر أوامر مريبة
3. تسجيل والتنبيه على محاولات الوصول إلى URL tabby:// في سجلات الوكيل/جدار الحماية
4. مراقبة السجل/نظام الملفات لتغييرات تسجيل معالج مخطط URL tabby://
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.5.2.1 - User access management and authorization
A.5.3.1 - Cryptography and secure communications
A.5.4.1 - Physical and environmental security
A.5.5.1 - Operations security and change management
A.5.6.1 - Communications security
A.5.7.1 - System acquisition, development and maintenance
A.5.8.1 - Supplier relationships
A.5.9.1 - Information security incident management
🔵 SAMA CSF
Governance - Policy and Risk Management
Governance - Oversight and Accountability
Protective - Access Control
Protective - Data Protection
Protective - System and Communications Protection
Protective - Malware Protection
Responsive - Detection and Analysis
Responsive - Containment, Eradication and Recovery
🟡 ISO 27001:2022
5.1 - Policies for information security
5.3 - Segregation of duties
6.1 - Screening
6.2 - Terms and conditions of employment
7.1 - Physical and environmental entry
7.2 - Access to assets and associated facilities
8.1 - User endpoint devices
8.2 - Privileged access rights
8.3 - Information access restriction
8.6 - Access control for change of information
A.5.1.1 - Policies for information security
A.5.2.1 - User access management
A.5.3.1 - Cryptography
A.5.4.1 - Physical and environmental security
A.5.5.1 - Operations security
A.5.7.1 - Systems acquisition, development and maintenance
A.5.9.1 - Incident management
🟣 PCI DSS v4.0.1
1.1 - Firewall configuration standards
2.1 - Default security parameters
2.2.4 - Configure system security parameters
6.2 - Security patches and updates
6.5.1 - Injection flaws
8.1 - User identification and authentication
8.2 - Strong authentication
10.1 - Implement automated audit trails
10.2 - Implement automated mechanisms to restrict access
📦 Affected Products / CPE 1 entries
tabby:tabby