Terminal Emulators: The Soft Underbelly of Enterprise Security at Retailers and Banks

We don’t usually talk about terminal emulators in cyber risk meetings. But I think we should, and you probably will too, after you read my final thought.

While headlines focus on the latest ransomware campaign or phishing attacks, quietly lurking in the background are thousands of outdated, insecure Java-based or desktop emulators, still running in banks, logistics firms and public agencies, often untouched for years. And threat actors know it.

State-Backed Actors Have Taken Notice

In recent years, APT groups like Lazarus (North Korea) and APT41 (China) have directly targeted terminal emulators. Lazarus, for instance, was caught distributing a trojanised version of PuTTY, one of the most common terminal emulators in the world, which opened a backdoor to systems inside financial institutions. APT41, meanwhile, used stolen credentials and poorly configured terminal access to penetrate healthcare networks.

This isn’t theoretical anymore: these tools are exploitable, the exploits are known, and they are being weaponized.

Why Terminal Emulators Are So Vulnerable

The reasons are straightforward, and alarming:

  • They’re desktop-based, meaning updates rely on every machine being patched — a tall order at enterprise scale.
  • They rely on vendors writing updates for them, which just doesn't happen. Be very afraid if you are an organisation that uses Micro Focus Reflection, OpenText HostExplorer or IBM Host On-Demand, to name but a few. If you are using one of these, or simply can't remember your last security update, it's probably best to stop reading this now and email info@flynet.email instantly.
  • They use stateful protocols like 3270 and 5250, which are brittle over modern networks and easily exploited.
  • They often lack MFA, session management, and audit controls, making lateral movement inside the network easy.

And yet, these emulators still provide direct access to the crown jewels of the business: core transactional systems, databases and back-office workflows.

The Broader Context: Retail Attacks Are a Warning Shot

Recent, or should I say ongoing, cyber incidents at Marks & Spencer, Harrods and the Co-op have made national news in the UK. Previous US based incidents at CVS, Neiman Marcus, JD Sports, Forever 21 and others (the list goes on) certainly indicate that retailers are in cyber criminals' sights. While there’s no suggestion terminal emulators were to blame, these events are a reminder of how fragile retail infrastructure can be when legacy access points are overlooked.

Cyber attackers go where the defenses are weakest. If your emulator hasn't been updated in years, runs on end-user desktops or in deprecated applets, and opens direct sessions to your back-end systems, that’s a gift to a cyber criminal.

What Needs to Change

If we want to reduce our risk surface, we must:

  • Move terminal access to an enterprise platform, where it can be centrally managed, patched, monitored and made instantly accessible using a modern web browser.
  • Convert stateful protocols into stateless HTML over TCP/IP, enabling resilience across mobile, cloud, and hybrid networks.
  • Add security by design: SSO, RBAC, Fed ID, IAM, encryption, and session auditing.
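As an added illustration of the session-management and audit controls the two lists above call for, the script below audits a constructed set of host-session records for exactly the conditions listed: cleartext 3270/5250 sessions, sessions without MFA, unmanaged desktop or applet clients, and one user active from several workstations at once. This is example code written for this article, not Flynet's product or any emulator vendor's code; the record fields, client names and sample values are assumptions, and the port numbers follow the conventional telnet (23) and telnet-over-TLS (992) assignments.

```python
"""Audit terminal-emulator sessions against a minimal security baseline.

Example code for this article; not Flynet's or any vendor's implementation.
Field names and sample records are constructed (hypothetical).
"""
from collections import Counter, defaultdict

# Conventional ports: 23 is plaintext telnet (TN3270/TN5250), 992 is telnet over TLS (IANA "telnets").
PLAINTEXT_PORT = 23
TLS_PORT = 992

# Constructed sample inventory: one record per active host session, as a central
# gateway or session manager could export it. Client names/versions are illustrative.
SESSIONS = [
    {"user": "alice", "src": "10.1.1.5", "client": "web-gateway", "managed": True,
     "protocol": "TN3270E", "port": TLS_PORT, "tls": True, "mfa": True},
    {"user": "bob", "src": "10.1.2.9", "client": "legacy Java applet", "managed": False,
     "protocol": "TN3270", "port": PLAINTEXT_PORT, "tls": False, "mfa": False},
    {"user": "bob", "src": "10.9.7.20", "client": "legacy Java applet", "managed": False,
     "protocol": "TN3270", "port": PLAINTEXT_PORT, "tls": False, "mfa": False},
    {"user": "carol", "src": "10.1.3.4", "client": "web-gateway", "managed": True,
     "protocol": "TN5250", "port": TLS_PORT, "tls": False, "mfa": True},
]


def check_session(s):
    """Return a list of (severity, message) findings for one session record."""
    findings = []
    if not s["tls"]:
        # Cleartext host sessions expose credentials and every screen to anyone on the path.
        findings.append(("HIGH", f"{s['protocol']} to port {s['port']} without TLS: "
                                 "credentials and screen data in cleartext"))
    if s["port"] == TLS_PORT and not s["tls"]:
        # Port suggests TLS but none was negotiated: gateway or client misconfiguration.
        findings.append(("HIGH", "port 992 (telnets) but no TLS negotiated"))
    if not s["mfa"]:
        findings.append(("HIGH", "host session authenticated without MFA"))
    if not s["managed"]:
        # Desktop or applet clients outside central management have unknown patch state.
        findings.append(("MEDIUM", f"unmanaged client '{s['client']}': patch state unknown"))
    return findings


def audit(sessions):
    """Audit all sessions; returns {user: [(severity, message), ...]}.

    Besides per-session checks, flags one account active from several source hosts,
    a common sign of shared credentials or lateral movement.
    """
    report = defaultdict(list)
    sources = defaultdict(set)
    for s in sessions:
        report[s["user"]].extend(check_session(s))
        sources[s["user"]].add(s["src"])
    for user, srcs in sources.items():
        if len(srcs) > 1:
            report[user].append(("MEDIUM", f"concurrent sessions from {len(srcs)} hosts "
                                           f"({', '.join(sorted(srcs))}): shared credential "
                                           "or lateral movement?"))
    return dict(report)


def severity_counts(report):
    """Count findings by severity across the whole report."""
    return Counter(sev for findings in report.values() for sev, _ in findings)


if __name__ == "__main__":
    result = audit(SESSIONS)
    for user, findings in result.items():
        for sev, msg in findings:
            print(f"{sev:6} {user:8} {msg}")
    print(dict(severity_counts(result)))
```

Map the fields to whatever your gateway or session manager can export and run it on a schedule. The larger point is that this audit is only possible once access is centralised: a fleet of per-desktop emulators dialling the host directly gives you nothing to query.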

At Flynet, we’ve spent years solving this: not just modernizing interfaces, but making mainframe and midrange access secure by default.

Final Thought

Make sure the CISO is involved in any emulator safety discussion in your enterprise. I was recently in a discussion with a large French retailer whose technical manager chose a free, high-risk, open-source Java-based emulator that risks just about every part of a 20 billion euro enterprise, from direct revenue to share price, just to save a few euros. So this is still happening, people; folks don't think it can happen to them, until it does. Nobody thinks of terminal emulators as the frontline in cyber defense. But maybe it’s time we did.

Concerned about your mainframe's security? Contact Flynet today for a free consultation.