The Gray App of the Corporate Enterprise

What if the software you trust most to reach your core systems is the one thing no one ever pen-tests? That can't be right, can it? The CISO's team and the SOC scan everything, don't they? Err, no. Trust me, there is an infectious pathogen called 'terminal emulator blindness'. It's OK though, because the terminal emulation vendors have it too, so it's a shared illness.

Now, we stir into the cocktail of the 'least secure bit of software' running on the 'biggest threat surface endpoint' in the organisation the fact that a lot of folk work from home now. What does that mean, I hear you ask? Well, let me tell you:

  • Shared home devices
  • Malware-riddled kids' PCs
  • Default-password routers
  • Split-tunnel VPNs leaking traffic
  • Machines with no patch cadence or endpoint telemetry

Attackers don’t need to breach your datacentre. They just need to compromise an employee's beachhead. We build huge digital castles to defend our crucial assets, then we let our most vulnerable endpoints play in the sea of snakes that is most home wifi networks. It happens, it's the way it is, but ignoring the truth because everyone else does is starting to fall apart.

APT groups love it: phishing VPN creds, hijacking saved sessions, scraping host macros, a lot of which contain plaintext username and password combinations, because they were written in a time when this type of cyber threat was science fiction. For the cyber criminal community, work-from-home wasn’t disruption. It was the distribution of lowered drawbridges.

Rewind for Context: Terminal Emulators Were Born Before Cyber Was a Thing

These tools were built for a simpler time, promenading maybe, doffing one's hat, a time of office cubicles, cables, and castles. Their entire model assumed:

  • Everyone was on-site.
  • Desktops were trusted.
  • The corporate network was a fortress.

Nobody thought a terminal emulator could be an attack vector. But that assumption hardened into a culture, and that culture aged badly, think Dorian Gray.

Why Fat Clients Are a Dream for APTs

  • Privilege & trust: Admin-level execution on domain-joined machines.
  • Stored credentials: Plaintext or weakly protected protocols.
  • Macros: Human-readable scripts with username and password credentials in plaintext.
  • No telemetry tracking capability: What does “normal use” even look like?
  • Protocol complexity: 3270/5250/VT quirks = hidden exploits.
  • Loose update chains: Easy DLL injection or tampering.

They’re not just tools, they’re tunnels with RSVPs.

So Why the Grey App of the Corporate Enterprise?

In “Your Compliance Officer Is Blind…” I wrote that most frameworks only audit what’s visible (access lists, logs, firewall configs), not the connectivity fabric itself. The terminal emulator, for whatever reason, is always invisible. I've seen every other bit of software vetted so many times, but no entry in the log for the terminal emulator; it's the grey app of the corporate enterprise.

And in “Audit-Proof Mainframe Access,” I described how unlogged macros, shared credentials, and opaque sessions can unravel any illusion of traceability. When I tell people that macros often hold tertiary system access credentials in VB scripts or PSL scripts (basically plain text), chins normally fall to the floor: all the security effort made organisation-wide falls foul of little text files sitting on people's desktops.
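The audit step that follows from this paragraph (and from the "Macros" bullet above) is an inventory of which macro files on an estate embed a literal username or password. The scanner below is an added example written for this article, not Flynet's code or any vendor's; it assumes macros are plain-text files with `key = "value"` assignments, and the `.psl` sample uses a generic key = value layout that is an assumption rather than real PSL syntax. The three sample macros are constructed for the example. Values are masked in the output so the audit report does not itself become a credential store; the point is to find the files to rotate and rewrite, not to collect their contents.

```python
"""Audit scanner for plaintext credentials embedded in terminal-emulator macro files."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample macros (not taken from any real product). They stand in for the
# VB-style and script-style macro files the article describes. The ".psl" sample uses a
# generic key = "value" layout, which is an assumption, not real PSL syntax.
SAMPLE_MACROS: Dict[str, str] = {
    "login_prod.vbs": (
        "' Auto-login macro for the production host (constructed sample)\n"
        'Set sess = CreateObject("Host.Session")\n'
        'sess.Connect "prodhost.example.internal"\n'
        'UserName = "opsadmin"\n'
        'Password = "Summer2019!"\n'
        'sess.SendKeys UserName & "{TAB}" & Password & "{ENTER}"\n'
    ),
    "batch_upload.psl": (
        "# Constructed sample; generic key = value layout, not real PSL syntax\n"
        'host = "batch.example.internal"\n'
        'uid = "batchsvc"\n'
        'pwd = "batch-pass-01"\n'
    ),
    "clean_macro.vbs": (
        "' Prompts at runtime instead of embedding a secret (constructed sample)\n"
        'UserName = InputBox("Enter user id")\n'
        'Password = InputBox("Enter password", "Login")\n'
    ),
}

SECRET_KEYS = ("password", "passwd", "pass", "pwd", "secret")
IDENTITY_KEYS = ("username", "userid", "user", "uid", "login")

# Matches key = "literal" or key: "literal". Only a quoted literal counts, so a value
# that comes from InputBox(...) or from a variable is not reported (no embedded secret).
# Longest keys first so "username" is not cut short to "user".
_PATTERN = re.compile(
    r"\b(?P<key>"
    + "|".join(sorted(SECRET_KEYS + IDENTITY_KEYS, key=len, reverse=True))
    + r')\s*[=:]\s*"(?P<value>[^"]+)"',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    file: str
    line_no: int
    key: str      # normalised to lower case
    kind: str     # "secret" or "identity"
    masked: str   # first and last character only; the literal is never emitted


def mask(value: str) -> str:
    """Keep just enough of the literal to recognise it in a report."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[0] + "*" * (len(value) - 2) + value[-1]


def scan_text(name: str, text: str) -> List[Finding]:
    """Scan one macro body line by line and return every embedded literal credential."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _PATTERN.finditer(line):
            key = m.group("key").lower()
            kind = "secret" if key in SECRET_KEYS else "identity"
            findings.append(Finding(name, line_no, key, kind, mask(m.group("value"))))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of file name -> file contents (read from disk in real use)."""
    out: List[Finding] = []
    for name, text in files.items():
        out.extend(scan_text(name, text))
    return out


def summarise(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Per-file counts of embedded secrets and identities, for the audit summary."""
    summary: Dict[str, Dict[str, int]] = {}
    for f in findings:
        counts = summary.setdefault(f.file, {"secret": 0, "identity": 0})
        counts[f.kind] += 1
    return summary


def files_needing_remediation(findings: List[Finding]) -> List[str]:
    """Files with at least one embedded secret: rotate the credential and rewrite the macro."""
    return sorted({f.file for f in findings if f.kind == "secret"})


if __name__ == "__main__":
    results = scan_files(SAMPLE_MACROS)
    for f in results:
        print(f"{f.file}:{f.line_no} {f.kind:8} {f.key} = {f.masked}")
    print("remediate first:", files_needing_remediation(results))
```

Run against real macro directories by reading each file into the `files` mapping. The quoted-literal rule is deliberate: `clean_macro.vbs` prompts at runtime and produces no finding, which is the pattern a rewritten macro should follow (or, better, a session broker that never hands the secret to the script at all).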

Now add remote work to that, and you’ve built a compliance fiction: everything appears in order, because the grey app and its inherent year-2000 security viewpoint is just invisible, until it isn’t, of course. As an aside, I have sensed in the recent past that I might have been in too many wars; even I'm bored with the 'I told you so's'. It literally gives me no pleasure, it is in fact starting to irk :)

Industrial Inertia, Security Naivety

“If it isn’t broken, don’t patch it” became gospel. Most legacy tech vendors still operate with a pre-cyber mindset. They don’t pen-test their binaries. They don’t red-team their update mechanisms. They rarely, if ever, publish coordinated vulnerability disclosures, mainly because:

Security isn’t part of the DNA of a terminal emulator, it’s a footnote, an afterthought at best. And when you look at the public record, you’ll see just how little scrutiny these products have faced over the last nearly 20 years.

The Sparse CVE Record (Common Vulnerabilities & Exposures)

  • IBM Personal Communications (PCOMM): CVE-2024-25029 (2024), SYSTEM-level escalation via unprotected Windows service
  • IBM iAccess Client Solutions (ACS): CVE-2024-22318 (2024), NTLM credential theft via malicious UNC path
  • HostExplorer (Hummingbird / OpenText): CVE-2008-4729 (2008), ActiveX buffer overflow → remote code execution
  • Ericom PowerTerm WebConnect: CVE-2022-29152 (2022), stored XSS vulnerability in login portal
  • Micro Focus / Attachmate Reflection: no public CVE recorded (and no CVEs ≠ safe; it usually means no one’s looked)

I'll give you a comparison. A mainstream desktop app like Microsoft Outlook gets 100+ security vulnerabilities catalogued and patched each year, whereas a terminal emulator like Reflection, PowerTerm or HostExplorer might go a decade without a single declared CVE fix. Some embedded connection libraries around the edges (like OpenSSL or TLS) get updated quietly, but no one ever wants to scan the app itself, because 'there be dragons', and for these old-school apps the dragon slayers have all retired.

The Real Cost of Complacency

Recent UK breaches underline the price tag of soft endpoints and soft policies:

  • Marks & Spencer – a minimum of £300M hit to operating profit.
  • Co-op Group – £206M total loss, £80M operational impact.
  • Harrods – 430K customer records exposed.
  • Jaguar Land Rover – Analysts estimate $1.2–1.9B total exposure, with government bail-outs of JLR's value chain.

IBM’s 2025 Cost of a Data Breach report pegs the average at $4.44M globally and $10.22M in the U.S. Retail and industrial breaches run far higher. The weakest link isn’t the datacentre anymore; it’s the endpoint connective tissue.

The Modern Contrast

With Flynet's Jubilant Terminal Emulation, we began with the assumption that the castle wall had gone. Every endpoint, every session, every user is treated as potentially hostile.

  • Pen-testing is the 'resident in chief' of our testing pipeline: continuous, not annual.
  • Zero-trust session brokering: isolate, authenticate, expire.
  • Full telemetry: every command and macro auditable and encrypted.
  • Hardened runtime: built on Microsoft IIS, protected by 10,000+ Microsoft security engineers guarding against new and known threats.
  • Continuous patching, with security as a living discipline.

Net Net = No More Plausible Deniability

In 2025 terminal emulation should be a zero-trust-native asset that builds a hardened shell around core system access, not something that gilds open doors with invites to the land of milk and honey.

The absence of CVEs (Common Vulnerabilities & Exposures) from terminal emulator vendors is not evidence of safety. It’s evidence of complacency, inertia, ignorance and a 'just keep milking the cow whilst the sun still shines' mentality.

Legacy emulators still sit on millions of endpoints, trusted, silent, and exploitable, whilst the old castle wall has been stretched to breaking across homes, cafés, and airports. The cost of ignoring this reality is already visible in this year’s balance sheets.

It's getting too expensive to get this wrong, and someone has to be fired. What you don't hear about, or want to think about, is what did happen to the IT management staff at Harrods, M&S, Co-op and JLR. I can tell you this: disseminated, yes, disseminated. When an organisation loses that much money, someone... a lot of someones, have to pay the piper. All that fiscal frugality you thought was so good for the organisation when you sat in the chair, thinking "I will be as sparing with the company purse as I am with my food shop", was just wrong thinking.

You are often making judgements based on near-field pressures and ill-informed senior management. In future, literally point to any of the aforementioned organisations and say "that's the cost of getting this wrong". If you use terminal emulation in your organisation, ask whether it was built in this decade; if the answer is no, GET A NEW ONE.


authored by Christian Rule - Flynet's Director of Business Transformation