iTerm2 has been updated to fix a critical security issue that survived undisclosed for at least seven years. Attackers can achieve remote command execution on systems running a vulnerable version when the application is used to connect to a malicious source. The vulnerability was discovered following a security audit sponsored by the Mozilla Open Source Support (MOSS) program. Users are encouraged to update to version 3.3.6 or 3.7.7beta1. Mozilla published a proof-of-concept video showing how connecting to a malicious SSH server resulted in an arbitrary command being run.
Source: https://www.bleepingcomputer.com/news/security/iterm2-patches-critical-vulnerability-active-for-7-years/