Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local write access as a low-priv user (AV:L/PR:L), reliable DLL planting (AC:L), but execution waits for the victim to launch MobaXterm (UI:R); full C/I/A in victim's context, no scope change.
Primary rating from Vendor (INCIBE).
CVSS VectorVendor: INCIBE
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
MobaXterm Personal Edition (Portable), in its 26.3 version (Build 5154), allows arbitrary code execution by loading malicious DLLs from a temporary directory that is predictable and can be modified by the user. During startup, the application searches for specific DLLs in this location before resorting to the system’s secure paths, enabling an attacker with local access to place a specially crafted DLL to be executed automatically when the victim launches the application.
AnalysisAI
Arbitrary code execution in MobaXterm Personal Edition (Portable) 26.3 Build 5154 occurs because the application loads DLLs from a predictable, user-writable temporary directory before falling back to secure system paths. A local attacker who can drop a crafted DLL into that path achieves code execution under the victim's account when MobaXterm is next launched. No public exploit identified at time of analysis, and the issue is not on CISA KEV.
Technical ContextAI
The flaw is a CWE-427 Uncontrolled Search Path Element (DLL search-order/sideloading) issue. MobaXterm Portable, distributed as a single self-contained executable for SSH/X11/RDP sessions, unpacks supporting DLLs into a temporary working directory at startup. Because that directory location is deterministic and writable by the running user, Windows' LoadLibrary resolves the planted DLL ahead of the genuine ones in System32, allowing the attacker's code to be mapped into the trusted process. The affected product per CPE is cpe:2.3:a:mobatek:mobaxterm_personal_edition_(portable), specifically the 26.3 (Build 5154) release of the portable variant; the installed edition is not referenced in the CPE.
RemediationAI
Patch available per vendor advisory: upgrade MobaXterm Personal Edition (Portable) to the fixed build referenced in the INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-mobateks-mobaxterm-personal-edition-portable; an exact fixed version is not independently confirmed in the supplied data, so verify against Mobatek's release notes before deployment. Until patched, run MobaXterm Portable only from a per-user directory that no other account can write to, redirect its temporary unpack directory (MOBANOAUTOUPDATE / TEMP override) to an ACL-restricted path, and block execution from world-writable locations using AppLocker or WDAC rules - accepting that those rules may also break other portable tooling. On multi-user or jump hosts, prefer the installed edition under Program Files where standard users cannot write, or remove the portable build entirely.
Same weakness CWE-427 – Uncontrolled Search Path Element
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36425
GHSA-9626-78xh-92cx