Skip to main content

MobaXterm CVE-2026-25866

HIGH
Unquoted Search Path or Element (CWE-428)
2026-03-09 disclosure@vulncheck.com
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
May 06, 2026 - 14:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 06, 2026 - 14:37 vuln.today
cvss_changed
CVSS changed
May 06, 2026 - 14:37 NVD
7.8 (HIGH) 8.5 (HIGH)
Analysis Generated
Mar 12, 2026 - 21:56 vuln.today
CVE Published
Mar 09, 2026 - 16:16 nvd
HIGH 7.8

DescriptionCVE.org

MobaXterm versions prior to 26.1 contain an uncontrolled search path element vulnerability. The application calls WinExec to execute Notepad++ without a fully qualified executable path when opening remote files. An attacker can exploit the search path behavior by placing a malicious executable earlier in the search order, resulting in arbitrary code execution in the context of the affected user.

AnalysisAI

Local privilege escalation in MobaXterm before 26.1 allows authenticated users with file system write access to execute arbitrary code by DLL hijacking the Notepad++ launch process. When opening remote files, MobaXterm calls WinExec without a fully qualified path, enabling attackers to place malicious executables in the search path to achieve code execution in the victim user's context. EPSS score of 0.01% (2nd percentile) indicates low probability of imminent widespread exploitation, consistent with the local attack vector requiring pre-existing system access. No active exploitation confirmed in CISA KEV; public exploit code status unknown.

Technical ContextAI

This is a classic uncontrolled search path element (CWE-428) vulnerability, commonly called DLL hijacking or binary planting. The issue stems from MobaXterm's use of the Windows WinExec API to launch Notepad++ without specifying an absolute path. Windows DLL/executable search order prioritizes certain directories (current directory, application directory, System32, Windows directory, then PATH environment variable). The CVSS 4.0 vector indicates local attack (AV:L) with low complexity (AC:L) requiring low privileges (PR:L). The affected product CPE identifies MobaXterm Home Edition across all versions prior to 26.1. MobaXterm is a popular Windows terminal emulator and SSH client used extensively in enterprise environments for remote system administration, making it an attractive target for lateral movement scenarios where an attacker already has limited system access.

RemediationAI

Upgrade to MobaXterm version 26.1 or later, available from the vendor download page at https://mobaxterm.mobatek.net/download-home-edition.html. The vendor has addressed the uncontrolled search path issue in version 26.1 by implementing fully qualified executable paths when launching external applications. Until patching is complete, implement defense-in-depth controls: restrict file system write permissions on directories in the Windows search path (particularly the current directory and application directory) to prevent unauthorized users from planting malicious executables, noting this may impact legitimate workflows requiring file creation in these locations. Apply application whitelisting or endpoint detection and response (EDR) solutions to detect suspicious process creation chains involving MobaXterm and unexpected child processes. Limit MobaXterm usage to standard user accounts rather than privileged accounts where possible, reducing the impact of successful exploitation. For air-gapped or change-controlled environments where immediate patching is not feasible, consider temporarily replacing MobaXterm with alternative SSH/terminal clients until the upgrade maintenance window, accepting the operational disruption this may cause. Review VulnCheck advisory at https://www.vulncheck.com/advisories/mobaxterm-notepad-unquoted-service-path for additional technical details.

Share

CVE-2026-25866 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy