MobaXterm
CVE-2026-25866
HIGH
Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
MobaXterm versions prior to 26.1 contain an uncontrolled search path element vulnerability. The application calls WinExec to execute Notepad++ without a fully qualified executable path when opening remote files. An attacker can exploit the search path behavior by placing a malicious executable earlier in the search order, resulting in arbitrary code execution in the context of the affected user.
AnalysisAI
Local privilege escalation in MobaXterm before 26.1 allows authenticated users with file system write access to execute arbitrary code by DLL hijacking the Notepad++ launch process. When opening remote files, MobaXterm calls WinExec without a fully qualified path, enabling attackers to place malicious executables in the search path to achieve code execution in the victim user's context. EPSS score of 0.01% (2nd percentile) indicates low probability of imminent widespread exploitation, consistent with the local attack vector requiring pre-existing system access. No active exploitation confirmed in CISA KEV; public exploit code status unknown.
Technical ContextAI
This is a classic uncontrolled search path element (CWE-428) vulnerability, commonly called DLL hijacking or binary planting. The issue stems from MobaXterm's use of the Windows WinExec API to launch Notepad++ without specifying an absolute path. Windows DLL/executable search order prioritizes certain directories (current directory, application directory, System32, Windows directory, then PATH environment variable). The CVSS 4.0 vector indicates local attack (AV:L) with low complexity (AC:L) requiring low privileges (PR:L). The affected product CPE identifies MobaXterm Home Edition across all versions prior to 26.1. MobaXterm is a popular Windows terminal emulator and SSH client used extensively in enterprise environments for remote system administration, making it an attractive target for lateral movement scenarios where an attacker already has limited system access.
RemediationAI
Upgrade to MobaXterm version 26.1 or later, available from the vendor download page at https://mobaxterm.mobatek.net/download-home-edition.html. The vendor has addressed the uncontrolled search path issue in version 26.1 by implementing fully qualified executable paths when launching external applications. Until patching is complete, implement defense-in-depth controls: restrict file system write permissions on directories in the Windows search path (particularly the current directory and application directory) to prevent unauthorized users from planting malicious executables, noting this may impact legitimate workflows requiring file creation in these locations. Apply application whitelisting or endpoint detection and response (EDR) solutions to detect suspicious process creation chains involving MobaXterm and unexpected child processes. Limit MobaXterm usage to standard user accounts rather than privileged accounts where possible, reducing the impact of successful exploitation. For air-gapped or change-controlled environments where immediate patching is not feasible, consider temporarily replacing MobaXterm with alternative SSH/terminal clients until the upgrade maintenance window, accepting the operational disruption this may cause. Review VulnCheck advisory at https://www.vulncheck.com/advisories/mobaxterm-notepad-unquoted-service-path for additional technical details.
The TELNET service in Mobatek MobaXterm 10.4 does not require authentication, which allows remote attackers to execute a
In MobaTek MobaXterm Personal Edition v11.1 Build 3860, the SSH private key and its password can be retrieved from proce
In MobaXterm 11.1 and 12.1, the protocol handler is vulnerable to command injection. Rated high severity (CVSS 8.8), thi
In MobaXterm 11.1, the mobaxterm: URI handler has an argument injection vulnerability that allows remote attackers to ex
Directory traversal vulnerability in the TFTP server in MobaXterm Personal Edition 9.4 allows remote attackers to read a
An access control issue in MobaXterm before v22.1 allows attackers to make connections to the server via the SSH or SFTP
When aborting a SFTP connection, MobaXterm before v22.1 sends a hardcoded password to the server. Rated critical severit
The default configuration of the server in MobaXterm before 8.3 has a disabled Access Control setting and consequently d
MobaXterm before 21.0 allows remote servers to cause a denial of service (Windows GUI hang) via tab title change request
Same weakness CWE-428 – Unquoted Search Path or Element
View allShare
External POC / Exploit Code
Leaving vuln.today