Skip to main content

MobaXterm Portable EUVDEUVD-2026-36426

| CVE-2026-11967 HIGH
Uncontrolled Search Path Element (CWE-427)
2026-06-12 INCIBE GHSA-cjv2-pc8w-rjfq
8.5
CVSS 4.0 · Vendor: INCIBE
Share

Severity by source

Vendor (INCIBE) PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.3 HIGH

Local DLL plant (AV:L) is trivial once write access exists (AC:L, PR:L), but the victim must launch the application (UI:R); successful load yields full C/I/A in the user's context with no scope change.

3.1 AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (INCIBE).

CVSS VectorVendor: INCIBE

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 12, 2026 - 14:21 vuln.today

DescriptionCVE.org

MobaXterm Personal Edition (Portable), in its 26.3 version (Build 5154), allows arbitrary code execution by loading a malicious DLL located in the same directory as the portable executable. Because the application automatically loads the winspool.drv library from that location during startup, an attacker with local access can place a specially crafted DLL alongside the executable to be executed when the victim launches the application.

AnalysisAI

Arbitrary code execution in MobaXterm Personal Edition (Portable) version 26.3 Build 5154 occurs because the application loads winspool.drv from its working directory at startup, enabling classic DLL search-order hijacking. A local attacker who can write to the directory containing the portable executable can drop a malicious winspool.drv that executes in the victim's user context the next time MobaXterm is launched. No public exploit identified at time of analysis, and EPSS data was not provided, but the trivial nature of DLL planting makes weaponization straightforward.

Technical ContextAI

The vulnerability is a textbook instance of CWE-427 (Uncontrolled Search Path Element), specifically DLL search-order hijacking on Windows. MobaXterm Portable, identified by CPE cpe:2.3:a:mobatek:mobaxterm_personal_edition_(portable):*, dynamically loads winspool.drv (the Windows print spooler client library) without specifying a fully qualified path or using SetDefaultDllDirectories/LOAD_LIBRARY_SEARCH_SYSTEM32 hardening flags. Because the executable's own directory precedes System32 in the default Windows DLL search order for non-KnownDLLs, any DLL with that name placed beside MobaXterm.exe is loaded and its DllMain executed in-process under the launching user's privileges. Portable applications are particularly exposed because users routinely run them from USB drives, Downloads folders, or shared network paths where write permissions are loose.

RemediationAI

Patch available per vendor advisory: upgrade MobaXterm Personal Edition (Portable) to the fixed build referenced in the INCIBE notice at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-mobateks-mobaxterm-personal-edition-portable, and confirm the exact patched build directly with Mobatek before deploying. As compensating controls until patching, store MobaXterm.exe only in directories where standard users lack write permissions (e.g., a read-only network share or a Program Files subdirectory with locked ACLs) which prevents the planted-DLL precondition at the cost of losing some portability convenience; block execution of MobaXterm from user-writable paths such as Downloads, Desktop, and removable media via AppLocker or WDAC path rules, accepting the administrative overhead of maintaining those rules; and monitor for unexpected winspool.drv files appearing outside %SystemRoot%\System32 using EDR file-creation telemetry, which is high-fidelity since legitimate winspool.drv should only ever reside in System32.

Share

EUVD-2026-36426 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy