CVE-2026-25866

MobaXterm versions prior to 26.1 contain an uncontrolled search path element vulnerability. The application calls WinExec to execute Notepad++ without a fully qualified executable path when opening remote files. An attacker can exploit the search path behavior by placing a malicious executable earlier in the search order, resulting in arbitrary code execution in the context of the affected user.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://mobaxterm.mobatek.net/download-home-edition.html	Vendor Advisory
https://www.vulncheck.com/advisories/mobaxterm-notepad-unquoted-service-path	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mobatek:mobaxterm:*:*:*:*:home:*:*:*

History

06 May 2026, 14:23

Type	Values Removed	Values Added
First Time		Mobatek Mobatek mobaxterm
References	~~() https://mobaxterm.mobatek.net/download-home-edition.html -~~	() https://mobaxterm.mobatek.net/download-home-edition.html - Vendor Advisory
References	~~() https://www.vulncheck.com/advisories/mobaxterm-notepad-unquoted-service-path -~~	() https://www.vulncheck.com/advisories/mobaxterm-notepad-unquoted-service-path - Third Party Advisory
CPE		cpe:2.3:a:mobatek:mobaxterm:::::home:::*

11 Mar 2026, 13:53

Type	Values Removed	Values Added
Summary		(es) Las versiones de MobaXterm anteriores a la 26.1 contienen una vulnerabilidad de elemento de ruta de búsqueda descontrolada. La aplicación llama a WinExec para ejecutar Notepad++ sin una ruta de ejecutable completamente calificada al abrir archivos remotos. Un atacante puede explotar el comportamiento de la ruta de búsqueda al colocar un ejecutable malicioso antes en el orden de búsqueda, lo que resulta en ejecución de código arbitrario en el contexto del usuario afectado.

09 Mar 2026, 16:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-09 16:16

Updated : 2026-05-06 14:23

NVD link : CVE-2026-25866

Mitre link : CVE-2026-25866

CVE.ORG link : CVE-2026-25866

JSON object : View

Products Affected

mobatek

mobaxterm

CWE

CWE-428

Unquoted Search Path or Element

{"id": "CVE-2026-25866", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-09T16:16:18.970", "references": [{"url": "https://mobaxterm.mobatek.net/download-home-edition.html", "tags": ["Vendor Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/mobaxterm-notepad-unquoted-service-path", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-428"}]}], "descriptions": [{"lang": "en", "value": "MobaXterm versions prior to 26.1 contain an uncontrolled search path element vulnerability. The application calls WinExec to execute Notepad++ without a fully qualified executable path when opening remote files. An attacker can exploit the search path behavior by placing a malicious executable earlier in the search order, resulting in arbitrary code execution in the context of the affected user."}, {"lang": "es", "value": "Las versiones de MobaXterm anteriores a la 26.1 contienen una vulnerabilidad de elemento de ruta de b\u00fasqueda descontrolada. La aplicaci\u00f3n llama a WinExec para ejecutar Notepad++ sin una ruta de ejecutable completamente calificada al abrir archivos remotos. Un atacante puede explotar el comportamiento de la ruta de b\u00fasqueda al colocar un ejecutable malicioso antes en el orden de b\u00fasqueda, lo que resulta en ejecuci\u00f3n de c\u00f3digo arbitrario en el contexto del usuario afectado."}], "lastModified": "2026-05-06T14:23:35.850", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mobatek:mobaxterm:*:*:*:*:home:*:*:*", "vulnerable": true, "matchCriteriaId": "BADFA52B-4659-4447-8B67-B21BD019FB2F", "versionEndExcluding": "26.1"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}