CVE-2026-25866
📋 TL;DR
MobaXterm versions before 26.1 contain a path search order vulnerability where the application executes Notepad++ without specifying the full executable path. This allows attackers to place malicious executables in directories searched before the legitimate Notepad++ installation, leading to arbitrary code execution as the current user. All users running vulnerable MobaXterm versions on Windows are affected.
💻 Affected Systems
- MobaXterm
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via arbitrary code execution with user privileges, potentially leading to privilege escalation, data theft, or ransomware deployment.
Likely Case
Local attacker gains code execution in user context, enabling credential theft, lateral movement, or persistence establishment.
If Mitigated
Limited impact with proper application whitelisting, restricted user permissions, and controlled directory permissions.
🎯 Exploit Status
Exploitation requires local access or ability to place files in search path directories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 26.1 and later
Vendor Advisory: https://mobaxterm.mobatek.net/download-home-edition.html
Restart Required: Yes
Instructions:
1. Download MobaXterm version 26.1 or newer from the official website.
2. Install over the existing version.
3. Restart the system, or at least the MobaXterm application.
🔧 Temporary Workarounds
Restrict write permissions to search path directories
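Windows: Prevent attackers from placing malicious executables in directories searched before the Notepad++ installation. A deny entry for Everyone also applies to administrators and SYSTEM, so test these ACLs on a non-production machine before deploying them.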
icacls "C:\Windows" /deny Everyone:(OI)(CI)W
icacls "C:\Windows\System32" /deny Everyone:(OI)(CI)W
icacls "%USERPROFILE%" /deny Everyone:(OI)(CI)W
Create Notepad++ placeholder executable
Windows: Place a legitimate notepad++.exe in a directory that appears earlier in search order than attacker-controlled locations.
copy "C:\Program Files\Notepad++\notepad++.exe" "C:\Windows\notepad++.exe"
🧯 If You Can't Patch
- Implement application control/whitelisting to prevent execution of unauthorized binaries.
- Use least privilege accounts and restrict write access to system and user directories.
🔍 How to Verify
Check if Vulnerable:
Check the MobaXterm version in Help > About. If the version is below 26.1, the system is vulnerable.
Check Version:
wmic product where "name like 'MobaXterm%'" get version
Verify Fix Applied:
Confirm MobaXterm version is 26.1 or higher in Help > About dialog.
📡 Detection & Monitoring
Log Indicators:
- Process creation events for notepad++.exe from unexpected locations
- MobaXterm spawning unexpected child processes
Network Indicators:
- Unusual outbound connections following MobaXterm execution
SIEM Query:
Process Creation: (ImagePath contains "notepad++.exe" AND ParentImage contains "MobaXterm")
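The query above matches every notepad++.exe started by MobaXterm, legitimate launches included, while the log indicator concerns the launch location. The following Python triage is an added example (not from the advisory or the vendor) that keeps only events whose image path falls outside the expected Notepad++ install directories. It assumes Sysmon Event ID 1 field names; the expected-directory list, hosts and sample events are constructed.

```python
import ntpath

# Assumption: directories where a legitimate Notepad++ install is expected.
# Only the first path appears in the advisory; the (x86) path is assumed.
EXPECTED_DIRS = frozenset({
    r"c:\program files\notepad++",
    r"c:\program files (x86)\notepad++",
})

def _norm(path):
    """Normalise a Windows path: strip quotes, resolve '..', fold case."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))

def is_suspicious(event, expected_dirs=EXPECTED_DIRS):
    """True when MobaXterm started a notepad++.exe outside the expected dirs."""
    image = _norm(event.get("Image", ""))
    parent = _norm(event.get("ParentImage", ""))
    if ntpath.basename(image) != "notepad++.exe":
        return False
    if not ntpath.basename(parent).startswith("mobaxterm"):
        return False
    return ntpath.dirname(image) not in expected_dirs

def triage(events, expected_dirs=EXPECTED_DIRS):
    """Return (host, image path) for each event that needs review."""
    return [(e["Computer"], e["Image"])
            for e in events if is_suspicious(e, expected_dirs)]

# Constructed sample events using Sysmon Event ID 1 field names; hosts,
# users and the MobaXterm install paths are made up for illustration.
MOBA = r"C:\Program Files (x86)\Mobatek\MobaXterm\MobaXterm.exe"
SAMPLE_EVENTS = [
    {"Computer": "WS-01", "ParentImage": MOBA,
     "Image": r"C:\Program Files\Notepad++\notepad++.exe"},
    {"Computer": "WS-02", "ParentImage": r"C:\Tools\MobaXterm_Personal.exe",
     "Image": r"C:\Tools\notepad++.exe"},
    {"Computer": "WS-03", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\alice\Downloads\notepad++.exe"},
    {"Computer": "WS-04", "ParentImage": MOBA,
     "Image": r"C:\PROGRAM FILES\Notepad++\..\..\Users\Public\Notepad++.EXE"},
]

if __name__ == "__main__":
    for host, image in triage(SAMPLE_EVENTS):
        print(f"REVIEW {host}: {image}")
```

If the placeholder workaround is in use, pass an `expected_dirs` set that also contains `c:\windows`, otherwise the placeholder copy is reported on every launch.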