CVE-2026-25866
Published: 09 March 2026
Summary
CVE-2026-25866 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in Mobatek MobaXterm. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Search Order Hijacking (T1574.008). It sits at the 4.1th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-10 (Software Usage Restrictions) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the vulnerability by requiring timely remediation through updating MobaXterm to version 26.1, which fixes the uncontrolled search path issue.
- CM-10 (Software Usage Restrictions): Restricts execution to only approved software, preventing malicious executables such as a trojanized notepad++.exe from running despite search path hijacking.
- Malicious code protection: Deploys scanning to detect and eradicate trojanized executables placed in the search path when MobaXterm attempts to launch Notepad++.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The uncontrolled search path (CWE-428) when invoking WinExec for notepad++.exe directly enables an attacker to intercept execution by placing a malicious executable earlier in the search order (CWD or preceding PATH entries), matching T1574.008 Path Interception by Search Order Hijacking.
NVD Description
MobaXterm versions prior to 26.1 contain an uncontrolled search path element vulnerability. The application calls WinExec to execute Notepad++ without a fully qualified executable path when opening remote files. An attacker can exploit the search path behavior by placing a malicious executable earlier in the search order, resulting in arbitrary code execution in the context of the affected user.
Deeper analysis
CVE-2026-25866 is an uncontrolled search path element vulnerability (CWE-428) in MobaXterm versions prior to 26.1. The issue arises when the application calls WinExec to execute Notepad++ without specifying a fully qualified executable path during the opening of remote files. This exposes the software to Windows search path hijacking, where the system prioritizes executable locations in a predictable order.
A local attacker with low privileges can exploit this by placing a malicious executable, such as a trojanized notepad++.exe, earlier in the search path—typically in the current working directory or a directory preceding the legitimate Notepad++ installation in the system's PATH environment variable. Successful exploitation results in arbitrary code execution in the context of the affected user, with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Advisories recommend updating to MobaXterm version 26.1 or later, available via the official download page at https://mobaxterm.mobatek.net/download-home-edition.html. Further technical details on the vulnerability are outlined in the VulnCheck advisory at https://www.vulncheck.com/advisories/mobaxterm-notepad-unquoted-service-path.
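As an added audit example (not code from the advisory, NVD, or MobaXterm), the following Python models the documented WinExec search order for a bare executable name and, on a constructed environment, reports which user-writable directories are searched before the real Notepad++ install, whether a preempting copy already exists, and what the fully qualified launch that the fix relies on looks like. All directory and file paths are assumed sample values.

```python
from typing import List, Optional, Set

def search_order(app_dir: str, cwd: str, windir: str, path: List[str]) -> List[str]:
    """Directories Windows searches, in order, for a bare executable name
    passed to WinExec/CreateProcess (documented order, assumed unchanged)."""
    return [app_dir, cwd, windir + r"\System32", windir + r"\System", windir, *path]

def _join(d: str, exe: str) -> str:
    return d.rstrip("\\") + "\\" + exe

def resolve(exe: str, order: List[str], present: Set[str]) -> Optional[str]:
    """First existing candidate in search order; `present` holds lowercase full paths."""
    for d in order:
        cand = _join(d, exe)
        if cand.lower() in present:
            return cand
    return None

def _before(expected_dir: str, order: List[str]) -> List[str]:
    out = []
    for d in order:
        if d.lower() == expected_dir.lower():
            break
        out.append(d)
    return out

def exposed_dirs(expected_dir: str, order: List[str], writable: Set[str]) -> List[str]:
    """Risk check: directories searched before the real install that a
    low-privileged user can write to (a CWE-428 exposure even while empty)."""
    return [d for d in _before(expected_dir, order) if d.lower() in writable]

def preempting_copies(exe: str, expected_dir: str, order: List[str], present: Set[str]) -> List[str]:
    """Detection check: copies of `exe` that already sit ahead of the real install."""
    return [_join(d, exe) for d in _before(expected_dir, order) if _join(d, exe).lower() in present]

def qualified_command(install_dir: str, exe: str, target: str) -> str:
    """The fix: launch by fully qualified, quoted path so no search happens at all."""
    return f'"{_join(install_dir, exe)}" "{target}"'

# Constructed sample environment (assumed paths, not real host data): the directory
# holding a fetched remote file is the CWD and is user-writable; Notepad++ is on PATH.
APP_DIR = r"C:\Program Files (x86)\Mobatek\MobaXterm"
CWD = r"C:\Users\alice\Downloads\remote"
NPP_DIR = r"C:\Program Files\Notepad++"
ORDER = search_order(APP_DIR, CWD, r"C:\Windows", [r"C:\Windows\System32", NPP_DIR])
PRESENT = {_join(NPP_DIR, "notepad++.exe").lower()}
WRITABLE = {CWD.lower()}

if __name__ == "__main__":
    print("bare name resolves to:", resolve("notepad++.exe", ORDER, PRESENT))
    print("writable dirs searched first:", exposed_dirs(NPP_DIR, ORDER, WRITABLE))
    print("hardened launch:", qualified_command(NPP_DIR, "notepad++.exe", r"C:\tmp\hosts"))
```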
Details
- CWE(s)