CVE-2026-11879: Arbitrary code execution in MobaXterm Personal Edition (Portable)

Synopsis

This is a DLL search-order hijacking vulnerability in MobaXterm Personal Edition (Portable) version 26.3. The application loads DLLs from a predictable, user-writable temporary directory at startup before checking secure system paths, meaning a local attacker with a low-privilege account can plant a malicious DLL that runs automatically when any user on the same host launches the application. Successful exploitation gives the attacker full code execution in the context of the launching user, enabling complete read, write, and control of that user's resources. A patched-image rebuild at version 26.4 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Exploit Conditions

• Network reachabilityNot required

  The attacker needs an existing shell or process on the host; no network access to the target system is required.

• AuthenticationRequired

  Any low-privilege local account is sufficient; the attacker does not need administrative rights to write to the predictable temporary directory.

• Victim interactionNot required

  No victim interaction beyond the target user's normal launch of MobaXterm is required; the malicious DLL executes automatically on startup.

• Attack complexityDetail

  The exploit is reliable and condition-free; the temporary directory path is predictable and no race condition or special memory layout is needed.

Blast Radius

• Reads files and secrets accessible to the launching user, including SSH keys, session credentials, and any data in the user's profile.
• Writes or modifies files under the launching user's permissions, including stored session configurations and local application data.
• Executes arbitrary code persistently in the user's session, enabling installation of backdoors or lateral movement tools.
• Crashes or manipulates the MobaXterm process itself, disrupting terminal and tunneling sessions the user depends on.