CVE-2026-11967: Arbitrary code execution in MobaXterm Personal Edition (Portable)
MobaXterm Personal Edition (Portable), in its 26.3 version (Build 5154), allows arbitrary code execution by loading a malicious DLL located in the same directory as the portable executable. Because the application automatically loads the winspool.drv library from that location during startup, an attacker with local access can place a specially crafted DLL alongside the executable to be executed when the victim launches the application.
Metrics
- CVSS v4.0: 8.5
- Severity: HIGH
- Fixed in: 26.4
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a DLL hijacking vulnerability in MobaXterm Personal Edition (Portable) version 26.3 (Build 5154). Because the application loads the winspool.drv library from its own directory at startup without verifying the library's authenticity, a local attacker can drop a malicious DLL with that name into the same folder as the portable executable. When a user then launches MobaXterm, the attacker's code runs under that user's privileges, enabling full arbitrary code execution. A patched-image rebuild at version 26.4 is available on HarborGuard for environments running the affected version.
HarborGuard Coverage
- Available: Detection of CVE-2026-11967 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against container images in customer registries and CI/CD pipelines, including custom-built images that bundle the MobaXterm portable executable.
- Available: HarborGuard is capable of scoring this CVE at CVSS 8.5 (High) and weighting that score against each customer environment's compliance policy to surface the finding in the appropriate team inbox, prioritized alongside other high-severity issues in that environment.
- Available: A patched-image rebuild at MobaXterm version 26.4 becomes available on HarborGuard for any environment found running the affected 26.3 build. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite against the new image, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network path to the target is required.
- Authentication: Required
A low-privilege local account is sufficient; the attacker only needs enough access to write a file into the directory containing the portable executable.
- Victim interaction: Required
The victim must launch the MobaXterm application after the malicious DLL has been placed in the executable's directory, making this a social-engineering or opportunistic local vector.
- Attack complexity: Low
Attack complexity is low; placing the correctly named DLL alongside the executable is the only precondition, with no race conditions or special environmental factors required.
Blast Radius
- The attacker's DLL executes arbitrary code in the context of the user who launches MobaXterm, giving full read access to that user's files, credentials, and stored SSH/RDP session data.
- The attacker can write or modify files accessible to the victim user, including MobaXterm session configurations, SSH keys, and any data in directories the user owns.
- Running processes owned by the victim user can be tampered with or terminated, and the attacker can install persistent payloads such as scheduled tasks or startup entries under that user account.
How HarborGuard Handles This
Available on HarborGuard: any image found bundling MobaXterm Personal Edition (Portable) 26.3 is flagged at High severity and a rebuild against the fixed version 26.4 is made available. For customers who opt into auto-remediation, HarborGuard can execute the rebuild, run a regression test suite, and open a pull request against affected workloads; for High-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with full CVSS context and remediation guidance. Because this vulnerability requires write access to the executable's directory, teams that cannot immediately upgrade should consider restricting write permissions on the directory containing the MobaXterm portable binary as a compensating control until the rebuilt image is promoted.
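The compensating control above (restricting write access to the directory holding the portable binary) can be audited and applied with a script like the following. This is an added example, not code from the advisory or from Mobatek; it assumes the executable's directory is passed as $MobaDir, that SYSTEM, Administrators and TrustedInstaller are the only principals that should hold write rights there, and that -Harden is run from an elevated session.

```powershell
# Added example, not code from the advisory or from Mobatek. Audits the directory
# holding the MobaXterm portable executable for the two conditions the advisory
# describes: a winspool.drv planted beside the .exe, and write access on the
# directory for principals other than the trusted set below. -Harden strips
# those write ACEs (run elevated). $MobaDir and $trusted are assumptions.
param(
    [Parameter(Mandatory)][string]$MobaDir,
    [switch]$Harden
)

$findings = @()

# winspool.drv is a system library that the loader should resolve from System32;
# a copy next to the executable is exactly the planting this CVE describes.
$planted = Join-Path $MobaDir 'winspool.drv'
if (Test-Path -LiteralPath $planted) {
    $sig = Get-AuthenticodeSignature -FilePath $planted
    $findings += "winspool.drv found in $MobaDir (Authenticode status: $($sig.Status))"
}

if ($Harden) {
    # Break ACL inheritance first (keeping inherited ACEs as explicit copies) so
    # that rules removed below are not re-applied from the parent directory.
    $acl = Get-Acl -LiteralPath $MobaDir
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $MobaDir -AclObject $acl
}

# Any Allow ACE granting write, modify or full control to a non-trusted
# principal lets that principal stage the DLL.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
$trusted   = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
$acl = Get-Acl -LiteralPath $MobaDir
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($trusted -contains $ace.IdentityReference.Value) { continue }
    if (($ace.FileSystemRights -band $writeMask) -ne 0) {
        $findings += "$($ace.IdentityReference.Value) can write to $MobaDir ($($ace.FileSystemRights))"
        if ($Harden) { [void]$acl.RemoveAccessRule($ace) }
    }
}
if ($Harden) { Set-Acl -LiteralPath $MobaDir -AclObject $acl }

if ($findings.Count -eq 0) { 'No planted winspool.drv and no non-trusted write access found.' }
else { $findings }
```

Run it without -Harden first to review which principals would lose write access; users must still be able to execute and read the directory, which the script leaves untouched.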
Affected Products
- Mobatek / MobaXterm Personal Edition (Portable): 26.3 (Fixed in 26.4)
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N