VYPR
High severity · NVD Advisory · Published Jun 12, 2026 · Updated Jun 12, 2026

CVE-2026-11967

Description

MobaXterm Portable 26.3 (Build 5154) loads winspool.drv from the executable's directory, enabling local DLL hijacking and arbitrary code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

MobaXterm Personal Edition (Portable) version 26.3 (Build 5154) automatically loads the winspool.drv library from the same directory as the portable executable during startup, bypassing secure system search paths. This behavior constitutes a DLL hijacking vulnerability (CWE-427) that allows an attacker to execute arbitrary code by placing a malicious DLL in that directory. The affected version is explicitly 26.3 (Build 5154) as confirmed in the advisory [1].

Exploitation

An attacker with local access (low privileges) can place a specially crafted winspool.drv DLL in the same directory as the MobaXterm portable executable. No additional user interaction is required beyond the victim launching the application. Upon startup, MobaXterm loads the malicious DLL, executing the attacker's code with the victim's privileges [1].

Impact

Successful exploitation results in arbitrary code execution in the context of the user running MobaXterm. The impact on confidentiality, integrity, and availability is rated high (CVSS v4.0 base score 8.5). This can lead to full compromise of the user's data, credentials, and system [1].

Mitigation

Mobatek has fixed the vulnerability in version 26.4. Users are strongly advised to upgrade to the latest version. No workarounds are provided in the advisory. The vulnerability is not listed on the CISA KEV as of publication [1].
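A check a defender can run against a portable install directory while the upgrade is rolled out, added here as an example (not code from the advisory or from Mobatek): it flags any library file sitting next to the executable whose name also exists in the Windows system directory, which generalizes the winspool.drv case described above. The function name, its parameters and the sample directories are assumptions constructed for illustration.

```python
import os
import tempfile


def find_shadowing_libraries(app_dir, system_dir, extensions=(".dll", ".drv")):
    """Return library files in app_dir whose name also exists in system_dir.

    A file such as winspool.drv normally lives only in the system directory;
    a same-named copy beside a portable executable would be loaded first by
    an application that searches its own directory, so it deserves review.
    """
    # Windows file names are case-insensitive, so compare lower-cased names.
    system_names = {name.lower() for name in os.listdir(system_dir)}
    findings = []
    for name in sorted(os.listdir(app_dir)):
        if not os.path.isfile(os.path.join(app_dir, name)):
            continue
        lowered = name.lower()
        if lowered.endswith(extensions) and lowered in system_names:
            findings.append(name)
    return findings


def _touch(directory, name):
    with open(os.path.join(directory, name), "wb"):
        pass


def demo():
    """Run the check on constructed sample directories (not real paths)."""
    with tempfile.TemporaryDirectory() as root:
        system_dir = os.path.join(root, "System32")   # stand-in for %SystemRoot%\System32
        app_dir = os.path.join(root, "portable_app")  # stand-in for the portable folder
        os.makedirs(system_dir)
        os.makedirs(app_dir)
        for name in ("winspool.drv", "kernel32.dll"):
            _touch(system_dir, name)
        # Constructed contents: one shadowing file, one private plugin, one text file.
        for name in ("app.exe", "WinSpool.drv", "plugin.dll", "notes.txt"):
            _touch(app_dir, name)
        return find_shadowing_libraries(app_dir, system_dir)


if __name__ == "__main__":
    # On a real host, pass the portable folder and
    # os.path.join(os.environ["SystemRoot"], "System32") instead of the demo.
    print(demo())
```

Some applications legitimately ship private copies of libraries, so treat each finding as a prompt to check the file's signature and origin rather than as proof of tampering.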

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
