Mobatek MobaXterm Home Edition Uncontrolled Search Path Vulnerability (CVE-2026-6421)
CVE-2026-6421 is an uncontrolled search path vulnerability in Mobatek MobaXterm Home Edition up to version 26.1, affecting the loading of msimg32.dll; exploitation requires local access and has high attack complexity.
Mobatek MobaXterm Home Edition up to version 26.1 is vulnerable to an uncontrolled search path issue (CVE-2026-6421) in how it loads the msimg32.dll library. This vulnerability allows a local attacker to manipulate the search path used by the application, potentially leading to arbitrary code execution. The complexity of exploitation is considered high, and it requires local access to the system. The vendor was responsive and released version 26.2 to address the vulnerability, urging users to upgrade. Public exploits are available, increasing the urgency for remediation. This vulnerability matters to defenders because successful exploitation could lead to privilege escalation or the execution of malicious code within the context of the MobaXterm application.
Attack Chain
- The attacker gains local access to a system with a vulnerable version (<= 26.1) of MobaXterm Home Edition installed.
- The attacker crafts a malicious DLL file (e.g., a replacement msimg32.dll or another DLL that msimg32.dll might load).
- The attacker places the malicious DLL in a directory that MobaXterm searches before the legitimate system directories.
- The attacker executes MobaXterm.
- When MobaXterm loads msimg32.dll, it loads the malicious DLL from the attacker-controlled directory instead of the legitimate system directory due to the uncontrolled search path.
- The malicious DLL executes arbitrary code within the context of the MobaXterm process.
- The attacker leverages the executed code to perform malicious actions, such as installing malware or escalating privileges.
- The attacker achieves persistence or further compromises the system.
Impact
Successful exploitation of CVE-2026-6421 allows a local attacker to execute arbitrary code within the context of the MobaXterm process. While the exploit requires local access and is considered to have high complexity, the availability of public exploits increases the risk. The impact of successful exploitation includes potential privilege escalation, malware installation, and further system compromise. Although specific victim counts and sectors targeted are unknown, any system running a vulnerable version of MobaXterm Home Edition is at risk.
Recommendation
- Upgrade Mobatek MobaXterm Home Edition to version 26.2 or later to patch CVE-2026-6421, as advised by the vendor.
- Implement application control policies to restrict the execution of unauthorized DLLs, mitigating the impact of uncontrolled search path vulnerabilities.
- Monitor process creation events for MobaXterm (process name: MobaXterm.exe) loading DLLs from unusual or user-writable directories using the provided Sigma rule.
Detection coverage (2 rules)
Detect MobaXterm Loading DLL from Unusual Path (severity: medium)
Detects MobaXterm loading a DLL from a non-standard directory, potentially indicating DLL hijacking.
Detect MobaXterm Loading msimg32.dll from Unusual Path (severity: high)
Detects MobaXterm loading the specific msimg32.dll from a non-standard directory, potentially indicating DLL hijacking targeting this library.
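As an added illustration of the logic behind the two detection rules above (this is not the platform's own rule or code), the following Python applies both rules to constructed Sysmon Event ID 7 image-load records; the directory allow-lists for "standard" DLL locations are assumptions that would be tuned per environment.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 7 (Image Loaded) records, trimmed to the two
# fields the rules need. Sample data only, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Mobatek\MobaXterm\MobaXterm.exe",
     "ImageLoaded": r"C:\Windows\System32\msimg32.dll"},
    {"Image": r"C:\Program Files (x86)\Mobatek\MobaXterm\MobaXterm.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\msimg32.dll"},
    {"Image": r"C:\Program Files (x86)\Mobatek\MobaXterm\MobaXterm.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\msimg32.dll"},
]

# Assumed: where the legitimate msimg32.dll lives on a default Windows install.
SYSTEM_DLL_DIRS = ("c:/windows/system32/", "c:/windows/syswow64/")
# Assumed: directories treated as "standard" for any DLL the application loads.
STANDARD_DIRS = SYSTEM_DLL_DIRS + ("c:/program files/", "c:/program files (x86)/")

def normalize(path):
    """Lower-case and use forward slashes so prefix checks are case-insensitive."""
    return path.replace("\\", "/").lower()

def classify(event):
    """Return 'high', 'medium' or None for one image-load event, mirroring the
    two rules: msimg32.dll outside the system directories is high; any other
    DLL outside the standard directories is medium."""
    image = normalize(event["Image"])
    loaded = normalize(event["ImageLoaded"])
    if not image.endswith("/mobaxterm.exe"):
        return None                      # only MobaXterm's loads are in scope
    if PureWindowsPath(event["ImageLoaded"]).name.lower() == "msimg32.dll":
        return None if loaded.startswith(SYSTEM_DLL_DIRS) else "high"
    return None if loaded.startswith(STANDARD_DIRS) else "medium"

def scan(events):
    """Return (severity, ImageLoaded) for every event that matches a rule."""
    hits = []
    for event in events:
        severity = classify(event)
        if severity:
            hits.append((severity, event["ImageLoaded"]))
    return hits

if __name__ == "__main__":
    for severity, path in scan(SAMPLE_EVENTS):
        print(f"[{severity}] MobaXterm.exe loaded {path}")
```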