{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/mobaxterm/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7,"id":"CVE-2026-6421"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cve","vulnerability","mobaxterm","dll hijacking"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMobatek MobaXterm Home Edition up to version 26.1 is vulnerable to an uncontrolled search path issue (CVE-2026-6421) within the msimg32.dll library. This vulnerability allows a local attacker to manipulate the search path used by the application, potentially leading to arbitrary code execution. The complexity of exploitation is considered high, and it requires local access to the system. The vendor was responsive and released version 26.2 to address the vulnerability, urging users to upgrade. Public exploits are available, increasing the urgency for remediation. This vulnerability matters to defenders because successful exploitation could lead to privilege escalation or the execution of malicious code within the context of the MobaXterm application.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains local access to a system with a vulnerable version (\u0026lt;= 26.1) of MobaXterm Home Edition installed.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious DLL file (e.g., a replacement msimg32.dll or another DLL that msimg32.dll might load).\u003c/li\u003e\n\u003cli\u003eThe attacker places the malicious DLL in a directory that MobaXterm searches before the legitimate system directories.\u003c/li\u003e\n\u003cli\u003eThe attacker executes MobaXterm.\u003c/li\u003e\n\u003cli\u003eWhen MobaXterm loads msimg32.dll, it loads the malicious DLL from the attacker-controlled directory instead of the legitimate system directory due to the uncontrolled search path.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes arbitrary code within the context of the MobaXterm process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the executed code to perform malicious actions, such as installing malware or escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence or further compromises the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6421 allows a local attacker to execute arbitrary code within the context of the MobaXterm process. While the exploit requires local access and is considered to have high complexity, the availability of public exploits increases the risk. The impact of successful exploitation includes potential privilege escalation, malware installation, and further system compromise. Although specific victim counts and sectors targeted are unknown, any system running a vulnerable version of MobaXterm Home Edition is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Mobatek MobaXterm Home Edition to version 26.2 or later to patch CVE-2026-6421, as advised by the vendor.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized DLLs, mitigating the impact of uncontrolled search path vulnerabilities.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for MobaXterm (process name: MobaXterm.exe) loading DLLs from unusual or user-writable directories using the provided Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T06:16:30Z","date_published":"2026-04-17T06:16:30Z","id":"/briefs/2026-04-mobaxterm-cve-2026-6421/","summary":"CVE-2026-6421 is an uncontrolled search path vulnerability in Mobatek MobaXterm Home Edition up to version 26.1, affecting msimg32.dll, that can be exploited locally with high complexity.","title":"Mobatek MobaXterm Home Edition Uncontrolled Search Path Vulnerability (CVE-2026-6421)","url":"https://feed.craftedsignal.io/briefs/2026-04-mobaxterm-cve-2026-6421/"}],"language":"en","title":"CraftedSignal Threat Feed — Mobaxterm","version":"https://jsonfeed.org/version/1.1"}