CVE-2026-11879
Deferred - Pending Action
MobaXterm Portable DLL Hijacking Arbitrary Code Execution

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
MobaXterm Personal Edition (Portable), in its 26.3 version (Build 5154), allows arbitrary code execution by loading malicious DLLs from a temporary directory that is predictable and can be modified by the user. During startup, the application searches for specific DLLs in this location before resorting to the system’s secure paths, enabling an attacker with local access to place a specially crafted DLL to be executed automatically when the victim launches the application.
Affected Vendors & Products
| Vendor | Product | Version / Range |
| --- | --- | --- |
| mobatek | mobaxterm_personal_edition_portable | to 26.4 (exc) |
| mobatek | mobaxterm_personal_edition_portable | 26.4 |
CWE
| CWE ID | Description |
| --- | --- |
| CWE-427 | The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. |
Executive Summary

CVE-2026-11879 is a vulnerability in MobaXterm Personal Edition (Portable) version 26.3 (Build 5154) that allows arbitrary code execution. The issue arises because the application loads DLL files from a temporary directory that is predictable and can be modified by a local user. During startup, MobaXterm searches for specific DLLs in this temporary directory before checking the system's secure paths. An attacker with local access can place a specially crafted malicious DLL in this directory, which the application will then load and execute automatically when launched.

Impact Analysis

This vulnerability can have a significant impact because it allows an attacker with local access to execute arbitrary code on the affected system. This means the attacker could potentially run malicious software with the privileges of the user running MobaXterm, leading to unauthorized actions such as data theft, system compromise, or further malware installation.

Detection Guidance

This vulnerability involves loading malicious DLLs from a predictable temporary directory during the startup of MobaXterm Personal Edition (Portable) version 26.3 (Build 5154). Detection would require checking for the presence of unexpected or suspicious DLL files in the temporary directory used by the application.

Since the vulnerability requires local access and involves DLLs in a specific temporary directory, you can inspect that directory for unauthorized DLL files.

  • On Windows, use commands like `dir %TEMP%\*.dll` in Command Prompt or `Get-ChildItem $env:TEMP\*.dll` in PowerShell to list DLL files in the temporary directory.
  • Check the timestamps and origins of DLL files found there to identify any suspicious or recently added files that could be malicious.
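
The directory check in the list above, extended into a triage inventory; this is an added example, not part of the advisory or any vendor tooling. It assumes the whole of `$env:TEMP` is in scope because the page does not name MobaXterm's exact temporary subdirectory, and the function name, parameters and 7-day threshold are hypothetical.

```powershell
# Added example: inventory DLLs under a temp directory for review (defensive triage only).
# Assumption: the advisory does not name the exact temp subdirectory, so this walks
# all of $env:TEMP; pass -Root to narrow it once the real path is known.
function Get-TempDllTriage {
    param(
        [string]$Root = $env:TEMP,
        [int]$RecentDays = 7          # constructed threshold, tune per environment
    )

    $cutoff = (Get-Date).AddDays(-$RecentDays)

    Get-ChildItem -LiteralPath $Root -Filter '*.dll' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Authenticode status: Valid, NotSigned, HashMismatch, NotTrusted, ...
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            # Hash lets you compare against a known-good copy or an allowlist
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            # Owner shows which account dropped the file
            $acl  = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue

            [pscustomobject]@{
                Path            = $_.FullName
                Created         = $_.CreationTime
                Modified        = $_.LastWriteTime
                Owner           = $acl.Owner
                SignatureStatus = $sig.Status
                Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                SHA256          = $hash.Hash
                Recent          = ($_.CreationTime -gt $cutoff) -or ($_.LastWriteTime -gt $cutoff)
                # Anything without a valid signature is queued for a human to look at
                NeedsReview     = ($sig.Status -ne 'Valid')
            }
        }
}

# Newest files first; unsigned and recently written entries are the ones to check
Get-TempDllTriage |
    Sort-Object Modified -Descending |
    Format-Table -AutoSize Path, Modified, Owner, SignatureStatus, Recent, NeedsReview
```

A `NeedsReview` flag marks a file for inspection, not a verdict; compare the hash and owner against what a clean installation produces on the same host.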

Monitoring the startup behavior of MobaXterm for loading DLLs from the temporary directory can also help detect exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to update MobaXterm Personal Edition (Portable) from version 26.3 (Build 5154) to version 26.4 or later, where this vulnerability has been fixed by Mobatek.

Until the update can be applied, restrict local access to the system to trusted users only, as exploitation requires local access.

Additionally, monitor and restrict write permissions to the temporary directory used by MobaXterm to prevent unauthorized DLL placement.
