CVE-2026-11967
Deferred Deferred - Pending Action
Arbitrary Code Execution in MobaXterm Personal Edition

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
MobaXterm Personal Edition (Portable), in its 26.3 version (Build 5154), allows arbitrary code execution by loading a malicious DLL located in the same directory as the portable executable. Because the application automatically loads the winspool.drv library from that location during startup, an attacker with local access can place a specially crafted DLL alongside the executable to be executed when the victim launches the application.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-12
Last Modified
2026-06-12
Generated
2026-06-12
AI Q&A
2026-06-12
EPSS Evaluated
N/A
NVD
CVE-2026-11967
EUVD
EUVD-2026-36426
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mobatek mobaxterm 26.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-427 The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in MobaXterm Personal Edition (Portable) version 26.3 (Build 5154). The application automatically loads the winspool.drv library from the same directory as the portable executable during startup. An attacker with local access can exploit this behavior by placing a malicious DLL with the same name in that directory. When the victim launches the application, the malicious DLL is loaded and executed, allowing arbitrary code execution.

Compliance Impact

The provided information does not specify how CVE-2026-11967 affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by checking if the MobaXterm Personal Edition (Portable) version 26.3 (Build 5154) is present on the system and if there are any suspicious DLL files located in the same directory as the MobaXterm executable.

Since the vulnerability involves loading a malicious winspool.drv DLL from the executable's directory, you can look for unexpected DLL files in that directory.

  • On Windows, use the command: dir /b /a "path_to_mobaxterm_directory\*.dll" to list DLL files in the MobaXterm directory.
  • Check the version of MobaXterm by running the executable or checking its properties to confirm if it is version 26.3 (Build 5154).
  • Monitor process startup paths and loaded DLLs using tools like Process Monitor (ProcMon) from Sysinternals to detect if winspool.drv or other DLLs are loaded from unexpected locations.
Mitigation Strategies

The immediate mitigation step is to upgrade MobaXterm Personal Edition (Portable) to version 26.4 or later, where this vulnerability has been fixed by Mobatek.

Additionally, ensure that untrusted users do not have local access to the system or the directory containing the MobaXterm executable to prevent placing malicious DLLs.

As a temporary measure, avoid running the vulnerable version of MobaXterm until the update is applied.

Impact Analysis

This vulnerability can lead to arbitrary code execution on the affected system. An attacker with local access can execute malicious code with the privileges of the user running MobaXterm, potentially leading to system compromise, data theft, or further attacks within the environment.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11967. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart