MobaXterm
cpe:2.3:a:mobatek:mobaxterm:*:*:*:*:*:*:*
- <= 26.0
A vulnerability exists in MobaXterm versions prior to 26.1, where an uncontrolled search path element allows for arbitrary code execution. The application executes Notepad++ using WinExec without a fully qualified path when opening remote files. This behavior can be exploited by placing a malicious executable earlier in the search order, leading to code execution in the context of the affected user.
Exploitation of this vulnerability allows for arbitrary code execution on the affected system, executed with the privileges of the user running MobaXterm.
To reproduce this vulnerability, first install a version of MobaXterm prior to 26.1. Then, place a malicious executable in a location that is earlier in the search path order than Notepad++. When MobaXterm is used to open a remote file, the application will execute the malicious executable instead of Notepad++, because the program name is resolved through the uncontrolled search path rather than a fully qualified path. This can be verified by observing the execution of the malicious code in the context of the user.
Users can update to MobaXterm version 26.1 or later, where this vulnerability has been fixed.
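The following added example (not MobaXterm or vendor code) models the documented Windows search order for a bare program name passed to WinExec, and reports which file resolves first and which directories are probed before the legitimate install directory. The file name `notepad++.exe`, the directory layout and all function names are assumptions made for illustration; on a real host, pass the actual application directory, working directory, Windows directory and `PATH` value.

```python
import os
import tempfile

def search_order(app_dir, cwd, windir, path_env):
    # Documented order for a bare name given to WinExec/CreateProcess:
    # application dir, current dir, System32, 16-bit System, Windows dir, PATH.
    fixed = [app_dir, cwd, os.path.join(windir, "System32"),
             os.path.join(windir, "System"), windir]
    return fixed + [p for p in path_env.split(";") if p]

def find_in(directory, name):
    # Case-insensitive match, as on NTFS; missing directories are skipped.
    try:
        for entry in os.listdir(directory):
            if entry.lower() == name.lower():
                return os.path.join(directory, entry)
    except OSError:
        pass
    return None

def audit(name, expected_dir, order):
    # The first hit wins, as it does when the bare name is resolved.
    resolved = next((p for d in order if (p := find_in(d, name))), None)
    expected = find_in(expected_dir, name)
    norm = lambda p: os.path.normcase(os.path.abspath(p))
    ahead = []
    for d in order:
        if norm(d) == norm(expected_dir):
            break
        ahead.append(d)  # every directory here must not be user-writable
    return {"resolved": resolved,
            "shadowed": resolved is not None and resolved != expected,
            "probed_before_expected": ahead}

def demo():
    # Constructed layout in a temp dir; all paths and file names are assumptions.
    root = tempfile.mkdtemp()
    dirs = {k: os.path.join(root, k) for k in ("moba", "work", "Windows", "npp")}
    for d in dirs.values():
        os.makedirs(d)
    open(os.path.join(dirs["npp"], "notepad++.exe"), "w").close()
    order = search_order(dirs["moba"], dirs["work"], dirs["Windows"], dirs["npp"])
    clean = audit("notepad++.exe", dirs["npp"], order)
    # An empty same-named placeholder in the working directory shadows the real one.
    open(os.path.join(dirs["work"], "Notepad++.EXE"), "w").close()
    return clean, audit("notepad++.exe", dirs["npp"], order)

if __name__ == "__main__":
    for result in demo():
        print(result["shadowed"], result["resolved"])
```

A non-empty `probed_before_expected` list is the set of directories whose write permissions matter on hosts that cannot yet be updated to 26.1.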