This post is part of an ongoing series from the Spektion Research Team documenting vulnerabilities discovered through Spektion’s runtime analysis. If your security team wants to find and fix issues like these before they become public CVEs, reach out, and we’ll show you how to do it.
Also, a big shout-out and thank you to our partners at VulnCheck for managing the disclosure process as our CNA. Read on for the full details on CVE-2026-25866.
Spektion Research has discovered a local privilege escalation vulnerability (CVE-2026-25866) in MobaXterm, a widely used terminal client for Windows. By exploiting an unquoted executable path in MobaXterm's file editor launch feature, an attacker with local filesystem access can execute arbitrary code with the privileges of the running user.
MobaXterm is a widely used terminal client for Windows, designed for IT administrators, sysadmins, and developers managing remote infrastructure.
A key convenience feature in MobaXterm is its built-in file browser. When a user connects to a remote machine over SSH, a graphical file explorer panel automatically appears, allowing them to browse the remote filesystem in a Windows Explorer-style interface.
Double-clicking a file—a configuration file, a log, or a script—triggers MobaXterm to open that file in a local text editor, by default Notepad++, or whichever editor the user has configured.
This file-open behavior is where the vulnerability lives. When MobaXterm launches the configured editor, it constructs a process creation call to open the executable, but it does not quote the executable path. This seemingly small omission is what creates the vulnerability.
This vulnerability was identified while using Spektion, our runtime exposure management platform, on an affected endpoint. Spektion monitors software behavior during execution by observing system calls, process creation events, and API activity in real time, rather than scanning files at rest.
When MobaXterm launched its configured text editor, Spektion flagged the process creation call for using an unquoted executable path. Spektion's Research Team confirmed and reproduced the issue.
The vulnerability is caused by MobaXterm calling WinExec to launch Notepad++ without a fully qualified executable path.
On Windows, when WinExec or CreateProcess is called with an unquoted path containing spaces, Windows resolves it ambiguously—walking through each space-separated token and attempting to execute at each partial path before reaching the full intended one. An attacker who can place an executable at any of those intermediate locations will have their payload run instead of the legitimate editor, with the full security context of the MobaXterm process.
To illustrate: if the configured editor path is C:\Program Files\Notepad++\notepad++.exe and passed unquoted, Windows will try C:\Program.exe first. An attacker who drops a malicious executable at that location wins.
Microsoft's CreateProcess documentation warns developers to quote paths containing spaces. This is a well-known pitfall, and this pattern is not unique to MobaXterm. Spektion has observed it across dozens of applications. For a broader look, see our research: Unquoted Paths: The Decades-Old Flaw Still Enabling Hidden Code Execution.
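As an added example (not Spektion's or Mobatek's code), the Python below lists the intermediate paths Windows would try for an unquoted editor path and reports which of them already exist, so a defender can audit an endpoint. The function names and the sample command lines are assumptions constructed for illustration; the rule that `.exe` is appended to a name without an extension follows Microsoft's CreateProcess documentation.

```python
import ntpath
import os

# Editor path from the article's illustration.
EDITOR = r"C:\Program Files\Notepad++\notepad++.exe"


def hijack_candidates(exe_path):
    """Paths Windows tries before exe_path when it is passed unquoted."""
    candidates = []
    for i, ch in enumerate(exe_path):
        if ch != " ":
            continue
        prefix = exe_path[:i]
        if not prefix or prefix.endswith((" ", "\\")):
            continue  # repeated space or empty file name: nothing new to try
        # CreateProcess appends ".exe" when the file name has no extension.
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def is_exposed(command_line, exe_path):
    """True when exe_path has a space and command_line starts with it unquoted."""
    return " " in exe_path and command_line.lstrip().startswith(exe_path)


def audit(exe_path, exists=os.path.exists):
    """Hijack candidates that are already present on disk (should be none)."""
    return [p for p in hijack_candidates(exe_path) if exists(p)]


def quoted(exe_path, argument):
    """Quoted form of the command line; assumes no embedded double quotes."""
    return '"{}" "{}"'.format(exe_path, argument)


if __name__ == "__main__":
    # Constructed sample command lines, not captured from MobaXterm.
    unsafe = EDITOR + r" C:\Temp\remote.conf"
    safe = quoted(EDITOR, r"C:\Temp\remote.conf")
    for cmd in (unsafe, safe):
        print(cmd, "-> exposed:", is_exposed(cmd, EDITOR))
    print("tried first:", hijack_candidates(EDITOR))
    print("present on this host:", audit(EDITOR))
```

Any path returned by `audit` on a real endpoint deserves investigation, since nothing legitimate normally lives at those locations.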
An attacker with local filesystem write access—whether via a low-privileged account on the machine, a compromised file share, or a secondary vulnerability that allows file placement—can drop a malicious executable at the appropriate path location. The next time any user on the machine opens a file in MobaXterm, the attacker's payload executes with that user's full privileges.
If the MobaXterm user is a local administrator or domain administrator, which is common, given that MobaXterm is a tool built for managing infrastructure, this results in full administrative code execution on the machine. From there, an attacker can dump credentials, establish persistent remote access, move laterally to connected systems, exfiltrate data, or take down services.
CVSS v4.0 Score: 8.5 (High) — CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS v3.1 Score: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-428—Unquoted Search Path or Element
Users can verify their current version in the MobaXterm title bar or via the Help > About menu.
The recommended action is to update MobaXterm to version 26.1 or later, which patches the unquoted search path by quoting the executable path at the point of process creation. Downloads are available at https://mobaxterm.mobatek.net/download.html
If an immediate update is not possible, the following interim measures reduce exposure:
Note that these mitigations reduce the attack surface but do not eliminate the vulnerability. Updating to 26.1 is the only complete fix.
This vulnerability was discovered by the Spektion Research Team while running Spektion and is disclosed in accordance with our coordinated vulnerability disclosure policy.
February 6, 2026: Spektion runtime alert flagged the unquoted path behavior. Finding confirmed and reproduced by the research team.
February 6, 2026: CVE-2026-25866 reserved by VulnCheck.
February 9, 2026: VulnCheck confirmed that Mobatek had been notified and was actively reviewing the vulnerability.
March 6, 2026: Mobatek released MobaXterm version 26.1, patching the vulnerability. Spektion Research Team is credited in the release notes.
March 9, 2026: CVE-2026-25866 was published by VulnCheck.
March 11, 2026: Public disclosure via this blog post.
The unquoted path vulnerability class has been known for decades, appears in Microsoft's own API documentation as an explicit anti-pattern, and still shows up in production software written today. This finding is a reminder that runtime behavior—what software actually does when it runs—is a fundamentally different attack surface than what static analysis or file-based scanning can see. Keeping software updated remains the most reliable defense, and runtime visibility remains the most reliable way to find what static tools miss.