Impact
MobaXterm versions before 26.1 allow an attacker to run arbitrary code through an unquoted search path weakness (CWE-428). When the application opens a remote file for editing, it calls WinExec on Notepad++ with a bare executable name rather than a fully qualified, quoted path. WinExec hands that command line to CreateProcess, which resolves the name through the standard Windows search order: the directory the application was loaded from, the current directory, the Windows system directories, and finally each directory listed in the user's PATH. An attacker who can write to any directory that is searched before the genuine Notepad++ location can plant a binary with the same name, and MobaXterm will launch that binary instead, in the security context of the current user. CWE-428 (Unquoted Search Path or Element) is the weakness assigned here: because the executable is named without a fully qualified, quoted path, the operating system's search order, not the application, decides which file actually runs.
Affected Systems
The vulnerability affects the Mobatek MobaXterm client on Windows in all versions prior to 26.1. Users of those versions are exposed whenever they open a remote file through the application, since that is the code path that invokes Notepad++. The weakness lies in MobaXterm's own launch code, not in Notepad++ or in Windows, and no other application on the system is affected by it.
Risk and Exploitability
The CVSS base score of 8.5 places the flaw in the high severity band. Its EPSS score of under 1 % indicates a low observed likelihood of exploitation, which is consistent with what exploitation requires: the attacker must first be able to place an executable in a directory that Windows searches before the genuine Notepad++ location, such as a user-writable directory on PATH or the working directory MobaXterm is launched from, or must control the remote file system in a way that affects that ordering. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Once the planted binary is in place, it runs the next time the user opens a remote file, giving the attacker code execution with the permissions of the user running MobaXterm; on an account with administrative rights, that is effectively full control of the host. Upgrading to MobaXterm 26.1 or later addresses the issue.
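The practical question for a defender is whether any directory the current user can write to sits ahead of the real Notepad++ in the search order described above. The following PowerShell script is an added example, not code from the advisory, OpenCVE or Mobatek: it reconstructs the CreateProcess search order for an unqualified name, reports where that name would resolve, and flags every earlier directory the current user can write to. The default `-AppDir` (a MobaXterm install location under Program Files) and the `-ExeName` default are assumptions; pass the real install directory for an accurate result.

```powershell
# Added example, not part of the advisory or MobaXterm. Audits where an unqualified
# executable name (here notepad++.exe) would resolve when launched via WinExec, and
# which directories earlier in that search order are writable by the current user.
param(
    # Assumption: adjust to the directory MobaXterm.exe actually runs from.
    [string]$AppDir  = (Join-Path $env:ProgramFiles 'Mobatek\MobaXterm'),
    [string]$ExeName = 'notepad++.exe'
)

function Get-ProcessSearchOrder {
    # CreateProcess search order when no application path is given:
    # app directory, current directory, System32, Windows\System, Windows, then PATH.
    param([string]$AppDir)
    $order = [System.Collections.Generic.List[string]]::new()
    $order.Add($AppDir)
    $order.Add((Get-Location).Path)
    $order.Add([Environment]::SystemDirectory)
    $order.Add((Join-Path $env:SystemRoot 'System'))
    $order.Add($env:SystemRoot)
    foreach ($d in ($env:PATH -split ';')) {
        $d = $d.Trim().TrimEnd('\')
        if ($d) { $order.Add($d) }
    }
    return $order
}

function Test-DirectoryWritable {
    # Probe with a real file write; ACL inspection alone misses inherited denies.
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ('probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

$order    = Get-ProcessSearchOrder -AppDir $AppDir
$resolved = $null
$i        = 0
foreach ($dir in $order) {
    $i++
    $candidate = Join-Path $dir $ExeName
    $exists    = Test-Path -LiteralPath $candidate -PathType Leaf
    $writable  = Test-DirectoryWritable -Dir $dir
    $flag = ''
    if ($exists -and -not $resolved) {
        $resolved = $candidate
        $flag = '<-- name resolves here'
    } elseif (-not $resolved -and $writable) {
        $flag = '!! user-writable and searched before the real binary'
    }
    '{0,2}. {1,-55} exists={2,-5} writable={3,-5} {4}' -f $i, $dir, $exists, $writable, $flag
}
if (-not $resolved) {
    "No $ExeName found anywhere on the search path; a copy planted in any writable directory above would be the one that runs."
}
```

Run it from a PowerShell prompt as the user who launches MobaXterm, since the result depends on that user's PATH, working directory and write permissions. Every line flagged as user-writable before the resolution line is a location where a planted `notepad++.exe` would be picked up; those directories should be removed from PATH or have their ACLs tightened until the application is upgraded. The same audit applies to any program that launches a helper by bare name, which is why the durable fix is for the application to call a fully qualified, quoted path.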
OpenCVE Enrichment