CVE-2026-25866: CWE-428 Unquoted search path or element in Mobatek MobaXterm
MobaXterm versions prior to 26.1 contain an uncontrolled search path element vulnerability. The application calls WinExec to execute Notepad++ without a fully qualified executable path when opening remote files. An attacker can exploit the search path behavior by placing a malicious executable earlier in the search order, resulting in arbitrary code execution in the context of the affected user.
AI Analysis
Technical Summary
CVE-2026-25866 is an unquoted search path vulnerability (CWE-428) affecting Mobatek's MobaXterm software versions prior to 26.1. The vulnerability arises because MobaXterm calls the Windows API function WinExec to execute Notepad++ without specifying the full path to the executable. Windows resolves executable paths by searching directories in a predefined order, and if the path is unquoted and contains spaces, an attacker can place a malicious executable with the same name in a directory that appears earlier in the search order. When MobaXterm attempts to launch Notepad++, the malicious executable is run instead, resulting in arbitrary code execution under the context of the logged-in user. This flaw requires the attacker to have local access or the ability to write files to directories in the search path, but it does not require user interaction or elevated privileges beyond limited user rights. The vulnerability has a CVSS 4.0 base score of 8.5, reflecting its high impact on confidentiality, integrity, and availability, as well as its relatively low complexity to exploit. No public exploits are known at this time, but the risk remains significant due to the widespread use of MobaXterm in IT environments for remote administration and file management.
Potential Impact
The primary impact of CVE-2026-25866 is the potential for arbitrary code execution with the privileges of the affected user, which can lead to full compromise of the user's session and potentially lateral movement within an organization’s network. Since MobaXterm is widely used by system administrators and IT professionals for remote access and file operations, exploitation could allow attackers to implant persistent backdoors, steal credentials, or disrupt critical operations. The vulnerability affects confidentiality by enabling unauthorized code execution, integrity by allowing modification or replacement of executables, and availability by potentially causing denial of service or system instability. Organizations relying heavily on MobaXterm for remote management, especially those with sensitive or critical infrastructure, face increased risk of targeted attacks. The requirement for local access limits remote exploitation but does not eliminate risk in environments where attackers can gain footholds or trick users into executing malicious files.
Mitigation Recommendations
To mitigate CVE-2026-25866, organizations should immediately upgrade MobaXterm to version 26.1 or later, where the vulnerability is addressed by specifying fully qualified paths when invoking external executables. Until patching is possible, administrators should implement strict file system permissions to prevent unauthorized users from placing executables in directories that appear earlier in the Windows search path. Employ application whitelisting and endpoint detection to monitor for unexpected execution of Notepad++ or similarly named binaries. Additionally, educate users about the risks of executing files from untrusted locations and restrict local user privileges to minimize the impact of potential exploitation. Regularly audit environment variables such as PATH for unsafe or writable directories and remove or secure them. Finally, consider using alternative tools that do not exhibit this vulnerability if immediate patching is not feasible.
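The following PowerShell is an added defender-side check, not Mobatek's code and not part of this advisory: it walks the documented WinExec/CreateProcess search order for the Notepad++ executable name, reports which copy an unqualified name would resolve to, and flags any consulted directory that a standard user can write to. Note that the application directory and the current directory are searched before PATH, so auditing PATH alone is not sufficient; the MobaXterm install directory below is an assumed placeholder you must set.

```powershell
# Added example (not Mobatek's or MobaXterm's code). Lists the directories WinExec
# consults for a bare executable name, in order, shows which copy wins, and flags
# entries writable by low-privilege identities. $AppDir is a placeholder assumption.
param(
    [string]$ExeName = 'notepad++.exe',
    [string]$AppDir  = 'C:\PLACEHOLDER\MobaXterm'   # set to the real install directory
)
# Documented WinExec order: application dir, current dir, System32,
# 16-bit System dir, Windows dir, then each PATH entry.
$searchOrder = @(
    $AppDir,
    (Get-Location).Path,
    [Environment]::GetFolderPath('System'),
    (Join-Path $env:SystemRoot 'System'),
    $env:SystemRoot
) + ($env:PATH -split ';' | Where-Object { $_.Trim() -ne '' })
# Well-known SIDs for Everyone, Authenticated Users and BUILTIN\Users.
$lowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
$writeMask   = [System.Security.AccessControl.FileSystemRights]::Write
function Test-LowPrivWritable([string]$Dir) {
    try { $acl = Get-Acl -LiteralPath $Dir -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable identity: skip it
        if ($lowPrivSids -contains $sid -and ($ace.FileSystemRights -band $writeMask)) {
            return $true
        }
    }
    return $false
}
$winner = $null
for ($i = 0; $i -lt $searchOrder.Count; $i++) {
    $dir = $searchOrder[$i]
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
    $candidate = Join-Path $dir $ExeName
    $present   = Test-Path -LiteralPath $candidate -PathType Leaf
    if ($present -and -not $winner) { $winner = $candidate }   # first hit wins
    [PSCustomObject]@{
        Order        = $i + 1
        Directory    = $dir
        HasExe       = $present
        LowPrivWrite = Test-LowPrivWritable $dir
    }
}
"Unqualified '$ExeName' would resolve to: $(if ($winner) { $winner } else { '<not found>' })"
```

Any row with LowPrivWrite set to True that appears before the row holding the legitimate Notepad++ binary is a directory whose permissions should be tightened until the upgrade to 26.1 is complete.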
Affected Countries
United States, Germany, United Kingdom, France, Japan, India, Canada, Australia, South Korea, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-02-06T19:12:03.463Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69aeeccc2904315ca31bf399
Added to database: 3/9/2026, 3:52:44 PM
Last enriched: 3/9/2026, 4:07:01 PM
Last updated: 3/9/2026, 5:55:01 PM