Mobatek

MobaXterm

11 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
6.5

CVE-2025-0714

  • EPSS 0.04%
  • Veröffentlicht 17.02.2025 12:15:27
  • Zuletzt bearbeitet 19.02.2025 09:15:09

The vulnerability exists in the password storage of Mobateks MobaXterm in versions below 25.0. MobaXTerm uses an initialisation vector (IV) consisting only of zero bytes and a master key to encrypt each password individually. In the default configura...

8.4

CVE-2024-48200

  • EPSS 0.05%
  • Veröffentlicht 31.10.2024 19:15:13
  • Zuletzt bearbeitet 01.11.2024 16:35:27

An issue in MobaXterm v24.2 allows a local attacker to escalate privileges and execute arbitrary code via the remove function of the MobaXterm MSI is spawning one Administrative cmd (conhost.exe)

8.1

CVE-2022-38336

Exploit
  • EPSS 0.38%
  • Veröffentlicht 06.12.2022 00:15:10
  • Zuletzt bearbeitet 24.04.2025 15:15:47

An access control issue in MobaXterm before v22.1 allows attackers to make connections to the server via the SSH or SFTP protocols without authentication.

9.1

CVE-2022-38337

  • EPSS 0.45%
  • Veröffentlicht 06.12.2022 00:15:10
  • Zuletzt bearbeitet 24.04.2025 15:15:48

When aborting a SFTP connection, MobaXterm before v22.1 sends a hardcoded password to the server. The server treats this as an invalid login attempt which can result in a Denial of Service (DoS) for the user if services like fail2ban are used.

7.5

CVE-2021-28847

  • EPSS 0.47%
  • Veröffentlicht 03.06.2021 11:15:08
  • Zuletzt bearbeitet 21.11.2024 06:00:19

MobaXterm before 21.0 allows remote servers to cause a denial of service (Windows GUI hang) via tab title change requests that are sent repeatedly at high speed, which results in many SetWindowTextA or SetWindowTextW calls.

8.8

CVE-2019-16305

Exploit
  • EPSS 0.5%
  • Veröffentlicht 14.09.2019 15:15:10
  • Zuletzt bearbeitet 21.11.2024 04:30:29

In MobaXterm 11.1 and 12.1, the protocol handler is vulnerable to command injection. A crafted link can trigger a popup asking whether the user wants to run MobaXterm to handle the link. If accepted, another popup appears asking for further confirmat...

8.8

CVE-2019-13475

Exploit
  • EPSS 0.9%
  • Veröffentlicht 09.07.2019 22:15:10
  • Zuletzt bearbeitet 21.11.2024 04:24:58

In MobaXterm 11.1, the mobaxterm: URI handler has an argument injection vulnerability that allows remote attackers to execute arbitrary commands when the user visits a specially crafted URL. Based on the available command-line arguments of the softwa...

9.8

CVE-2019-7690

Exploit
  • EPSS 0.46%
  • Veröffentlicht 13.05.2019 16:29:01
  • Zuletzt bearbeitet 21.11.2024 04:48:32

In MobaTek MobaXterm Personal Edition v11.1 Build 3860, the SSH private key and its password can be retrieved from process memory for the lifetime of the process, even after the user disconnects from the remote SSH server. This affects Passwordless A...

10

CVE-2017-15376

Exploit
  • EPSS 4.39%
  • Veröffentlicht 16.10.2017 04:29:00
  • Zuletzt bearbeitet 20.04.2025 01:37:25

The TELNET service in Mobatek MobaXterm 10.4 does not require authentication, which allows remote attackers to execute arbitrary commands via TCP port 23.

5.3

CVE-2017-6805

Exploit
  • EPSS 16.88%
  • Veröffentlicht 20.03.2017 16:59:02
  • Zuletzt bearbeitet 20.04.2025 01:37:25

Directory traversal vulnerability in the TFTP server in MobaXterm Personal Edition 9.4 allows remote attackers to read arbitrary files via a .. (dot dot) in a GET command.