A critical SEH-based buffer overflow in Mobatek MobaXterm 12.1 allows remote attackers to execute arbitrary code when a victim imports a crafted session file, scoring CVSS 9.8.
What Is It
CVE-2019-25741 is a structured exception handling (SEH) based buffer overflow (CWE-120) in Mobatek MobaXterm 12.1. The flaw resides in the parsing of the username field within MobaXterm session files. An attacker can craft a malicious session file containing overflow data in that field; when the file is imported and executed by MobaXterm, the overflow corrupts the SEH chain and enables arbitrary code execution, including reverse shell payloads running with the user's privileges.
The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and a CVSS v4.0 score of 9.3 (Critical) from VulnCheck. Full confidentiality, integrity, and availability impact follow successful exploitation.
Why It Matters
MobaXterm is a widely used Windows toolkit for SSH, RDP, X11, and remote administration, frequently installed on engineer, sysadmin, and DevOps workstations: exactly the population whose endpoints hold credentials and pivot paths into production environments. A weaponized .mxtsessions file delivered via phishing, shared drive, or collaboration channel can yield code execution as the importing user, making this a plausible initial-access or lateral-movement vector against technical staff. A public proof-of-concept exists on Exploit-DB (entry 47429), lowering the bar for opportunistic use.
This CVE is not currently listed in the CISA KEV catalog, so active in-the-wild exploitation has not been federally confirmed at time of writing.
What's Vulnerable
- Product: Mobatek MobaXterm
- Affected version: 12.1 (per NVD description)
- Attack vector: Network; delivery of a malicious MobaXterm sessions file
- Trigger: Import and execution of the crafted session file within MobaXterm
- Weakness: CWE-120 (Classic Buffer Overflow), SEH overwrite variant
- Outcome: Arbitrary code execution / reverse shell with user privileges
NVD does not publish a CPE list for this record at this time.
Patch Status
No vendor patch or fixed version is identified in the supplied NVD record, and no required-action guidance is provided (the CVE is not in KEV). Operators should treat untrusted MobaXterm session files as actively dangerous: do not import .mxtsessions files from unverified sources, restrict their delivery through email and file-sharing controls, and track Mobatek's release notes for a fixed build superseding 12.1.
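As an added screening example (not code from this advisory or from Mobatek), the script below inspects a .mxtsessions file before import and flags any bookmark whose '%'-separated field, including the username field described above, exceeds a sane length. The INI-style record layout, the username field index and the 128-character threshold are assumptions; adjust them if your files differ.

```python
"""Pre-import screen for MobaXterm .mxtsessions files (added example).

Flags bookmark entries that carry an oversized field, the shape of the
CVE-2019-25741 overflow data in the username field. Constructed samples
only; the record layout below is an assumption about the file format."""
import sys
from dataclasses import dataclass

# Assumed layout: INI-style sections; each bookmark value is a '%'-separated
# record of the form "#<type>#<n>%host%port%username%...".
USER_FIELD_INDEX = 3   # position of the username after splitting on '%'
MAX_FIELD_LEN = 128    # generous upper bound for any legitimate field


@dataclass
class Finding:
    section: str
    name: str
    field_index: int
    length: int


def parse_sessions(text):
    """Hand-rolled parser: configparser trips over '%' and duplicate keys."""
    entries, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        if not value.startswith("#"):      # SubRep=/ImgNum= metadata, not bookmarks
            continue
        entries.append((section, name.strip(), value.split("%")))
    return entries


def screen(text, max_len=MAX_FIELD_LEN):
    """Return a Finding for every field longer than max_len (empty list = clean)."""
    return [Finding(section, name, idx, len(field))
            for section, name, fields in parse_sessions(text)
            for idx, field in enumerate(fields) if len(field) > max_len]


# Constructed samples (abbreviated records, not real exploit content).
BENIGN = ("[Bookmarks]\nSubRep=\nImgNum=42\n"
          "prod-bastion=#109#0%bastion.example.net%22%deploy%%-1%-1%%%%%0%0%0%%%-1%0%0%0%%1080%%0%0%1#MobaFont%10\n")
SUSPECT = BENIGN.replace("%deploy%", "%" + "A" * 600 + "%")   # oversized username field

if __name__ == "__main__":
    data = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SUSPECT
    for f in screen(data):
        print(f"[{f.section}] {f.name}: field {f.field_index} is {f.length} chars (username index is {USER_FIELD_INDEX})")
```

Run it as `python screen_mxtsessions.py sessions.mxtsessions`; an empty result means no field exceeded the threshold, not that the file is safe from other tampering.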