MobaXterm protocol handler on Windows is vulnerable to command injection.

An attacker can for example craft a web page containing a malicious link that once clicked will trigger a popup that will ask to the user if he/she wants to run MobaXterm to handle the link. If accepted, another popup will appear asking further confirmation, if also this one is accepted command execution is achieved.


Pops the calculator.

PoC: Click me