PT-2025-6799 · Mobaxterm · Mobaxterm

Cirosec · Published 2025-02-17 · Updated 2025-02-19 · CVE-2025-0714

CVSS v3.1: 6.5

Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions:

MobaXterm versions prior to 25.0

Description:

The issue exists in the password storage of MobaXterm, where it uses an initialization vector (IV) consisting only of zero bytes and a master key to encrypt each password individually. In the default configuration, a derivative of the user's password is used as the master key. Since both the master key and the IV are the same for each stored password, the AES CFB ciphertext depends only on the plaintext (the password). This static IV and master key make it easier to obtain sensitive information and to decrypt data when it is stored at rest.
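The determinism described above, as an added example that is not MobaXterm's code: the same key with an all-zero IV yields identical ciphertext for identical passwords, while a fresh random IV per entry does not. Assumptions: AES-128 in full-block CFB implemented inline, a constructed key, and hypothetical function names; the random-IV variant shows the conventional remedy, not necessarily what version 25.0 does.

```python
import os

def xtime(a):  # multiply by x in GF(2^8)
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def make_sbox():  # AES S-box built from its definition (inverse + affine map)
    box, p, q = [0x63] * 256, 1, 1
    while True:
        p ^= xtime(p)  # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF
        if q & 0x80: q ^= 0x09  # q /= 3, so q stays the inverse of p
        rot = lambda n: ((q << n) | (q >> (8 - n))) & 0xFF
        box[p] = q ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4) ^ 0x63
        if p == 1: return box

SBOX = make_sbox()

def round_keys(key):  # AES-128 key schedule: 11 round keys of 16 bytes
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[i:i + 4], []) for i in range(0, 44, 4)]

def encrypt_block(rk, block):
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[s[(i + 4 * (i % 4)) % 16]] for i in range(16)]  # SubBytes + ShiftRows
        if rnd < 10:  # MixColumns, skipped in the final round
            s = [c[i] ^ c[0] ^ c[1] ^ c[2] ^ c[3] ^ xtime(c[i] ^ c[(i + 1) % 4])
                 for c in (s[j:j + 4] for j in range(0, 16, 4)) for i in range(4)]
        s = [b ^ k for b, k in zip(s, rk[rnd])]
    return bytes(s)

def cfb_encrypt(key, iv, plaintext):  # full-block CFB (segment size is an assumption)
    rk, prev, out = round_keys(key), iv, b""
    for i in range(0, len(plaintext), 16):
        prev = bytes(p ^ k for p, k in zip(plaintext[i:i + 16], encrypt_block(rk, prev)))
        out += prev
    return out

KEY, ZERO_IV = bytes(range(16)), bytes(16)  # constructed key; all-zero IV as in the advisory
def store_static_iv(pw): return cfb_encrypt(KEY, ZERO_IV, pw)  # scheme the advisory describes
def store_random_iv(pw):  # remedy: fresh IV per entry, stored alongside the ciphertext
    iv = os.urandom(16)
    return iv + cfb_encrypt(KEY, iv, pw)
```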

Recommendations:

For versions prior to 25.0, update to version 25.0 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive information stored with MobaXterm until the update can be applied.

Related Identifiers

CVE-2025-0714

Affected Products

Mobaxterm