CVE-2026-2493
Published: 16 March 2026
Summary
CVE-2026-2493 is a high-severity Path Traversal (CWE-22) vulnerability in Zerodayinitiative (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-10 (Information Input Validation).
Deeper analysis
IceWarp collaboration software contains a directory traversal vulnerability that permits remote information disclosure on affected installations. The flaw, tracked as ZDI-CAN-25440, resides in the handling of the ticket parameter passed to the collaboration endpoint and stems from insufficient validation of user-supplied paths before they are used in file operations, enabling an unauthenticated attacker to read arbitrary files as root.
An attacker can exploit the issue over the network without credentials or user interaction by submitting a crafted path via the ticket parameter, resulting in disclosure of sensitive information stored on the server. The vulnerability carries a CVSS 3.0 base score of 7.5 reflecting high confidentiality impact with low attack complexity.
The Zero Day Initiative advisory ZDI-26-130 provides further details on the issue. The EPSS score currently stands at 0.5057, indicating substantial exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-12109
Vulnerability details
IceWarp collaboration Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of IceWarp. Authentication is not required to exploit this vulnerability. The specific flaw exists within handling of the ticket parameter provided…
more
to the collaboration endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-25440.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote directory traversal in public-facing IceWarp collaboration endpoint directly enables T1190 for initial access and T1005 for arbitrary local file reads (configs, user data) as root.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the core flaw by requiring validation of user-supplied paths like the ticket parameter prior to file operations, preventing directory traversal.
Addresses the lack of authentication requirement by limiting permitted actions on unauthenticated collaboration endpoints to reduce exploitation risk.
Enables monitoring for unauthorized information disclosures resulting from directory traversal attempts on the collaboration endpoint.