Cyber Resilience

CVE-2026-2493

High

Published: 16 March 2026

Published
16 March 2026
Modified
16 March 2026
KEV Added
Patch
CVSS Score v3 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.5057 97.9th percentile
Risk Priority 45 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2493 is a high-severity Path Traversal (CWE-22) vulnerability in Zerodayinitiative (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-10 (Information Input Validation).

Deeper analysis

IceWarp collaboration software contains a directory traversal vulnerability that permits remote information disclosure on affected installations. The flaw, tracked as ZDI-CAN-25440, resides in the handling of the ticket parameter passed to the collaboration endpoint and stems from insufficient validation of user-supplied paths before they are used in file operations, enabling an unauthenticated attacker to read arbitrary files as root.

An attacker can exploit the issue over the network without credentials or user interaction by submitting a crafted path via the ticket parameter, resulting in disclosure of sensitive information stored on the server. The vulnerability carries a CVSS 3.0 base score of 7.5 reflecting high confidentiality impact with low attack complexity.

The Zero Day Initiative advisory ZDI-26-130 provides further details on the issue. The EPSS score currently stands at 0.5057, indicating substantial exploitation interest.

EU & UK References

Vulnerability details

IceWarp collaboration Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of IceWarp. Authentication is not required to exploit this vulnerability. The specific flaw exists within handling of the ticket parameter provided…

more

to the collaboration endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-25440.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Unauthenticated remote directory traversal in public-facing IceWarp collaboration endpoint directly enables T1190 for initial access and T1005 for arbitrary local file reads (configs, user data) as root.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-12824Shared CWE-22
CVE-2026-25965Shared CWE-22
CVE-2025-30567Shared CWE-22
CVE-2025-27098Shared CWE-22
CVE-2024-55457Shared CWE-22
CVE-2026-35485Shared CWE-22
CVE-2024-54909Shared CWE-22
CVE-2026-3405Shared CWE-22
CVE-2025-41368Shared CWE-22
CVE-2026-23850Shared CWE-22

Affected Assets

Zerodayinitiative
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the core flaw by requiring validation of user-supplied paths like the ticket parameter prior to file operations, preventing directory traversal.

prevent

Addresses the lack of authentication requirement by limiting permitted actions on unauthenticated collaboration endpoints to reduce exploitation risk.

detect

Enables monitoring for unauthorized information disclosures resulting from directory traversal attempts on the collaboration endpoint.

References