CVE-2026-2743
Published: 05 March 2026
Summary
CVE-2026-2743 is a critical-severity Path Traversal (CWE-22) vulnerability in Seppmail Seppmail. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 31.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Flaw remediation directly mitigates CVE-2026-2743 by identifying, patching, and testing the specific path traversal vulnerability in SeppMail's LFT feature as detailed in vendor advisories.
Information input validation enforces sanitization of file paths and names at the LFT upload interface to block path traversal sequences enabling arbitrary file writes.
Boundary protection via web application firewalls monitors and filters inbound uploads to the SeppMail web interface, blocking path traversal payloads targeting the LFT feature.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2026-2743 is an unauthenticated path traversal vulnerability in a public-facing web interface allowing arbitrary file writes and RCE, directly enabling T1190: Exploit Public-Facing Application.
NVD Description
Arbitrary File Write via Path Traversal upload to Remote Code Execution in SeppMail User Web Interface. The affected feature is the large file transfer (LFT). This issue affects SeppMail: 15.0.2.1 and before
Deeper analysisAI
CVE-2026-2743, published on 2026-03-05, is an Arbitrary File Write vulnerability via Path Traversal in the Large File Transfer (LFT) feature of the SeppMail User Web Interface, enabling Remote Code Execution. It affects SeppMail versions 15.0.2.1 and earlier. The issue is linked to CWE-22 (Path Traversal) and CWE-434 (Unrestricted Upload of File with Dangerous Type), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of authentication or user interaction requirements.
An unauthenticated remote attacker can exploit this vulnerability by uploading files through the LFT feature, leveraging path traversal to write arbitrary files to the server filesystem. This can escalate to remote code execution, granting high-impact compromise of confidentiality, integrity, and availability on the affected SeppMail instance.
Mitigation details are outlined in advisories including the SeppMail extended release notes at https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html and the Infoguard labs advisory at https://labs.infoguard.ch/advisories/seppmail.
Details
- CWE(s)