Cyber Resilience

CVE-2026-2743

Severity: Critical
Published: 05 March 2026
Modified: 19 May 2026
KEV Added: not listed
Remediation: Patch (vendor release notes are linked under Deeper analysis)
CVSS v4.0 score: 10.0
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:X
EPSS score: 0.0084 (53.1st percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-2743 is a critical-severity Path Traversal (CWE-22) vulnerability in SeppMail (vendor: Seppmail; product: Seppmail). Its CVSS v4.0 score is 10.0 (Critical); the CVSS v3.1 base score is 9.8.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 46.9% of CVEs by exploit likelihood (EPSS 0.0084) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified map to NIST SP 800-53 Rev. 5 controls AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-2743, published on 2026-03-05, is an arbitrary file write via path traversal in the Large File Transfer (LFT) feature of the SeppMail User Web Interface that can be escalated to remote code execution. It affects SeppMail versions 15.0.2.1 and earlier. The issue is classified under CWE-22 (Path Traversal) and CWE-434 (Unrestricted Upload of File with Dangerous Type). Its CVSS v3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): the interface is reachable over the network, attack complexity is low, and neither authentication nor user interaction is required. The CVSS v4.0 vector shown above rates it 10.0.

An unauthenticated remote attacker can exploit this vulnerability by uploading files through the LFT feature, leveraging path traversal to write arbitrary files to the server filesystem. This can escalate to remote code execution, granting high-impact compromise of confidentiality, integrity, and availability on the affected SeppMail instance.
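To make the two weaknesses concrete, the following is an added example, not SeppMail's code and not derived from either advisory: an upload handler in the vulnerable shape the CVE describes (client-controlled filename joined onto the upload directory, no type check) beside a hardened version that treats the filename as an untrusted label. The directory layout, extension allowlist, filenames and payload are all constructed assumptions; the hardened handler shows the checks a reviewer would look for in any file-transfer feature, not what the vendor's patch does.

```python
"""Client-controlled filename in an upload handler: vulnerable vs hardened.
Constructed example; nothing here is SeppMail's implementation."""
import os
import re
import secrets
import tempfile
from pathlib import Path

# Assumed allowlist for a large-file-transfer feature (constructed).
ALLOWED_EXTENSIONS = {".pdf", ".zip", ".docx", ".txt"}
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


class UploadRejected(ValueError):
    """Raised by the hardened handler; callers should log the client filename."""


def vulnerable_save(upload_root: str, client_filename: str, data: bytes) -> str:
    """Trusts the client filename. '../' walks out of upload_root (CWE-22) and an
    absolute name replaces it entirely; no type check, so '.php' is accepted (CWE-434)."""
    dest = os.path.join(upload_root, client_filename)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return os.path.realpath(dest)


def hardened_save(upload_root: str, client_filename: str, data: bytes) -> str:
    """Treats the client filename as an untrusted label and never uses it on disk."""
    root = Path(upload_root).resolve()
    # 1. Reject (rather than silently strip) anything that is not a single,
    #    conservatively named path component; rejections are what you alert on.
    name = Path(client_filename).name
    if name != client_filename or name.startswith(".") or not _SAFE_NAME.match(name):
        raise UploadRejected(f"bad filename {client_filename!r}")
    # 2. Extension allowlist: nothing the web server or OS would execute.
    suffix = Path(name).suffix.lower()
    if suffix not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"type not allowed {name!r}")
    # 3. Server-chosen storage name; the original name is metadata only.
    dest = (root / f"{secrets.token_hex(16)}{suffix}").resolve()
    # 4. Containment check after resolution, in case steps 1-3 ever regress or
    #    the root itself is a symlink.
    if root not in dest.parents:
        raise UploadRejected("resolved path escapes upload root")
    # 5. O_EXCL: never overwrite an existing file, even one we created.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return str(dest)


def demo() -> dict:
    """Run both handlers against constructed inputs in a throwaway tree and report
    what happened as booleans (the tree is deleted on return)."""
    with tempfile.TemporaryDirectory() as tmp:
        uploads = os.path.join(tmp, "srv", "lft", "uploads")
        webroot = os.path.join(tmp, "srv", "www")
        os.makedirs(uploads)
        os.makedirs(webroot)
        uploads_real = os.path.realpath(uploads)
        payload = b"<?php system($_GET['c']); ?>"  # constructed stand-in for attacker content
        traversal = "../../www/shell.php"

        written = vulnerable_save(uploads, traversal, payload)
        out = {
            "vulnerable_escaped_root": os.path.commonpath([written, uploads_real]) != uploads_real,
            "vulnerable_wrote_file": os.path.isfile(os.path.join(webroot, "shell.php")),
        }
        for key, fname in (("hardened_rejected_traversal", traversal),
                           ("hardened_rejected_absolute", os.path.join(webroot, "x.pdf")),
                           ("hardened_rejected_type", "shell.php")):
            try:
                hardened_save(uploads, fname, payload)
                out[key] = False
            except UploadRejected:
                out[key] = True
        stored = hardened_save(uploads, "report.pdf", b"%PDF-1.4 constructed")
        out["hardened_accepted_benign"] = os.path.isfile(stored)
        out["hardened_stored_inside_root"] = os.path.commonpath([stored, uploads_real]) == uploads_real
        out["hardened_kept_client_name"] = os.path.basename(stored) == "report.pdf"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The vulnerable handler lands `shell.php` in the web root with a single `../../` filename; the hardened one refuses the traversal, an absolute path and a disallowed type, and stores the benign upload under a server-chosen name inside the root. Rejecting malformed names instead of sanitising them matters operationally: each rejection is a log line that tells you someone is probing the LFT endpoint.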

Mitigation details are given in the SeppMail extended release notes at https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html and in the InfoGuard Labs advisory at https://labs.infoguard.ch/advisories/seppmail.

Vulnerability details

Arbitrary File Write via Path Traversal upload to Remote Code Execution in SeppMail User Web Interface. The affected feature is the large file transfer (LFT). This issue affects SeppMail: 15.0.2.1 and before.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-2743 is an unauthenticated path traversal vulnerability in a public-facing web interface allowing arbitrary file writes and RCE, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2747 (same product: Seppmail Seppmail)
CVE-2026-27442 (same product: Seppmail Seppmail)
CVE-2026-27444 (same product: Seppmail Seppmail)
CVE-2026-27443 (same product: Seppmail Seppmail)
CVE-2026-27441 (same product: Seppmail Seppmail)
CVE-2026-29135 (same vendor: Seppmail)
CVE-2026-29134 (same vendor: Seppmail)
CVE-2026-29143 (same vendor: Seppmail)
CVE-2025-66480 (shared CWE-22, CWE-434)
CVE-2026-29131 (same vendor: Seppmail)

Affected Assets

Vendor: seppmail
Product: seppmail
Versions: ≤ 15.0.2.1

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: SI-10 (Information Input Validation). Enforces validation of file paths and content during LFT uploads to block traversal sequences and dangerous file types that enable arbitrary writes and RCE.

prevent: AC-3 (Access Enforcement). Requires authentication and enforces access policy before permitting any LFT upload actions, eliminating the unauthenticated exploitation path described in the CVE.

detect: Detects unauthorized file modifications on the server filesystem resulting from successful path-traversal writes before they lead to code execution.
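The detect control above is a file-integrity check: baseline the parts of the filesystem that should not change, then flag anything new or modified there. The following is an added example of that logic (not SeppMail's tooling and not taken from the advisories): it snapshots SHA-256 digests of a tree, excludes the directory where uploads are expected to land so legitimate transfers do not generate noise, and ranks findings so that a new or altered server-executable file under the web root, which is what a successful traversal write looks like, is reported at high priority. The tree layout, the excluded path, the executable-suffix list and the simulated events are constructed assumptions.

```python
"""File-integrity check for a web tree: baseline, compare, triage.
Constructed example; not SeppMail's detection logic."""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

# Assumed: suffixes the web server or OS would execute if dropped into the tree.
EXECUTABLE_SUFFIXES = {".php", ".cgi", ".pl", ".py", ".sh", ".jsp"}


def snapshot(root: str | Path, exclude: tuple[str, ...] = ()) -> dict[str, str]:
    """Map each regular file under root (POSIX relative path) to its SHA-256.
    Paths under any prefix in `exclude` are skipped so directories that are
    expected to change (the upload store) do not drown out the signal."""
    root_p = Path(root)
    digests: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root_p):
        for fname in files:
            path = Path(dirpath) / fname
            rel = path.relative_to(root_p).as_posix()
            if any(rel == e or rel.startswith(e + "/") for e in exclude):
                continue
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def triage(changes: dict[str, list[str]]) -> list[str]:
    """New or changed files with an executable suffix are the path-traversal-to-RCE
    signature and go out as HIGH; everything else is INFO for review."""
    alerts = []
    for kind in ("added", "modified"):
        for rel in changes[kind]:
            sev = "HIGH" if Path(rel).suffix.lower() in EXECUTABLE_SUFFIXES else "INFO"
            alerts.append(f"{sev} {kind} {rel}")
    for rel in changes["removed"]:
        alerts.append(f"INFO removed {rel}")
    return alerts


def demo() -> list[str]:
    """Build a throwaway tree, baseline it, simulate one legitimate upload and two
    hostile writes, and return the triaged alerts."""
    with tempfile.TemporaryDirectory() as tmp:
        srv = Path(tmp) / "srv"
        (srv / "www").mkdir(parents=True)
        (srv / "lft" / "uploads").mkdir(parents=True)
        (srv / "www" / "index.php").write_text("<?php echo 'ok'; ?>\n")
        baseline = snapshot(srv, exclude=("lft/uploads",))

        # Constructed events after the baseline was taken:
        (srv / "lft" / "uploads" / "report.pdf").write_bytes(b"%PDF-1.4 constructed")  # expected
        (srv / "www" / "shell.php").write_text("<?php system($_GET['c']); ?>\n")       # traversal write
        (srv / "www" / "index.php").write_text("<?php echo 'ok'; ?>\n<?php eval($_GET['x']); ?>\n")  # tampered

        current = snapshot(srv, exclude=("lft/uploads",))
        return triage(compare(baseline, current))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running the demo reports the dropped `www/shell.php` and the altered `www/index.php` at HIGH while the legitimate upload in the excluded store is silent. In production the baseline should be taken from a known-good image and stored off the appliance, and the check should run before the web server's next request cycle can execute what was written.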

References

SeppMail extended release notes 15.0: https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html
InfoGuard Labs advisory: https://labs.infoguard.ch/advisories/seppmail