Cyber Posture

CVE-2026-2743

Critical

Published: 05 March 2026

Modified: 09 March 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0057 (68.6th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

Arbitrary file write via path traversal in file upload, leading to remote code execution, in the SeppMail User Web Interface. The affected feature is the large file transfer (LFT). This issue affects SeppMail 15.0.2.1 and earlier.

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: Flaw remediation directly mitigates CVE-2026-2743 by identifying, patching, and testing the specific path traversal vulnerability in SeppMail's LFT feature as detailed in vendor advisories.

Prevent: Information input validation enforces sanitization of file paths and names at the LFT upload interface to block path traversal sequences enabling arbitrary file writes.

Prevent: Boundary protection via web application firewalls monitors and filters inbound uploads to the SeppMail web interface, blocking path traversal payloads targeting the LFT feature.

Security Summary [AI]

CVE-2026-2743, published on 2026-03-05, is an Arbitrary File Write vulnerability via Path Traversal in the Large File Transfer (LFT) feature of the SeppMail User Web Interface, enabling Remote Code Execution. It affects SeppMail versions 15.0.2.1 and earlier. The issue is linked to CWE-22 (Path Traversal) and CWE-434 (Unrestricted Upload of File with Dangerous Type), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of authentication or user interaction requirements.

An unauthenticated remote attacker can exploit this vulnerability by uploading files through the LFT feature, leveraging path traversal to write arbitrary files to the server filesystem. This can escalate to remote code execution, granting high-impact compromise of confidentiality, integrity, and availability on the affected SeppMail instance.

Mitigation details are outlined in advisories including the SeppMail extended release notes at https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html and the Infoguard labs advisory at https://labs.infoguard.ch/advisories/seppmail.

Details

CWE(s)

Affected Products

seppmail seppmail ≤ 15.0.2.1

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-2743 is an unauthenticated path traversal vulnerability in a public-facing web interface allowing arbitrary file writes and RCE, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
