ctipilot.ch

SEPPmail LFT pre-auth path traversal → arbitrary file write as nobody → RCE via syslog.conf overwrite; CVSS 10.0; addressed by v15.0.4

cve · CVE-2026-2743

  • Coverage timeline: 1 · first 2026-05-20 → last 2026-05-20
  • Briefs: 1 (1 distinct)
  • Sources cited: 12 (7 hosts)
  • Sections touched: 1 (updates)
  • Co-occurring entities: 3

Story timeline

  1. 2026-05-20 · CTI Daily Brief — 2026-05-20 · section: updates
     UPDATE on 2026-05-09 deep dive cluster: InfoGuard Labs full technical write-up 2026-05-18 reveals new CVE-2026-2743 (CVSS 10.0) atop the prior 6-CVE cluster

Where this entity is cited

  • updates: 1

Source distribution

  • attack.mitre.org: 6 (50%)
  • cybersecuritynews.com: 1 (8%)
  • labs.infoguard.ch: 1 (8%)
  • thehackernews.com: 1 (8%)
  • downloads.seppmail.com: 1 (8%)
  • security-hub.ncsc.admin.ch: 1 (8%)
  • vulnerability.circl.lu: 1 (8%)


Items in briefs about SEPPmail LFT pre-auth path traversal → arbitrary file write as nobody → RCE via syslog.conf overwrite; CVSS 10.0; addressed by v15.0.4 (1)

UPDATE: SEPPmail Secure E-Mail Gateway — InfoGuard Labs full technical write-up; new CVE-2026-2743 (CVSS 10.0 pre-auth path traversal in LFT)

From CTI Daily Brief — 2026-05-20 · published 2026-05-20

UPDATE (originally covered in the 2026-05-09 deep dive on the CVE-2026-44128 cluster): InfoGuard Labs — the Baar-based Swiss security firm that performed the original SEPPmail review — published its full technical write-up on 2026-05-18. The principal new finding is CVE-2026-2743 (CVSS 10.0): a pre-authentication path traversal in SEPPmail's Large File Transfer (LFT) component (/v1/file.app endpoint, handle_request function) that passes a JSON-supplied filename through WebMailMessage::store_attachments without sanitisation. The attacker can write arbitrary files as the nobody user; because nobody unusually has write access to /etc/syslog.conf, an attacker can overwrite it with a piped Perl reverse-shell one-liner and wait for the next newsyslog rotation (a 15-minute cron job that sends SIGHUP to syslogd) to obtain unauthenticated RCE.

CVE-2026-2743 only affects instances with the LFT license enabled (exposure is detectable: /v1/file.app returns 404 if LFT is not provisioned). InfoGuard's Censys-driven scan suggests that the majority of customer instances do have LFT enabled. The 2026-05-09 deep dive covered CVE-2026-44128 / 44125 / 44126 / 44127 / 44129 / 7864, all patched in v15.0.4; CVE-2026-2743 is also addressed by v15.0.4, but defenders who delayed the v15.0.4 update on the assumption that their LFT-disabled posture limited exposure should re-evaluate: any host running an earlier build is now a pre-auth RCE candidate independent of the GINA V2 path. InfoGuard notes: "The chain allows for a complete takeover of the SEPPmail appliance. Attackers can read all mail traffic and persist indefinitely on the gateway. On these virtual appliances the Blue Teams have usually no visibility." Apply v15.0.4 to all Swiss / DACH SEPPmail appliances immediately if any remain on an earlier build; monitor /v1/file.app POST requests with ../ sequences in the JSON body; alert on unexpected Perl process trees spawned by syslogd.
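The two detection rules at the end of the brief, implemented as an added example (not InfoGuard Labs' or SEPPmail's code). It assumes a reverse-proxy or WAF log in JSON-lines form that captures the request method, path and raw JSON body (field names "method", "path", "body", "src" are assumptions), and a process-creation feed with "proc" and "parent" fields (also assumptions); both inputs are constructed inline. It goes slightly beyond the brief by also matching backslash and percent/unicode-encoded traversal forms, and by treating a shell spawned by syslogd as suspicious alongside Perl.

```python
"""Detection helpers for the two CVE-2026-2743 indicators named in the brief.

Added example, not InfoGuard Labs' or SEPPmail's code. Assumes (constructed here):
  * a reverse-proxy / WAF log in JSON-lines form that records the request method,
    path and raw JSON body ("method", "path", "body", "src" are assumed field names);
  * a process-creation feed with "proc" and "parent" fields (also assumptions).
"""
import json
import re
from urllib.parse import unquote

LFT_ENDPOINT = "/v1/file.app"

# The brief names literal "../"; the backslash form and the encoded variants
# handled in _normalise() are a generalisation added here.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")


def _normalise(body: str) -> str:
    """Collapse up to two layers of percent-encoding and JSON \\uXXXX escapes so that
    '%2e%2e%2f', '%252e%252e%252f' and '\\u002e\\u002e/' all reduce to '../'."""
    text = body
    for _ in range(2):
        text = unquote(text)
    return re.sub(r"\\u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1), 16)), text)


def is_lft_traversal_request(record: dict) -> bool:
    """POST to the LFT endpoint whose JSON body carries a path-traversal sequence."""
    if record.get("method", "").upper() != "POST":
        return False
    if unquote(record.get("path", "")).rstrip("/") != LFT_ENDPOINT:
        return False
    return TRAVERSAL_RE.search(_normalise(record.get("body", ""))) is not None


def scan_request_log(lines) -> list:
    """Return the parsed records that match; malformed lines are skipped, not raised."""
    hits = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_lft_traversal_request(record):
            hits.append(record)
    return hits


# syslogd should never be the parent of an interpreter; the brief calls out Perl.
# "sh" is included on the assumption that a "|command" action in syslog.conf is
# run through a shell on the appliance.
UNEXPECTED_SYSLOGD_CHILDREN = {"perl", "sh"}


def is_unexpected_syslogd_child(event: dict) -> bool:
    return (event.get("parent", "").lower() == "syslogd"
            and event.get("proc", "").lower() in UNEXPECTED_SYSLOGD_CHILDREN)


def scan_process_events(events) -> list:
    return [e for e in events if is_unexpected_syslogd_child(e)]


# --- constructed sample input (not real traffic) ------------------------------
SAMPLE_REQUESTS = [
    '{"ts":"2026-05-20T08:01:02Z","src":"192.0.2.5","method":"POST","path":"/v1/file.app",'
    '"body":"{\\"filename\\":\\"report.pdf\\",\\"data\\":\\"QUJD\\"}"}',
    '{"ts":"2026-05-20T08:02:11Z","src":"198.51.100.7","method":"POST","path":"/v1/file.app",'
    '"body":"{\\"filename\\":\\"../../../tmp/probe.txt\\",\\"data\\":\\"QUJD\\"}"}',
    '{"ts":"2026-05-20T08:02:40Z","src":"198.51.100.7","method":"POST","path":"/v1/file.app/",'
    '"body":"{\\"filename\\":\\"%2e%2e%2ftmp%2fprobe.txt\\",\\"data\\":\\"QUJD\\"}"}',
    '{"ts":"2026-05-20T08:03:00Z","src":"203.0.113.9","method":"GET","path":"/v1/file.app","body":""}',
    '{"ts":"2026-05-20T08:03:30Z","src":"203.0.113.9","method":"POST","path":"/v1/other.app",'
    '"body":"{\\"filename\\":\\"../x\\"}"}',
    'not json at all',
]

PROCESS_EVENTS = [
    {"ts": "2026-05-20T08:15:00Z", "proc": "newsyslog", "parent": "cron"},
    {"ts": "2026-05-20T08:15:01Z", "proc": "perl", "parent": "syslogd", "cmdline": "perl -e <redacted>"},
    {"ts": "2026-05-20T08:15:02Z", "proc": "logger", "parent": "sh"},
]

if __name__ == "__main__":
    for hit in scan_request_log(SAMPLE_REQUESTS):
        print("LFT traversal attempt:", hit["ts"], hit["src"], hit["body"])
    for ev in scan_process_events(PROCESS_EVENTS):
        print("unexpected syslogd child:", ev["ts"], ev["proc"], ev.get("cmdline", ""))
```

Decoding twice before matching is deliberate: a single-pass rule is bypassed by double percent-encoding, and on this endpoint a legitimate attachment name should never contain a traversal sequence, so the extra decoding costs little in false positives. The process rule is narrow by design; an allowlist of what syslogd is expected to spawn would be stricter but depends on the appliance's build.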