Critical Vulnerabilities in SEPPmail Secure E-Mail Gateway Expose Systems to Remote Code Execution and Mail Traffic Interception
Researchers have disclosed multiple security flaws in SEPPmail's Secure E-Mail Gateway, an enterprise email security appliance. An attacker who exploits them could execute code on the gateway and read the email traffic passing through it.
Researchers from InfoGuard Labs—Dario Weiss, Manuel Feifel, and Olivier Becker—highlighted the severity of these issues, noting that attackers could potentially intercept all email traffic or use the gateway as an entry point into internal networks.
The identified vulnerabilities include:
– CVE-2026-2743 (CVSS score: 10.0): A path traversal flaw in the Large File Transfer (LFT) feature of the SEPPmail User Web Interface. It allows files to be written outside the intended directory, which can be chained into remote code execution.
– CVE-2026-7864 (CVSS score: 6.9): An exposure of sensitive system information through an unauthenticated endpoint in the new GINA UI, leaking server environment variables.
– CVE-2026-44125 (CVSS score: 9.3): Missing authorization checks in multiple endpoints of the new GINA UI, permitting unauthenticated remote attackers to reach functions that normally require a valid session.
– CVE-2026-44126 (CVSS score: 9.2): Deserialization of untrusted data, enabling unauthenticated remote attackers to execute code via crafted serialized objects.
– CVE-2026-44127 (CVSS score: 8.8): An unauthenticated path traversal vulnerability in /api.app/attachment/preview, allowing remote attackers to read arbitrary local files and delete files in the targeted directory with the privileges of the api.app process.
– CVE-2026-44128 (CVSS score: 9.3): An eval injection vulnerability that allows unauthenticated remote code execution by passing user-supplied parameters directly into a Perl eval() statement without proper sanitization.
– CVE-2026-44129 (CVSS score: 8.3): Improper neutralization of special elements in a template engine, allowing remote attackers to execute arbitrary template expressions and potentially achieve remote code execution depending on the enabled template plugins.
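Both traversal issues above (the LFT write in CVE-2026-2743 and the attachment-preview read/delete in CVE-2026-44127) come down to one missing check: the server-side path built from a client-supplied name is never confirmed to lie inside the directory it was meant for. The example below is added here and is not SEPPmail's code; the upload root and the file names are constructed for illustration. It shows the vulnerable join beside a hardened resolver that rejects absolute names and anything that escapes the root, including the prefix trick that a naive string comparison misses.

```python
import posixpath

# Hypothetical upload root; the real LFT directory layout is not given in the advisory.
UPLOAD_ROOT = "/var/lft/uploads"


def unsafe_resolve(root, client_name):
    """Vulnerable pattern: join the client-supplied name and use the result.
    An absolute name replaces the root outright, and '..' walks out of it."""
    return posixpath.normpath(posixpath.join(root, client_name))


def safe_resolve(root, client_name):
    """Hardened pattern: resolve lexically, then require the result to sit
    strictly inside root. Raises ValueError on anything that escapes.
    Call this on the already URL-decoded name; if the directory can contain
    symlinks, also compare os.path.realpath() of the final target."""
    if not client_name or "\0" in client_name:
        raise ValueError("empty or NUL-containing name")
    if client_name.startswith("/"):
        raise ValueError("absolute names are not accepted")
    root = posixpath.normpath(root)
    prefix = root if root.endswith("/") else root + "/"
    candidate = posixpath.normpath(posixpath.join(root, client_name))
    # The trailing slash in prefix matters: without it "/var/lft/uploads-evil"
    # would pass a plain startswith() test against "/var/lft/uploads".
    if not candidate.startswith(prefix):
        raise ValueError("path escapes the upload root")
    return candidate


def check(root, client_name):
    """Convenience wrapper: resolved path when accepted, None when rejected."""
    try:
        return safe_resolve(root, client_name)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed names; the first is benign, the rest are traversal attempts.
    for name in ("report.pdf", "../../../etc/syslog.conf",
                 "/etc/syslog.conf", "../uploads-evil/x", "sub/../file.txt"):
        print(f"{name!r:28} unsafe -> {unsafe_resolve(UPLOAD_ROOT, name):26} "
              f"safe -> {check(UPLOAD_ROOT, name)}")
```

The `unsafe_resolve` line for `../../../etc/syslog.conf` lands on `/etc/syslog.conf`, which is exactly the target in the attack scenario described further down; the hardened version refuses it before any file is opened.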
In one attack scenario, an attacker exploits CVE-2026-2743 to overwrite the system's syslog configuration (/etc/syslog.conf), which is possible because the file is writable by the nobody user, the account whose privileges the traversal write runs with. A crafted configuration can then be used to launch a Perl-based reverse shell, giving the attacker full control of the SEPPmail appliance, the ability to monitor all email traffic, and persistent access to the gateway.
One obstacle on the way to code execution is that the syslog daemon (syslogd) only re-reads its configuration when it receives SIGHUP. The appliance uses newsyslog for log rotation, run by cron every 15 minutes, and newsyslog signals syslogd after rotating a log. By inflating a log file such as SEPPMaillog beyond its size limit, the attacker forces a rotation at the next cron run, and with it the configuration reload that activates the malicious entry.
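The persistence step above relies on a feature of BSD-style syslogd: an action that begins with `|` tells the daemon to pipe matching messages into a program, so a single injected rule is enough to have syslogd start an interpreter on the next reload. A defender checking an appliance for this kind of tampering can scan syslog.conf for pipe actions and flag those that invoke a shell or scripting interpreter. The scanner below is an added example, not from the advisory or from SEPPmail; the configuration text it parses is constructed, and the flagged line carries only a truncated placeholder rather than a working payload.

```python
import re

# Programs that have no business receiving syslog messages through a pipe.
SUSPICIOUS_PROGRAMS = {"perl", "sh", "bash", "ksh", "python", "python3",
                       "nc", "ncat", "socat", "telnet"}

# Constructed sample; not taken from a real appliance. Line numbers matter
# for the findings below: the benign filter is on line 6, the injected
# rule on line 10.
SAMPLE_CONF = (
    "# /etc/syslog.conf (constructed sample, not from a real appliance)\n"
    "*.err;kern.warning;auth.notice;mail.crit\t/dev/console\n"
    "*.notice;authpriv.none;kern.debug;mail.crit\t/var/log/messages\n"
    "mail.info\t\t\t\t\t/var/log/maillog\n"
    "*.*\t\t\t\t\t\t/var/log/SEPPMaillog\n"
    "*.*\t\t\t\t\t\t|/usr/local/bin/logfilter\n"
    "*.*\t\t\t\t\t\t@loghost.example.internal\n"
    "!cron\n"
    "*.*\t\t\t\t\t\t/var/log/cron\n"
    "*.*\t\t\t\t\t\t|/usr/bin/perl -e 'use Socket;...'\n"
)

RULE_RE = re.compile(r"^(?P<selector>\S+)\s+(?P<action>.+?)\s*$")


def parse_rules(conf_text):
    """Return (lineno, selector, action) for every rule line, skipping
    blank lines, '#' comments and the !program / +host / -host section
    headers that BSD syslogd understands."""
    rules = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line[0] in "#!+-":
            continue
        match = RULE_RE.match(line)
        if match:
            rules.append((lineno, match["selector"], match["action"]))
    return rules


def find_pipe_actions(conf_text):
    """Rules whose action pipes messages into a program (action starts with '|')."""
    return [(n, sel, act[1:].strip())
            for n, sel, act in parse_rules(conf_text) if act.startswith("|")]


def program_name(command):
    """Basename of the first word of a command line, e.g. '/usr/bin/perl -e ..' -> 'perl'."""
    return command.split()[0].rsplit("/", 1)[-1]


def flag_suspicious(conf_text):
    """Pipe actions that run an interpreter or shell, or pass inline code
    with -e/-c. Legitimate log filters (a dedicated binary) are left alone."""
    findings = []
    for lineno, selector, command in find_pipe_actions(conf_text):
        words = command.split()
        if program_name(command) in SUSPICIOUS_PROGRAMS or "-e" in words or "-c" in words:
            findings.append((lineno, selector, command))
    return findings


if __name__ == "__main__":
    # On a live system: flag_suspicious(open("/etc/syslog.conf").read())
    for lineno, selector, command in flag_suspicious(SAMPLE_CONF):
        print(f"line {lineno}: selector {selector!r} pipes into {command!r}")
```

Pair this with an integrity baseline (a known-good hash or package-manager verification of /etc/syslog.conf) and a look at the file's mtime and owner: a world- or nobody-writable syslog.conf is itself the misconfiguration that made the chain work. Watching SEPPMaillog for abnormal growth just before a 15-minute rotation boundary is the corresponding behavioural signal for the reload trigger.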
SEPPmail has addressed these vulnerabilities in recent updates:
– CVE-2026-44128: Fixed in version 15.0.2.1.
– CVE-2026-44126: Resolved in version 15.0.3.
– Remaining vulnerabilities: Patched in version 15.0.4.
This disclosure follows SEPPmail’s recent update to fix another critical flaw (CVE-2026-27441, CVSS score: 9.5) that could allow arbitrary operating system command execution.