SEPPmail Gateway Flaws Enable RCE and Email Interception
Multiple critical vulnerabilities in the SEPPmail Secure E-Mail Gateway are putting thousands of organizations at risk of remote code execution (RCE) and the interception of sensitive email.
Tracked under four CVEs, the flaws impact widely deployed SEPPmail appliances used for encrypted email communication, particularly across the DACH region (Germany, Austria, Switzerland).
Security researchers warn that attackers can exploit these weaknesses to gain full control of email gateways, access confidential communications, and establish persistent access within enterprise environments.
Researchers at InfoGuard Labs uncovered multiple high-impact vulnerabilities across different components of the SEPPmail platform:
| CVE | Severity | Description |
|---|---|---|
| CVE-2026-2743 | Critical | Pre-authenticated RCE via arbitrary file write in the Large File Transfer (LFT) module |
| CVE-2026-7864 | High | Local File Inclusion (LFI) allows arbitrary file reads, including emails and credentials |
| CVE-2026-44127 | High | Unauthenticated RCE via Perl code injection in the GINA v2 interface |
| CVE-2026-44128 | Critical | Unauthenticated RCE via Perl code injection in GINA v2 interface |
Additional flaws included insecure deserialization, missing authorization checks, and server-side template injection.
The most critical issue, CVE-2026-2743, affects the LFT feature used for handling large email attachments. The vulnerability stems from improper input validation of a file upload parameter, enabling path traversal attacks.
By manipulating the file path with sequences such as ../, an attacker can write arbitrary content to sensitive system locations. The researchers demonstrated that the flaw chains into full RCE by overwriting /etc/syslog.conf with a malicious logging configuration.
When the logging service next reloads its configuration, which happens automatically during log rotation, the injected entry executes the attacker's payload and hands them a reverse shell. Critically, the attack requires no authentication and can be triggered remotely wherever the vulnerable endpoint is exposed.
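The pattern behind the LFT bug, shown as an added illustration in Python rather than SEPPmail's own code: an upload handler that joins the client-supplied filename onto its upload directory unchecked, beside a hardened version that accepts only a bare filename and re-checks containment after resolving the path. The parameter name, the upload directory and the throwaway "fake /etc" directory are assumptions chosen so the demo runs offline; the ../ sequences mirror the technique described above.

```python
"""Path traversal through an upload filename: vulnerable and hardened handlers.

Added illustration, not SEPPmail code. The parameter name, the upload
directory and the stand-in "fake /etc" directory are assumptions chosen so
the demo runs offline; the '../' sequences mirror the technique described
for CVE-2026-2743.
"""
import os
import tempfile

# Directory the upload feature is supposed to write into (assumed layout).
UPLOAD_ROOT = tempfile.mkdtemp(prefix="lft_uploads_")


def make_fake_etc() -> str:
    """A throwaway directory playing the role of /etc for the demo."""
    return tempfile.mkdtemp(prefix="fake_etc_")


def traversal_name(target_dir: str, name: str) -> str:
    """The filename an attacker sends: enough '../' to climb out of
    UPLOAD_ROOT and land 'name' inside target_dir."""
    return os.path.join(os.path.relpath(target_dir, UPLOAD_ROOT), name)


def escaped_upload_root(path: str) -> bool:
    """True if the resolved path lies outside UPLOAD_ROOT."""
    root = os.path.realpath(UPLOAD_ROOT)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


def vulnerable_save(filename: str, data: bytes) -> str:
    """Joins the client-supplied name onto the upload directory unchecked.
    os.path.join does nothing to stop '..' from leaving UPLOAD_ROOT."""
    target = os.path.join(UPLOAD_ROOT, filename)
    with open(target, "wb") as fh:
        fh.write(data)
    return os.path.realpath(target)


def hardened_save(filename: str, data: bytes) -> str:
    """Accepts only a bare filename, then double-checks containment after
    resolving symlinks. Rejects rather than silently rewriting the name, so
    traversal attempts surface as errors that can be logged."""
    if (not filename or "\0" in filename or "/" in filename
            or "\\" in filename or filename in (".", "..")):
        raise ValueError("filename must be a single path component")
    root = os.path.realpath(UPLOAD_ROOT)
    target = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("resolved path escapes the upload directory")
    with open(target, "wb") as fh:
        fh.write(data)
    return target


if __name__ == "__main__":
    fake_etc = make_fake_etc()
    evil = traversal_name(fake_etc, "syslog.conf")
    print("attacker filename:", evil)
    written = vulnerable_save(evil, b"# attacker-controlled syslog config\n")
    print("vulnerable handler wrote:", written, "escaped:", escaped_upload_root(written))
    try:
        hardened_save(evil, b"x")
    except ValueError as err:
        print("hardened handler rejected it:", err)
```

Note that the hardened handler rejects any separator outright instead of stripping the directory part with basename: silently rewriting ../../../etc/syslog.conf to syslog.conf would hide the attack from the logs, and the realpath containment check remains as a second line of defence against symlinks inside the upload directory.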
GINA Interface Enables Web Shell Access
The GINA v2 web interface, designed for secure email access by external recipients, introduces additional attack vectors. CVE-2026-44128 allows attackers to inject Perl code into an API endpoint that is executed directly via the eval() function. Because authentication checks are absent, crafted requests can execute arbitrary commands on the server.
CVE-2026-44127 further enables attackers to read arbitrary files, including stored emails, LDAP databases, and cryptographic material, raising significant concerns about data exposure.
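The injection class behind the GINA v2 findings, as an added illustration that is not GINA or SEPPmail code: Python's eval() stands in for the Perl eval() described above, and the endpoint, its expr parameter and the idea that the feature evaluates a small arithmetic expression are assumptions made for the demo. The vulnerable handler runs whatever the client sends; the hardened one checks the caller, bounds the input and interprets it with a purpose-built evaluator that only understands integer arithmetic.

```python
"""Code injection through eval() of a request parameter, with a hardened
replacement that parses an allowlisted grammar instead.

Added illustration, not GINA or SEPPmail code. Python's eval() stands in
for the Perl eval() the advisory describes; the endpoint, the 'expr'
parameter and the idea that the feature evaluates a small arithmetic
expression are assumptions made for the demo.
"""
import ast
import operator
import os

# Marker the injected payload recovers: if the handler returns this value,
# attacker-supplied code ran inside the server process.
CURRENT_PID = os.getpid()
INJECTION = "__import__('os').getpid()"


def vulnerable_handler(params: dict) -> object:
    """No authentication, no validation: the parameter is executed as code."""
    return eval(params["expr"])  # intentionally unsafe, mirrors the flaw


_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.FloorDiv: operator.floordiv,
}


def _eval_arith(node: ast.AST) -> int:
    """Walks the parsed tree and refuses anything but integer arithmetic,
    so calls, attribute access and names are never executed."""
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        return _BINOPS[type(node.op)](_eval_arith(node.left), _eval_arith(node.right))
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def hardened_handler(params: dict, authenticated: bool) -> int:
    """Checks the caller first, bounds the input, then interprets it with a
    purpose-built evaluator instead of the language's eval()."""
    if not authenticated:
        raise PermissionError("authentication required")
    expr = params.get("expr", "")
    if not expr or len(expr) > 64:
        raise ValueError("expression missing or too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as err:
        raise ValueError("malformed expression") from err
    return _eval_arith(tree.body)


if __name__ == "__main__":
    print("benign:", vulnerable_handler({"expr": "40 + 2"}))
    print("injected (server pid):", vulnerable_handler({"expr": INJECTION}))
    try:
        hardened_handler({"expr": INJECTION}, authenticated=True)
    except ValueError as err:
        print("hardened handler:", err)
```

The payload here only reads the process ID so the demo stays harmless, but anything the interpreter can reach is equally available, which is why the fix is not a blocklist of dangerous tokens but a parser that accepts nothing outside the grammar the feature actually needs.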
Impact
Successful exploitation can result in:
- Full compromise of the email gateway appliance
- Interception and decryption of sensitive email traffic
- Theft of user credentials and internal directory data
- Persistent backdoor access within enterprise networks
Security teams may also face limited visibility into these appliances, making detection and incident response considerably more difficult.
Mitigation
Organizations running SEPPmail should take immediate action:
- Upgrade to patched versions 15.0.2.1, 15.0.3, 15.0.4, or later
- Disable unused features such as LFT and GINA v2 if not operationally required
- Restrict external access to management and API endpoints
- Monitor logs for unusual file writes or abnormal API activity
- Conduct forensic reviews on potentially exposed systems
Administrators can check whether the LFT component is exposed by requesting the /v1/file.app endpoint: any response other than 404 means the endpoint is reachable and the system should be treated as potentially vulnerable until its version has been confirmed.
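To make the monitoring advice and the exposure check above concrete, here is an added example (not a SEPPmail-supplied detection rule) that scans web-server access logs for traversal attempts against the upload endpoint and reports which status codes the endpoint returned. The combined log format, the filename query parameter and every sample line are constructed for the demo; only the /v1/file.app path comes from the exposure check described above. Percent-encoding is decoded twice so single- and double-encoded ../ are both caught.

```python
"""Hunting for path-traversal attempts against the LFT upload endpoint in
web-server access logs, and summarising what the exposure probe returned.

Added example, not a SEPPmail-supplied rule. The combined log format, the
'filename' query parameter and every sample line are constructed for the
demo; only the /v1/file.app path comes from the advisory's exposure check.
"""
import re
from urllib.parse import unquote

LFT_ENDPOINT = "/v1/file.app"

# Apache/nginx "combined" style line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

# Constructed sample: one legitimate upload, three traversal attempts in
# different encodings, one traversal against an unrelated path, one probe.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/May/2026:10:00:01 +0000] "POST /v1/file.app?filename=report.pdf HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/May/2026:10:02:13 +0000] "POST /v1/file.app?filename=../../../etc/syslog.conf HTTP/1.1" 200 0 "-" "curl/8.5.0"',
    '198.51.100.7 - - [12/May/2026:10:02:14 +0000] "POST /v1/file.app?filename=..%2F..%2F..%2Fetc%2Fsyslog.conf HTTP/1.1" 200 0 "-" "curl/8.5.0"',
    '198.51.100.7 - - [12/May/2026:10:02:15 +0000] "POST /v1/file.app?filename=..%252F..%252F..%252Fetc%252Fsyslog.conf HTTP/1.1" 200 0 "-" "curl/8.5.0"',
    '192.0.2.44 - - [12/May/2026:10:05:00 +0000] "GET /static/../index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/May/2026:10:06:00 +0000] "GET /v1/file.app HTTP/1.1" 405 0 "-" "curl/8.5.0"',
]


def decode_twice(s: str) -> str:
    """Undo one or two layers of percent-encoding."""
    return unquote(unquote(s))


def is_traversal(url: str) -> bool:
    return bool(TRAVERSAL_RE.search(decode_twice(url)))


def parse_line(line: str):
    """Split a combined-format line into the fields the hunt needs, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = decode_twice(m["url"])
    return {"ip": m["ip"], "method": m["method"], "url": url,
            "path": url.split("?", 1)[0], "status": int(m["status"])}


def traversal_hits(lines, endpoint=LFT_ENDPOINT):
    """Requests to the upload endpoint whose URL contains '../' once decoded."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(endpoint) and is_traversal(rec["url"]):
            hits.append(rec)
    return hits


def endpoint_statuses(lines, endpoint=LFT_ENDPOINT):
    """Distinct status codes the endpoint returned."""
    return sorted({rec["status"] for rec in map(parse_line, lines)
                   if rec and rec["path"].startswith(endpoint)})


def endpoint_exposed(lines, endpoint=LFT_ENDPOINT) -> bool:
    """Anything other than 404 means the LFT component answered."""
    return any(code != 404 for code in endpoint_statuses(lines, endpoint))


if __name__ == "__main__":
    for h in traversal_hits(SAMPLE_LOG):
        print(f"{h['ip']} {h['method']} {h['url']} -> {h['status']}")
    print("statuses on", LFT_ENDPOINT, endpoint_statuses(SAMPLE_LOG),
          "exposed:", endpoint_exposed(SAMPLE_LOG))
```

One caveat for real deployments: if the upload name travels in a multipart request body rather than the query string, the web server's access log never sees it, so the appliance's own upload or application logs are the better source for this search. The traversal against /static/ in the sample is deliberately left unmatched; widening the endpoint filter is a one-line change once the relevant paths are known.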
The researchers identified the flaws using AI-assisted analysis, underscoring how modern tooling accelerates both vulnerability discovery and exploitation. This lowers the barrier for threat actors and reinforces the need for continuous security testing, regular code audits, and proactive patch management.