SEPPMail flaws allow remote code execution, mail access

InfoGuard Labs disclosed critical SEPPMail Secure E-Mail Gateway vulnerabilities that allow unauthenticated remote code execution and access to all mail traffic.

InfoGuard Labs researchers disclosed a set of critical vulnerabilities in the SEPPMail Secure E-Mail Gateway that could let unauthenticated attackers execute code on the appliance and read all mail traffic. The report was published Monday by Dario Weiss, Manuel Feifel and Olivier Becker.

The flaws affect the appliance’s web interfaces and APIs in both the classic and new GINA user interfaces. The researchers identified path traversal, unsafe deserialization and eval injection issues. An attacker who chains the vulnerabilities could overwrite sensitive files, run arbitrary code with gateway process privileges and extract local files and email data from the virtual appliance.

The team assigned several CVE identifiers to the issues. CVE-2026-2743 (CVSS 10.0) is a path traversal in the large file transfer feature that can allow arbitrary file write and lead to remote code execution. CVE-2026-44128 (CVSS 9.3) is an eval injection that passes a user-supplied parameter into a Perl eval() call. CVE-2026-44126 (CVSS 9.2) involves deserialization of untrusted data and can enable unauthenticated code execution. Other tracked issues include an attachment preview path traversal (CVE-2026-44127, CVSS 8.8), missing authorization checks on GINA endpoints (CVE-2026-44125, CVSS 9.3), template engine expression execution (CVE-2026-44129, CVSS 8.3), and an information leak of server environment variables (CVE-2026-7864, CVSS 6.9).

As a proof-of-concept scenario, the researchers described exploiting CVE-2026-2743 to overwrite /etc/syslog.conf by abusing the “nobody” user’s write access and then changing syslog behavior to spawn a Perl-based reverse shell. The report explains that syslogd reloads its configuration only after receiving a SIGHUP signal and that the appliance uses newsyslog for log rotation. Newsyslog runs via cron every 15 minutes; filling log files with web requests can force a rotation and trigger the config reload.
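To show the vulnerability class behind CVE-2026-2743 from the defender's side, the following added example (not code from the InfoGuard report or from SEPPMail) places a naive file-name join beside a hardened one and scans constructed access-log lines for traversal attempts. The upload root and the `/lft/upload` endpoint are assumed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Assumed upload root for a large file transfer feature (not SEPPMail's real path).
UPLOAD_ROOT = "/var/lft/uploads"


def unsafe_target(root: str, name: str) -> str:
    """Vulnerable pattern: a user-supplied name joined straight onto the root.
    A name such as '../../../etc/syslog.conf' resolves outside the root."""
    return posixpath.normpath(posixpath.join(root, name))


def safe_target(root: str, name: str) -> str:
    """Hardened pattern: decode (twice, to catch double encoding), then accept
    only a plain file name and confirm the result stays inside the root."""
    root = posixpath.normpath(root)
    decoded = unquote(unquote(name))
    if decoded != posixpath.basename(decoded) or decoded in ("", ".", ".."):
        raise ValueError(f"rejected file name: {name!r}")
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if posixpath.commonpath([root, candidate]) != root:  # defence in depth
        raise ValueError(f"path escapes upload root: {name!r}")
    return candidate


# Constructed access-log lines; line 2 uses URL encoding, line 3 double encoding.
SAMPLE_LOG = [
    '10.0.0.5 - - "POST /lft/upload?name=report.pdf HTTP/1.1" 200',
    '10.0.0.9 - - "POST /lft/upload?name=..%2F..%2F..%2Fetc%2Fsyslog.conf HTTP/1.1" 200',
    '10.0.0.9 - - "POST /lft/upload?name=%252e%252e%252fetc%252fsyslog.conf HTTP/1.1" 200',
]


def traversal_attempts(log_lines):
    """Return (line_no, line) for lines whose request carries a '../' or '..\\'
    sequence after decoding, which is what a log review should flag."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        probe = unquote(unquote(line)).lower()
        if "../" in probe or "..\\" in probe:
            hits.append((no, line))
    return hits


if __name__ == "__main__":
    print(unsafe_target(UPLOAD_ROOT, "../../../etc/syslog.conf"))
    for no, line in traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt on line {no}: {line}")
```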

SEPPMail released fixes addressing the reported issues. CVE-2026-44128 was patched in version 15.0.2.1, CVE-2026-44126 in 15.0.3, and the remaining reported flaws were patched in 15.0.4. The disclosure follows an earlier SEPPMail update that fixed CVE-2026-27441 (CVSS 9.5), a separate high-severity issue that could allow arbitrary operating system command execution.

The researchers wrote: “These vulnerabilities could have been exploited to read all mail traffic or as an entry vector into the internal network.”

Administrators responsible for SEPPMail appliances are advised to apply the vendor patches and review gateway logs and access records for signs of exploitation.
