Critical SEPPMail Gateway Flaws Allow Full Mail Traffic Theft and Remote Code Execution
InfoGuard Labs disclosed seven critical vulnerabilities in the SEPPMail Secure E-Mail Gateway, including a CVSS 10.0 path traversal flaw, enabling attackers to read all mail traffic and achieve persistent remote code execution.

InfoGuard Labs researchers have disclosed a set of seven critical vulnerabilities in the SEPPMail Secure E-Mail Gateway, an enterprise-grade email security appliance. The flaws, which include a CVSS 10.0 path traversal bug, could allow unauthenticated attackers to achieve remote code execution and read all mail traffic passing through the virtual appliance. The findings were published in a Monday report by researchers Dario Weiss, Manuel Feifel, and Olivier Becker.
The most severe vulnerability, tracked as CVE-2026-2743, carries a CVSS score of 10.0 and resides in the SeppMail User Web Interface's large file transfer (LFT) feature. This path traversal flaw enables arbitrary file write, which can be chained into remote code execution. In a hypothetical attack scenario, an attacker could overwrite the system's syslog configuration file ("/etc/syslog.conf") by leveraging the "nobody" user's write access, ultimately obtaining a Perl-based reverse shell and achieving full appliance takeover.
A key challenge for attackers is that syslogd only re-reads its configuration upon receiving a SIGHUP signal. However, the researchers demonstrated a practical bypass: the appliance uses newsyslog for log rotation every 15 minutes via cron. By bloating log files such as SEPPMaillog (which has a 10,000 KB limit) through simple web requests, an attacker can force a rotation and subsequent SIGHUP, triggering the malicious syslog configuration and enabling code execution.
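The root cause of the CVSS 10.0 flaw is a file-write endpoint that trusts a client-supplied name as a path. The following is an added example, not code from SEPPmail or from the InfoGuard report, showing the containment check a large-file-transfer handler needs before writing anything: the name is percent-decoded (twice, to catch double encoding), rejected if it carries any directory component, and the final resolved location is compared against the real upload root so that neither `..` sequences nor a symlink planted inside the root can redirect the write. The function names, the upload-root layout and the list of test names are all constructed for this illustration.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote


class UnsafePathError(ValueError):
    """Raised when a client-supplied name would escape the upload root."""


def safe_upload_path(upload_root: str, client_name: str) -> Path:
    """Return an absolute path under upload_root for a client-supplied name.

    The name is treated as a bare file name, never as a path. Hypothetical
    helper written for this example; it is not the appliance's own code.
    """
    if not client_name:
        raise UnsafePathError("empty file name")
    # Decode twice so %2e%2e and %252e%252e both become visible as '..'
    name = unquote(unquote(client_name))
    if "\x00" in name:
        raise UnsafePathError("embedded NUL byte")
    # Backslashes are separators on some platforms; treat them the same way
    name = name.replace("\\", "/")
    # Any directory structure at all is rejected, including '.' and '..'
    if "/" in name or name in (".", ".."):
        raise UnsafePathError(f"directory components not allowed: {client_name!r}")
    root = Path(upload_root).resolve()
    candidate = (root / name).resolve()
    # Final containment check after symlink resolution: the parent of the
    # resolved target must be the real upload root itself
    if candidate.parent != root:
        raise UnsafePathError(f"resolved outside upload root: {candidate}")
    return candidate


def classify(upload_root: str, names) -> dict:
    """Map each candidate name to 'ok' or 'rejected' for a batch of names."""
    results = {}
    for n in names:
        try:
            safe_upload_path(upload_root, n)
            results[n] = "ok"
        except UnsafePathError:
            results[n] = "rejected"
    return results


# Constructed test names covering the usual traversal shapes
CONSTRUCTED_NAMES = [
    "report.pdf",                    # legitimate upload
    "../../etc/syslog.conf",         # plain traversal toward a config file
    "..%2f..%2fetc%2fsyslog.conf",   # percent-encoded separators
    "%252e%252e/etc/passwd",         # double-encoded dots
    "..\\..\\windows\\win.ini",      # backslash separators
    "/etc/passwd",                   # absolute path
    "file\x00.txt",                  # embedded NUL
]


def run_checks() -> dict:
    """Exercise the checks against a temporary root that also contains a
    symlink pointing outside it (the name 'escape' looks harmless on its own)."""
    root = tempfile.mkdtemp(prefix="lft_root_")
    outside = tempfile.mkdtemp(prefix="outside_")
    Path(root, "escape").symlink_to(outside)
    return classify(root, CONSTRUCTED_NAMES + ["escape"])


if __name__ == "__main__":
    for name, verdict in run_checks().items():
        print(f"{verdict:8s} {name!r}")
```

The decisive check is the last one: even a name that passes every string-level filter is refused if, after `resolve()`, it does not sit directly under the real upload root. That is what turns the symlink case into a rejection rather than a write to an arbitrary location.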
Additional vulnerabilities include CVE-2026-44128 (CVSS 9.3), an eval injection flaw in the /api.app/template feature that passes user-supplied input directly into a Perl eval() statement without sanitization, allowing unauthenticated remote code execution; CVE-2026-44126 (CVSS 9.2), a deserialization of untrusted data vulnerability that similarly permits unauthenticated code execution via crafted serialized objects; and CVE-2026-44125 (CVSS 9.3), a missing authorization check.
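The eval injection in the template feature is the classic shape of handing template text to the language's evaluator. The following is an added example, not code from SEPPmail or from the report, and it uses Python's `eval()` as a stand-in for the Perl `eval()` the page describes; the placeholder syntax, the function names and the sample variables are assumptions made for this illustration. `render_unsafe` shows why any expression between the braces runs as code, and `render_safe` shows the fix: placeholders are restricted to plain variable names looked up in an explicit dictionary, and anything else is rejected instead of interpreted.

```python
import re
from typing import Mapping


class TemplateError(ValueError):
    """Raised when a placeholder is not a plain, known variable name."""


_PLACEHOLDER = re.compile(r"\{\{(.*?)\}\}", re.S)
_IDENTIFIER = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*$")


def render_unsafe(template: str, variables: Mapping[str, object]) -> str:
    """Vulnerable analogue (constructed for this example): the text inside
    each {{ ... }} is passed straight to eval(), so the template author
    controls what executes, not just which value is printed."""
    return _PLACEHOLDER.sub(
        lambda m: str(eval(m.group(1), {}, dict(variables))), template
    )


def render_safe(template: str, variables: Mapping[str, object]) -> str:
    """Hardened version: no evaluation at all. A placeholder must be a bare
    identifier present in `variables`; anything else raises TemplateError."""
    def lookup(m: re.Match) -> str:
        ident = _IDENTIFIER.match(m.group(1))
        if not ident:
            raise TemplateError(
                f"placeholder is not a plain variable name: {m.group(1)!r}")
        key = ident.group(1)
        if key not in variables:
            raise TemplateError(f"unknown placeholder {key!r}")
        return str(variables[key])

    return _PLACEHOLDER.sub(lookup, template)


# Constructed sample variables a mail template might legitimately use
CONSTRUCTED_VARS = {"recipient": "alice@example.com", "subject": "Quarterly report"}


def render_demo() -> dict:
    """Render a benign template and an expression-bearing one both ways."""
    benign = "Hello {{ recipient }}, re: {{ subject }}"
    hostile = "Total: {{ 7 * 6 }}"  # an expression, not a variable name
    out = {
        "benign_safe": render_safe(benign, CONSTRUCTED_VARS),
        "hostile_unsafe": render_unsafe(hostile, CONSTRUCTED_VARS),
    }
    try:
        render_safe(hostile, CONSTRUCTED_VARS)
        out["hostile_safe"] = "accepted"
    except TemplateError:
        out["hostile_safe"] = "rejected"
    return out


if __name__ == "__main__":
    for label, value in render_demo().items():
        print(f"{label}: {value}")
```

The harmless arithmetic in the hostile template is enough to make the point: the unsafe renderer computes it, which means it would compute anything else placed there too, while the safe renderer refuses the placeholder because it is not a variable name. Restricting the grammar of what a placeholder may contain, rather than trying to filter dangerous expressions, is what closes the class of bug.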
Other flaws include CVE-2026-7864 (CVSS 6.9), which leaks sensitive server environment variables through an unauthenticated endpoint in the new GINA UI; CVE-2026-44127 (CVSS 8.8), an unauthenticated path traversal in the attachment preview endpoint allowing arbitrary file reads and deletions; and CVE-2026-44129 (CVSS 8.3), a template engine injection vulnerability that could lead to remote code execution depending on enabled plugins.
SEPPmail has released patches across multiple versions: CVE-2026-44128 was fixed in version 15.0.2.1, CVE-2026-44126 in version 15.0.3, and the remaining vulnerabilities in version 15.0.4. This disclosure follows a previous critical flaw (CVE-2026-27441, CVSS 9.5) patched weeks earlier that allowed arbitrary OS command execution. Organizations using SEPPMail Secure E-Mail Gateway are urged to update to the latest version immediately to prevent potential compromise of all email traffic and internal network access.