Critical security vulnerabilities have been disclosed in SEPPMail Secure E-Mail Gateway, an enterprise-grade email security solution, that could be exploited to achieve remote code execution and enable an attacker to read arbitrary mails from the virtual appliance.
“These vulnerabilities could have been exploited to read all mail traffic or as an entry vector into the internal network,” InfoGuard Labs researchers Dario Weiss, Manuel Feifel, and Olivier Becker said in a Monday report.
The list of identified flaws is as follows –
- CVE-2026-2743 (CVSS score: 10.0) – A path traversal vulnerability in the SeppMail User Web Interface’s large file transfer (LFT) feature that could enable arbitrary file write, resulting in remote code execution.
- CVE-2026-7864 (CVSS score: 6.9) – An exposure of sensitive system information vulnerability that leaks server environment variables through an unauthenticated endpoint in the new GINA UI.
- CVE-2026-44125 (CVSS score: 9.3) – A missing authorization check vulnerability for multiple endpoints in the new GINA UI that allows unauthenticated remote attackers to access functionality that would otherwise require a valid session.
- CVE-2026-44126 (CVSS score: 9.2) – A deserialization of untrusted data vulnerability that allows unauthenticated remote attackers to execute code via a crafted serialized object.
- CVE-2026-44127 (CVSS score: 8.8) – An unauthenticated path traversal vulnerability in “/api.app/attachment/preview” that allows remote attackers to read arbitrary local files and trigger deletion of files in the targeted directory with the privileges of the “api.app” process.
- CVE-2026-44128 (CVSS score: 9.3) – An eval injection vulnerability that allows unauthenticated remote code execution by taking advantage of the fact that the /api.app/template feature directly passes user-supplied upldd parameter into a Perl eval() statement without any sanitization.
- CVE-2026-44129 (CVSS score: 8.3) – An improper neutralization of special elements used in a template engine vulnerability that allows remote attackers to execute arbitrary template expressions and potentially achieve remote code execution depending on the enabled template plugins.
In a hypothetical attack scenario, a threat actor could exploit CVE-2026-2743 to overwrite the system’s syslog configuration (“/etc/syslog.conf”) by making use of the “nobody” user’s write access to the file and ultimately obtain a Perl-based reverse shell. The end result is a complete takeover of the SEPPmail appliance, permitting the attacker to read all mail traffic and persist indefinitely on the gateway.
One significant hurdle that an attacker must overcome to achieve remote code execution is that syslogd re-reads the configuration only upon receiving the SIGHUP (aka “signal hang up”) signal. Syslogd is a Linux system daemon responsible for writing system messages to log files or a user’s terminal.
“The appliance uses newsyslog for log rotation (e.g., leading to logfile.0), which runs every 15 minutes via cron,” the researchers explained. “newsyslog rotates files that exceed a size limit and then automatically sends a SIGHUP to syslogd. By bloating log files like SEPPMaillog, which has a 10,000 KB limit in this case, we can force a rotation and a subsequent config reload. These can be filled by just sending web requests.”
While CVE-2026-44128 is said to have been fixed by version 15.0.2.1, CVE-2026-44126 was addressed with the release of version 15.0.3. The remaining vulnerabilities have been patched in version 15.0.4.
The disclosure comes weeks after SEPPmail shipped updates to resolve another critical flaw (CVE-2026-27441, CVSS score: 9.5) that could allow arbitrary operating system command execution.
