Critical security vulnerabilities have been disclosed in SEPPmail Secure E-Mail Gateway, an enterprise-grade email security solution, that could potentially be exploited to achieve remote code execution and allow an attacker to read arbitrary mails from the virtual appliance.
“These vulnerabilities might have been exploited to read all mail traffic or as an entry vector into the internal network,” InfoGuard Labs researchers Dario Weiss, Manuel Feifel, and Olivier Becker said in a Monday report.
The list of identified flaws is as follows –
- CVE-2026-2743 (CVSS score: 10.0) – A path traversal vulnerability in the SEPPmail User Web Interface’s large file transfer (LFT) feature that could allow arbitrary file write, resulting in remote code execution.
- CVE-2026-7864 (CVSS score: 6.9) – An exposure of sensitive system information vulnerability that leaks server environment variables through an unauthenticated endpoint in the new GINA UI.
- CVE-2026-44125 (CVSS score: 9.3) – A missing authorization check vulnerability for multiple endpoints in the new GINA UI that allows unauthenticated remote attackers to access functionality that would otherwise require a valid session.
- CVE-2026-44126 (CVSS score: 9.2) – A deserialization of untrusted data vulnerability that allows unauthenticated remote attackers to execute code via a crafted serialized object.
- CVE-2026-44127 (CVSS score: 8.8) – An unauthenticated path traversal vulnerability in “/api.app/attachment/preview” that allows remote attackers to read arbitrary local files and trigger deletion of files in the targeted directory with the privileges of the “api.app” process.
- CVE-2026-44128 (CVSS score: 9.3) – An eval injection vulnerability that allows unauthenticated remote code execution by taking advantage of the fact that the /api.app/template feature directly passes the user-supplied upldd parameter into a Perl eval() statement without any sanitization.
- CVE-2026-44129 (CVSS score: 8.3) – An improper neutralization of special elements used in a template engine vulnerability that allows remote attackers to execute arbitrary template expressions and potentially achieve remote code execution depending on the enabled template plugins.
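One way to hunt for attempts against the two unauthenticated api.app issues in the list above (CVE-2026-44127 and CVE-2026-44128) in web access logs; this is an added example, not code from InfoGuard Labs or SEPPmail. The combined log format, the allowlist for upldd, the query parameter name `f` and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoints and the parameter name are taken from the CVE descriptions above.
PREVIEW = "/api.app/attachment/preview"        # CVE-2026-44127
TEMPLATE = "/api.app/template"                 # CVE-2026-44128
SAFE_UPLDD = re.compile(r"[A-Za-z0-9_.-]*")    # assumed allowlist, tune locally
# Assumed layout: combined log format; only the quoted request line is used.
REQ = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(s, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (double-encoding evasion)."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify(line):
    """Return finding tags for one access-log line (empty list if clean)."""
    m = REQ.search(line)
    if not m:
        return []
    target = m.group(1)
    url = urlsplit(target)
    path = fully_decode(url.path)
    findings = []
    if path.startswith(PREVIEW):
        # A ".." segment anywhere in the decoded path or query values is suspicious.
        parts = re.split(r"[/?&=]", fully_decode(target).replace("\\", "/"))
        if ".." in parts:
            findings.append("preview-traversal")
    if path.startswith(TEMPLATE):
        # Only query-string values are visible here; POST bodies need other telemetry.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == "upldd" and not SAFE_UPLDD.fullmatch(fully_decode(value)):
                findings.append("template-upldd")
    return findings

def scan(lines):
    """Return (line_number, tags) for every line with at least one finding."""
    return [(n, tags) for n, line in enumerate(lines, 1) if (tags := classify(line))]

# Constructed sample lines (documentation IP ranges, made-up values).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET /api.app/attachment/preview?f=..%2F..%2Fexample.txt HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2026:10:00:01 +0000] "GET /api.app/attachment/preview?f=%252e%252e%2Fexample.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2026:10:00:02 +0000] "GET /api.app/template?upldd=a%28b%29 HTTP/1.1" 200 64',
    '198.51.100.7 - - [01/Jan/2026:10:00:03 +0000] "GET /api.app/template?upldd=report_01 HTTP/1.1" 200 64',
    '203.0.113.5 - - [01/Jan/2026:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
```

Calling `scan(SAMPLE)` flags the first three lines and leaves the benign template request and the unrelated request alone. Findings are leads for review, not proof of compromise.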
In a hypothetical attack scenario, a threat actor could exploit CVE-2026-2743 to overwrite the system’s syslog configuration (“/etc/syslog.conf”) by making use of the “nobody” user’s write access to the file and ultimately obtain a Perl-based reverse shell. The end result is a complete takeover of the SEPPmail appliance, permitting the attacker to read all mail traffic and persist indefinitely on the gateway.
One significant hurdle that an attacker must overcome to achieve remote code execution is that syslogd re-reads the configuration only upon receiving the SIGHUP (aka “signal hang up”) signal. Syslogd is a Linux system daemon responsible for writing system messages to log files or a user’s terminal.
“The appliance uses newsyslog for log rotation (e.g., resulting in logfile.0), which runs every 15 minutes via cron,” the researchers explained. “newsyslog rotates files that exceed a size limit and then automatically sends a SIGHUP to syslogd. By bloating log files like SEPPMaillog, which has a 10,000 KB limit in this case, we are able to force a rotation and a subsequent config reload. These can be filled by just sending web requests.”
While CVE-2026-44128 is said to have been fixed in version 15.0.2.1, CVE-2026-44126 was addressed with the release of version 15.0.3. The remaining vulnerabilities have been patched in version 15.0.4.
The disclosure comes weeks after SEPPmail shipped updates to resolve another critical flaw (CVE-2026-27441, CVSS score: 9.5) that could allow arbitrary operating system command execution.



