Full Report
Critical security vulnerabilities have been disclosed in SEPPMail Secure E-Mail Gateway, an enterprise-grade email security solution, that could be exploited to achieve remote code execution and enable an attacker to read arbitrary mails from the virtual appliance. "These vulnerabilities could have been exploited to read all mail traffic or as an entry vector into the internal network,"
Analysis Summary
# Vulnerability: Multiple Critical Flaws in SEPPMail Secure E-Mail Gateway
## CVE Details
- **CVE ID:** CVE-2026-2743, CVE-2026-7864, CVE-2026-44125, CVE-2026-44126, CVE-2026-44127, CVE-2026-44128, CVE-2026-44129
- **CVSS Score:** 6.9 to 10.0 (Medium to Critical)
- **CWE:** Path Traversal, Missing Authorization, Deserialization of Untrusted Data, Eval Injection, Improper Neutralization of Template Expressions
## Affected Systems
- **Products:** SEPPMail Secure E-Mail Gateway
- **Versions:** Versions prior to 15.0.4 are affected by various combinations of these flaws.
- **Configurations:** Systems using the Large File Transfer (LFT) feature, the GINA UI, or the API application endpoint.
## Vulnerability Description
Researchers at InfoGuard Labs identified a chain of vulnerabilities that allow for Remote Code Execution (RCE) and unauthorized data access.
- **CVE-2026-2743** involves a path traversal in the LFT feature allowing arbitrary file writes.
- **CVE-2026-44128** is an Eval Injection flaw where the `upldd` parameter is passed directly to a Perl `eval()` statement.
- **CVE-2026-44126** involves insecure deserialization.
- **CVE-2026-44127** allows unauthenticated path traversal to read or delete local files via the API.
## Exploitation
- **Status:** PoC described in research report (Path Traversal to RCE via syslog configuration overwrite).
- **Complexity:** Medium (Requires specific steps like bloating log files to trigger a SIGHUP via newsyslog for certain RCE vectors).
- **Attack Vector:** Network (Unauthenticated remote access).
## Impact
- **Confidentiality:** High (Ability to read all mail traffic and local system files).
- **Integrity:** High (Ability to write arbitrary files and execute code).
- **Availability:** High (Potential for file deletion and system takeover).
## Remediation
### Patches
- **Version 15.0.2.1:** Fixed CVE-2026-44128.
- **Version 15.0.3:** Fixed CVE-2026-44126.
- **Version 15.0.4:** Fixes all remaining vulnerabilities (CVE-2026-2743, CVE-2026-7864, CVE-2026-44125, CVE-2026-44127, CVE-2026-44129).
### Workarounds
- No specific workarounds provided; immediate update to version 15.0.4 is strongly recommended.
## Detection
- **Indicators of Compromise:** Unusual modifications to `/etc/syslog.conf`, unexpected Perl processes, or rapid bloating of `SEPPMaillog`.
- **Detection methods:** Monitor for directory traversal attempts (e.g., `../`) in web server logs, specifically targeting `/api.app/attachment/preview` or the LFT interface.
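One way to run the web-log check above over access logs, written here as an added example (not code from InfoGuard Labs, SEPPmail or the report). The log lines are constructed, `/api.app/attachment/preview` comes from the advisory, and the `/lft` prefix is an assumption because the page does not name the LFT interface path; it also catches percent-encoded and double-encoded `../`, which a plain string match on `../` misses.

```python
"""Flag directory-traversal attempts in common-log-format web server lines,
rating hits against the SEPPMail endpoints named in the advisory as high."""
import re
from urllib.parse import unquote

# Paths from the advisory; "/lft" is an assumed prefix for the LFT interface.
WATCHED_PATHS = ("/api.app/attachment/preview", "/lft")

# ip ident user [timestamp] "METHOD url proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." bounded by a separator on the left and a slash/backslash or end on the right.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=&?])\.\.(?:[/\\]|$)')


def decode_url(url: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded ../ (%252e%252e%252f) is seen."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def check_line(line: str, lineno: int):
    """Return a finding dict for a traversal attempt, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None                      # unparseable line: skip, do not crash
    url = decode_url(m.group("url"))
    if not TRAVERSAL_RE.search(url):
        return None
    watched = any(p in url for p in WATCHED_PATHS)
    return {"line": lineno, "ip": m.group("ip"), "ts": m.group("ts"),
            "url": url, "status": m.group("status"),
            "severity": "high" if watched else "low"}


def scan_log(lines):
    """Scan an iterable of log lines; returns findings in file order."""
    findings = []
    for n, line in enumerate(lines, 1):
        f = check_line(line, n)
        if f:
            findings.append(f)
    return findings


# Constructed sample lines (not real traffic): plain, encoded, benign, off-target, double-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/May/2026:10:00:01 +0000] "GET /api.app/attachment/preview?file=../../../etc/passwd HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/May/2026:10:00:02 +0000] "GET /api.app/attachment/preview?file=..%2F..%2F..%2Fetc%2Fsyslog.conf HTTP/1.1" 200 128',
    '198.51.100.7 - - [01/May/2026:10:00:03 +0000] "GET /api.app/attachment/preview?file=invoice.pdf HTTP/1.1" 200 4096',
    '198.51.100.7 - - [01/May/2026:10:00:04 +0000] "GET /static/logo.png?x=../../etc/passwd HTTP/1.1" 404 0',
    '203.0.113.5 - - [01/May/2026:10:00:05 +0000] "POST /lft/upload?name=%252e%252e%252fetc%252fsyslog.conf HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:4} line {f['line']} {f['ip']} {f['status']} {f['url']}")
```

Point `scan_log` at a real access log (e.g. `scan_log(open(path))`) and forward the high-severity findings to your SIEM; a 200 status on a traversal request against a watched path deserves immediate triage.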
## References
- InfoGuard Labs Research: hxxps[://]labs[.]infoguard[.]ch/posts/seppmail_secure_e-mail_gateway_rce_vulnerabilities_cve-2026-2743_cve-2026-7864_cve-2026-44127_cve-2026-44128/
- SEPPmail Release Notes: hxxps[://]downloads[.]seppmail[.]com/extrelnotes/150/ERN15.0.html
- The Hacker News Report: hxxps[://]thehackernews[.]com/2026/05/seppmail-secure-e-mail-gateway.html