
A set of security vulnerabilities, including one rated critical, has been disclosed in SEPPmail Secure E-Mail Gateway, an enterprise-grade email security solution. Chained together, the flaws could be exploited to achieve remote code execution and allow an attacker to read arbitrary email on the virtual appliance.
“These vulnerabilities could be exploited to read all email traffic or as a point of entry into internal networks,” InfoGuard Labs researchers Dario Weiss, Manuel Feifel and Olivier Becker said in a report Monday.
The list of identified defects is as follows:
CVE-2026-2743 (CVSS score: 10.0) – A path traversal vulnerability in the large file transfer (LFT) functionality of the SEPPmail user web interface that could allow arbitrary file writes and, as a consequence, remote code execution.
CVE-2026-7864 (CVSS score: 6.9) – A sensitive system information exposure vulnerability that allows server environment variables to be leaked via an unauthenticated endpoint in the new GINA UI.
CVE-2026-44125 (CVSS score: 9.3) – Missing authentication checks on multiple endpoints in the new GINA UI that allow an unauthenticated, remote attacker to access functionality that requires a valid session.
CVE-2026-44126 (CVSS score: 9.2) – A deserialization of untrusted data vulnerability that allows unauthenticated, remote attackers to execute code via a crafted serialized object.
CVE-2026-44127 (CVSS score: 8.8) – An unauthenticated path traversal vulnerability in “/api.app/attachment/preview” that allows remote attackers to read arbitrary local files and trigger deletion of files in the targeted directory with the permissions of the “api.app” process.
CVE-2026-44128 (CVSS score: 9.3) – An eval injection vulnerability that allows unauthenticated remote code execution because the /api.app/template function passes user-supplied upldd parameters directly to Perl’s eval() without sanitization.
CVE-2026-44129 (CVSS score: 8.3) – An improper neutralization of special elements used in a template engine vulnerability that could allow remote attackers to execute arbitrary template expressions, resulting in remote code execution depending on the enabled template plugin.
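Two of the listed flaws (CVE-2026-2743 and CVE-2026-44127) are path traversals, the class of bug where a user-supplied filename is joined onto a server-side directory without checking that the result stays inside it. The following is an added example, not code from SEPPmail or the InfoGuard report, showing the careless join next to a hardened version for an upload handler. The upload directory, function names and sample filenames are assumptions for illustration; the hardened function also covers the symlink case, where a plain string check passes but the canonical path still escapes the root.

```python
import posixpath
from pathlib import Path

# Assumed upload directory for an LFT-style feature; illustrative, not from the advisory.
UPLOAD_ROOT = Path("/var/lft/uploads")


def vulnerable_target(filename: str, root: Path = UPLOAD_ROOT) -> str:
    """Naive join of a user-supplied filename: '../' sequences walk out of the root.

    Returns the path a careless implementation would open for writing, so the
    effect of a traversal string can be seen without touching the filesystem.
    """
    return posixpath.normpath(posixpath.join(root.as_posix(), filename))


def safe_target(filename: str, root: Path = UPLOAD_ROOT) -> Path:
    """Return the only path an upload called `filename` may ever be written to.

    `filename` is the already URL-decoded value the web framework hands over
    (decode exactly once, before this check, never again afterwards).
    Raises ValueError on anything that is not a single, plain path component.
    """
    if not filename or filename != filename.strip():
        raise ValueError("empty or whitespace-padded filename")
    if "\x00" in filename:
        raise ValueError("NUL byte in filename")
    # Reject separators outright instead of stripping them: a client that
    # sends 'a/../b' is not sending a filename, it is probing the handler.
    if "/" in filename or "\\" in filename:
        raise ValueError("path separators are not allowed in an upload name")
    if filename in (".", ".."):
        raise ValueError("dot entries are not filenames")

    root_resolved = root.resolve()
    candidate = (root_resolved / filename).resolve()
    # Defense in depth: even after the string checks, the canonical path must
    # be a direct child of the canonical root. This catches a pre-existing
    # symlink inside the upload directory that points somewhere else.
    if candidate.parent != root_resolved:
        raise ValueError("resolved path escapes upload root")
    return candidate


def is_accepted(filename: str, root: Path = UPLOAD_ROOT) -> bool:
    """True if `filename` passes safe_target, False if it is rejected."""
    try:
        safe_target(filename, root)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: one legitimate name, one traversal attempt.
    for name in ("report.pdf", "../../../etc/syslog.conf"):
        print(f"{name!r}: naive -> {vulnerable_target(name)}, hardened accepts -> {is_accepted(name)}")
```

The important design choice is rejecting rather than sanitising: stripping `..` segments or taking a basename silently turns a probe into a successful upload under a different name, which hides the attempt from logs and from the person reviewing them. Returning an error keeps the event visible.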
In a hypothetical attack scenario, an attacker could exploit CVE-2026-2743 to overwrite the system’s syslog configuration (‘/etc/syslog.conf’), which the ‘nobody’ user has write access to, ultimately obtaining a Perl-based reverse shell. The end result is a complete takeover of the SEPPmail appliance, allowing the attacker to read all email traffic and persist on the gateway indefinitely.
One of the key hurdles an attacker must overcome to remotely execute code is that syslogd only rereads its configuration when it receives a SIGHUP (“hangup”) signal. syslogd is the Linux system daemon responsible for writing system messages to log files or to the user’s terminal.
“The appliance uses newsyslog for log rotation (e.g. logfile.0), which is run every 15 minutes via cron,” the researchers explained. “newsyslog rotates files that exceed the size limit and automatically sends a SIGHUP to syslogd. In this case, you can force a rotation and subsequent configuration reload by growing a log file like SEPPMaillog, which has a 10,000 KB limit. These can be satisfied by simply sending a web request.”
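The chain described above only works because a low-privileged process can write the syslog configuration and the daemon will later reload it. A defender who wants to check an appliance, or a baseline image, for that precondition can audit the file directly. The script below is an added example, not part of the report or of SEPPmail’s tooling: it flags a syslog.conf that is not root-owned or is group/world-writable, lists configuration lines whose action pipes messages into a program (an action BSD-style syslogd supports and that should be rare on a mail gateway), and compares the file against a known-good hash. The sample configuration, the hash baseline and the function names are constructed for the example.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, List

# Constructed sample syslog.conf (not the appliance's real file) so the script runs offline.
SAMPLE_SYSLOG_CONF = """\
# constructed example configuration
*.err;kern.warning;auth.notice;mail.crit    /var/log/messages
mail.info                                   /var/log/maillog
local0.*                                    |/usr/local/bin/forward-alerts
"""


def permission_findings(mode: int, uid: int, gid: int, expected_uid: int = 0) -> List[str]:
    """Describe why a config file that must only be root-writable is not.

    `mode` is the permission bits (stat.S_IMODE), `uid`/`gid` the owner ids.
    An empty list means the file is root-owned and writable only by its owner.
    """
    findings = []
    if uid != expected_uid:
        findings.append(f"owner uid {uid} is not {expected_uid}")
    if mode & stat.S_IWGRP:
        findings.append(f"group-writable (gid {gid})")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def pipe_actions(conf_text: str) -> List[str]:
    """Return syslog.conf lines whose action field pipes messages into a program.

    Comments and blank lines are skipped; the selector and action are split on
    the first run of whitespace, as syslogd does.
    """
    hits = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if len(parts) == 2 and parts[1].lstrip().startswith("|"):
            hits.append(stripped)
    return hits


def sha256_text(text: str) -> str:
    """Hex SHA-256 of the file content, used to compare against a known-good copy."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_syslog_conf(path: str, baseline_sha256: str) -> Dict[str, object]:
    """Stat and read `path`, returning the three checks as one report."""
    st = os.stat(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return {
        "permissions": permission_findings(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid),
        "pipe_actions": pipe_actions(text),
        "changed_since_baseline": sha256_text(text) != baseline_sha256,
    }


if __name__ == "__main__":
    # Write the constructed config to a temp file and audit it against a
    # deliberately different baseline, so every check has something to report.
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as tmp:
        tmp.write(SAMPLE_SYSLOG_CONF)
        tmp_path = tmp.name
    os.chmod(tmp_path, 0o666)
    try:
        for key, value in audit_syslog_conf(tmp_path, sha256_text("known-good placeholder")).items():
            print(f"{key}: {value}")
    finally:
        os.unlink(tmp_path)
```

Run against the real file (`audit_syslog_conf("/etc/syslog.conf", baseline)`), the baseline hash should come from a copy taken before the appliance was exposed, for example from the vendor image; a hash recorded after a compromise only confirms the attacker’s version. The permission check is the one that maps to the scenario in the article: if the file is writable by the user the web application runs as, a single arbitrary-file-write bug is enough to reach the daemon.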
CVE-2026-44128 is said to be fixed in version 15.0.2.1, while CVE-2026-44126 was resolved with the release of version 15.0.3. The remaining vulnerabilities have been patched in version 15.0.4.
This disclosure comes weeks after SEPPmail shipped an update to resolve another critical flaw (CVE-2026-27441, CVSS score: 9.5) that allowed the execution of arbitrary operating system commands.
