Researchers disclose critical SEPPMail gateway flaws that could allow remote code execution

A technical analysis by InfoGuard Labs says critical flaws in the SEPPmail Secure E-Mail Gateway could let remote attackers execute code and read arbitrary mail from the virtual appliance. The disclosure covers seven CVEs, including two rated CVSS 10.0 and several others above 9.0.

KEY FACTS

  • Impact: Attackers could read mail traffic, take over the appliance, or use it as an entry point into an internal network.
  • Highest severity: CVE-2026-2743 carries a CVSS score of 10.0 and can lead to remote code execution through arbitrary file write.
  • Other issues: The disclosure lists path traversal, missing authorization, deserialization, eval injection, and template injection flaws.
  • Fixes: SEPPmail says CVE-2026-44128 was fixed in 15.0.2.1, CVE-2026-44126 in 15.0.3, and the remaining flaws in 15.0.4.

The report says CVE-2026-2743 affects the User Web Interface large file transfer feature and could allow arbitrary file write. In one scenario described by the researchers, an attacker could overwrite syslog configuration and trigger a Perl-based reverse shell after log rotation forces the service to reload.

The disclosure also cites an unauthenticated endpoint in the new GINA UI that leaks environment variables, a missing authorization check on multiple endpoints, and a deserialization flaw that could permit code execution. It also describes CVE-2026-44127 and CVE-2026-44128, which could expose local files or enable unauthenticated remote code execution.

Another issue, CVE-2026-44129, involves improper neutralization in a template engine and could let remote attackers execute template expressions. The report says some outcomes depend on enabled template plugins.

The researchers noted that syslogd only reloads configuration after a SIGHUP signal, and said log rotation by newsyslog every 15 minutes could be used to force a reload if log files are filled through web requests. SEPPmail had also recently issued updates for another critical command execution flaw, CVE-2026-27441.
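Two defender-side checks follow from the facts above: whether a given appliance version still lacks any of the fixes SEPPmail lists, and whether the syslog configuration the report says an attacker could overwrite now contains an action that runs a program or forwards logs to an unexpected host. The script below is an added example, not InfoGuard's or SEPPmail's code. It assumes a BSD-style syslog.conf (selector, whitespace, action) because the article names syslogd and newsyslog; the appliance OS, the config sample, and the host names are constructed for illustration, and only the CVE-to-version pairs the article states are included.

```python
"""Triage helpers for the SEPPmail disclosure (added example, not vendor code)."""
import re
from typing import List, Sequence, Tuple

# Fix versions exactly as the article reports SEPPmail stated them. The
# disclosure mentions further CVEs without naming them; they are not listed.
FIX_VERSIONS = {
    "CVE-2026-44128": "15.0.2.1",
    "CVE-2026-44126": "15.0.3",
    "CVE-2026-2743": "15.0.4",   # "remaining flaws fixed in 15.0.4"
    "CVE-2026-44127": "15.0.4",
    "CVE-2026-44129": "15.0.4",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '15.0.2.1' into a numeric tuple so ordering is not lexical.

    Shorter versions are right-padded with zeros, so '15.0.3' sorts
    below '15.0.3.1' and above '15.0.2.1'.
    """
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def unpatched_cves(appliance_version: str) -> List[str]:
    """Return the named CVEs whose fix is newer than the running version."""
    running = parse_version(appliance_version)
    return sorted(cve for cve, fix in FIX_VERSIONS.items()
                  if running < parse_version(fix))


# BSD syslog.conf actions that hand log data somewhere other than a local file:
# "|command" pipes into a program, "@host[:port]" forwards to a remote host.
PIPE_ACTION = re.compile(r"^\|")
REMOTE_ACTION = re.compile(r"^@")


def audit_syslog_conf(text: str,
                      allowed_remote_hosts: Sequence[str] = ()) -> List[Tuple[int, str, str]]:
    """Flag config lines whose action executes a program or forwards to an
    unlisted host. Returns (line_number, reason, raw_line) tuples."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments, and BSD section markers (!program, +host, -host).
        if not line or line[0] in "#!+-":
            continue
        parts = line.split(None, 1)  # selector, then the action
        if len(parts) < 2:
            continue
        action = parts[1].strip()
        if PIPE_ACTION.match(action):
            findings.append((n, "action pipes log data into a program", raw))
        elif REMOTE_ACTION.match(action):
            host = action[1:].split(":")[0]  # drop optional :port
            if host not in allowed_remote_hosts:
                findings.append((n, f"forwards logs to unlisted host {host}", raw))
    return findings


# Constructed sample config: the last line stands in for a tampered entry and
# deliberately carries no real payload, only a placeholder path.
SAMPLE_CONF = """\
# constructed sample, not a real appliance configuration
*.err;kern.warning;auth.notice;mail.crit\t/dev/console
mail.info\t/var/log/maillog
security.*\t/var/log/security
*.*\t@siem.example.internal:514
local7.*\t|/tmp/placeholder-script.pl
"""

if __name__ == "__main__":
    print("unpatched on 15.0.3:", unpatched_cves("15.0.3"))
    for line_no, reason, raw in audit_syslog_conf(SAMPLE_CONF, ["siem.example.internal"]):
        print(f"line {line_no}: {reason}: {raw!r}")
```

Run the audit against the live syslog.conf on a schedule shorter than the 15-minute newsyslog rotation the researchers describe, and compare its output with a known-good baseline; a pipe action that was not there yesterday is the signal to look for, and a version below 15.0.4 means the named flaws are still open regardless of what the config shows.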

WHY IT MATTERS

The flaws affect a product designed to protect enterprise email, so successful exploitation could expose sensitive messages and provide a foothold inside corporate networks. Prompt patching matters because several of the issues allow remote code execution without authentication.