Critical security vulnerabilities have been disclosed in SEPPmail Secure Email Gateway that allow attackers to achieve remote code execution and read arbitrary emails from the virtual appliances. Experts think these vulnerabilities could be exploited to read all mail traffic or serve as an entry vector into internal networks.
For those unfamiliar, SEPPmail Secure Email Gateway is an enterprise-grade email security solution widely deployed across the DACH region (Germany, Austria, and Switzerland). The virtual appliance secures email exchange between companies and external recipients, particularly where encrypted messages, large file transfers, and secure communications are required. Organizations use SEPPmail to protect sensitive email traffic through encryption and secure message handling. Censys data indicates that several thousand public instances exist, making the impact of the vulnerabilities potentially widespread.
The most severe flaw, CVE-2026-2743, received a CVSS score of 10.0, the maximum severity rating. This path traversal vulnerability affects the Large File Transfer feature in the SEPPmail User Web Interface and enables arbitrary file write, resulting in remote code execution. CVE-2026-7864, with a CVSS score of 6.9, exposes sensitive system information by leaking server environment variables through an unauthenticated endpoint in the new GINA UI.
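To illustrate the bug class behind CVE-2026-2743, the following added example (not SEPPmail's code and not taken from the advisory) contrasts an upload path built directly from a client-supplied name with one that is resolved and confined to the storage directory. The function names, the `lft-store` directory and the sample file names are hypothetical.

```python
import os
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """Raised when an upload name would resolve outside the storage root."""


def naive_target(root: Path, client_name: str) -> Path:
    # Vulnerable pattern: the client-supplied name is joined as-is, so
    # "../" segments or an absolute path decide where the file lands.
    return Path(os.path.normpath(os.path.join(root, client_name)))


def safe_target(root: Path, client_name: str) -> Path:
    # Hardened pattern: resolve symlinks and ".." first, then require the
    # result to stay strictly inside the storage root.
    if not client_name or "\x00" in client_name:
        raise UnsafePath("empty name or NUL byte")
    root = root.resolve()
    candidate = (root / client_name).resolve()
    if candidate == root or root not in candidate.parents:
        raise UnsafePath(f"{client_name!r} escapes {root}")
    return candidate


# Constructed sample names, not taken from any real request.
SAMPLES = ["report.pdf", "a/../b.bin", "../../outside.conf", "/tmp/absolute.bin"]


def demo() -> dict:
    # A temporary directory stands in for the upload store (assumption).
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "lft-store").resolve()
        root.mkdir()
        results = {}
        for name in SAMPLES:
            try:
                safe_target(root, name)
                results[name] = "accepted"
            except UnsafePath:
                results[name] = "rejected"
            # Record whether the naive join would have left the store.
            results["naive:" + name] = root in naive_target(root, name).parents
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The same containment check works as a log or audit rule: any write whose resolved path is not under the expected store is worth an alert.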
Additional vulnerabilities include CVE-2026-44128, with a CVSS score of 9.3, which allows unauthenticated remote code execution through Perl code injection. The vulnerability passes user-specified parameters directly to Perl's eval statement without sanitization. CVE-2026-44127 enables attackers to read arbitrary files, including stored emails, LDAP databases, and cryptographic material, raising concerns about large-scale data exposure.
Threat actors could exploit CVE-2026-2743 to overwrite the system's syslog configuration and ultimately obtain a Perl-based reverse shell, resulting in complete takeover of the SEPPmail appliance.
Organizations using SEPPmail should take immediate action and upgrade to patched versions 15.0.2.1, 15.0.3, 15.0.4 or later. Security teams should disable unused features such as LFT and GINA v2 if they are not required. According to security advisories, administrators must restrict external access to management and API endpoints and monitor logs for unusual file writes or API activity.

