"These vulnerabilities could have been exploited to read all mail traffic or as an entry vector into the internal network," InfoGuard Labs researchers Dario Weiss, Manuel Feifel, and Olivier Becker said in a Monday report.
The list of flaws and what each CVE covers
InfoGuard Labs identified a string of critical flaws in SEPPMail Secure E-Mail Gateway that together allow information disclosure, arbitrary file read and write, and unauthenticated remote code execution. The researchers enumerated the following vulnerabilities and CVSS scores:
- CVE-2026-2743 (CVSS score: 10.0) — a path traversal vulnerability in the SeppMail User Web Interface's large file transfer (LFT) feature that could enable arbitrary file write, resulting in remote code execution.
- CVE-2026-7864 (CVSS score: 6.9) — an exposure of sensitive system information vulnerability that leaks server environment variables through an unauthenticated endpoint in the new GINA UI.
- CVE-2026-44125 (CVSS score: 9.3) — a missing authorization check for multiple endpoints in the new GINA UI that allows unauthenticated remote attackers to access functionality that would otherwise require a valid session.
- CVE-2026-44126 (CVSS score: 9.2) — a deserialization of untrusted data vulnerability that allows unauthenticated remote attackers to execute code via a crafted serialized object.
- CVE-2026-44127 (CVSS score: 8.8) — an unauthenticated path traversal in "/api.app/attachment/preview" that allows remote attackers to read arbitrary local files and trigger deletion of files in the targeted directory with the privileges of the "api.app" process.
- CVE-2026-44128 (CVSS score: 9.3) — an eval injection vulnerability in the /api.app/template feature that directly passes the user-supplied upldd parameter into a Perl eval() statement without any sanitization, allowing unauthenticated remote code execution.
- CVE-2026-44129 (CVSS score: 8.3) — an improper neutralization of special elements used in a template engine that allows remote attackers to execute arbitrary template expressions and potentially achieve remote code execution depending on the enabled template plugins.
How a path traversal could cascade into full appliance takeover
The researchers detailed a plausible chain: by exploiting CVE-2026-2743 in the LFT feature, an attacker could overwrite critical configuration files — including "/etc/syslog.conf" — by making use of the "nobody" user's write access to the file. That overwrite, combined with further actions, could yield a Perl-based reverse shell and a complete takeover of the SEPPmail appliance.
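The overwrite works because the upload handler trusts the client-supplied file name. The following is an added example, not SEPPmail's code or anything from the InfoGuard report: a naive upload handler next to a hardened one, exercised against a `../etc/syslog.conf` traversal name and a symlink planted inside the upload directory. The function names, directory layout and traversal string are assumptions for illustration.

```python
"""Added example (not SEPPmail code): a naive upload handler beside a
hardened one. The traversal string, directory layout and function names
are constructed for illustration."""
import os
import shutil
import tempfile
from pathlib import Path


def naive_save(base_dir: str, user_filename: str, data: bytes) -> str:
    """Vulnerable: joins the client name as-is, so '../' walks out of base_dir."""
    target = os.path.join(base_dir, user_filename)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def safe_save(base_dir: str, user_filename: str, data: bytes) -> str:
    """Hardened: resolve the final path and refuse anything outside base_dir."""
    if "\x00" in user_filename:
        raise ValueError("NUL byte in filename")
    base = Path(base_dir).resolve()
    # An absolute client name would replace `base` in the join; resolve() also
    # follows symlinks, so a link planted inside base_dir is caught as well.
    target = (base / user_filename).resolve()
    if base not in target.parents:
        raise ValueError(f"refusing path outside upload directory: {user_filename!r}")
    with open(target, "wb") as fh:
        fh.write(data)
    return str(target)


def traversal_demo() -> dict:
    """Exercise both handlers in a scratch tree; returns what each one did."""
    root = Path(tempfile.mkdtemp()).resolve()
    try:
        uploads = root / "uploads"
        etc = root / "etc"
        uploads.mkdir()
        etc.mkdir()
        conf = etc / "syslog.conf"
        original = b"*.*\t/var/log/messages\n"  # constructed stand-in content
        conf.write_bytes(original)
        traversal = "../etc/syslog.conf"  # constructed; stands in for the LFT file name

        naive_save(str(uploads), traversal, b"evil")
        naive_overwrote = conf.read_bytes() == b"evil"
        conf.write_bytes(original)

        try:
            safe_save(str(uploads), traversal, b"evil")
            safe_blocked = False
        except ValueError:
            safe_blocked = True
        conf_intact = conf.read_bytes() == original

        # A symlink inside the upload directory that points back out of it.
        link = uploads / "link"
        try:
            os.symlink(etc, link, target_is_directory=True)
            try:
                safe_save(str(uploads), "link/syslog.conf", b"evil")
                symlink_blocked = False
            except ValueError:
                symlink_blocked = True
        except (OSError, NotImplementedError):
            symlink_blocked = None  # platform would not create the symlink

        benign = safe_save(str(uploads), "report.pdf", b"%PDF-1.4")
        benign_written = Path(benign).parent == uploads
        return {
            "naive_overwrote": naive_overwrote,
            "safe_blocked": safe_blocked,
            "conf_intact": conf_intact,
            "symlink_blocked": symlink_blocked,
            "benign_written": benign_written,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(traversal_demo())
```

The containment check is only half of the defence: the chain above also relies on the configuration file being writable by the account the web process runs as, so the file permissions deserve the same scrutiny as the path handling.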
InfoGuard explains one operational obstacle and how an attacker could surmount it: syslogd, the system logging daemon, only re-reads its configuration when it receives SIGHUP (the hangup signal), so an overwritten syslog.conf has no effect until something triggers a reload. The appliance uses newsyslog for log rotation, run every 15 minutes from cron. newsyslog rotates any log that exceeds its configured size (the report cites a 10,000 KB limit for SEPPMaillog) and then sends SIGHUP to syslogd. By generating web requests until the log grows past that limit, an attacker forces a rotation and the reload that follows, at which point syslogd acts on the overwritten configuration.
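Because the reload itself is routine behaviour, the thing to audit is the configuration file: who can write it, and whether it contains actions that start a program. The following is an added example, not from the InfoGuard report or SEPPmail: a small syslog.conf parser that flags BSD-style `|program` actions (an assumption about what an auditor would look for; the report as summarised here does not say which action the researchers used) and a permission check for whether a low-privilege uid could rewrite the file. The sample configuration, the uid assumed for "nobody" and the paths are constructed.

```python
"""Added example (not from the InfoGuard report or SEPPmail): audit a
syslog.conf for program actions and check whether a low-privilege account
could rewrite the file. Sample config, uid and paths are constructed."""
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterable, List

NOBODY_UID = 65534  # assumed uid for 'nobody'; check /etc/passwd on the real host

SAMPLE_CONF = """\
# constructed sample, not the appliance's real syslog.conf
*.err;kern.*;auth.notice        /var/log/messages
mail.info                       /var/log/maillog
local0.*                        @loghost.example.net
*.emerg                         *
# BSD-style program action: syslogd starts this command and pipes log lines to it
*.*                             |/usr/bin/perl -e 'while(<>){}'
"""


@dataclass
class Rule:
    selector: str
    action: str
    kind: str  # file, pipe, remote, wall or users


def classify_action(action: str) -> str:
    """Map a syslog.conf action field onto the BSD syslogd action types."""
    if action.startswith("|"):
        return "pipe"
    if action.startswith("@"):
        return "remote"
    if action.startswith("/"):
        return "file"
    if action == "*":
        return "wall"
    return "users"


def parse_syslog_conf(text: str) -> List[Rule]:
    """Parse 'selector<whitespace>action' lines; comments and blanks are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+)\s+(.+)$", line)
        if not m:
            continue  # malformed line; syslogd itself would warn and skip it
        selector, action = m.group(1), m.group(2).strip()
        rules.append(Rule(selector, action, classify_action(action)))
    return rules


def mode_allows_write(st_mode: int, st_uid: int, st_gid: int,
                      uid: int, gids: Iterable[int]) -> bool:
    """Pure permission check: can (uid, gids) write a file with these stat bits?"""
    if st_uid == uid and st_mode & stat.S_IWUSR:
        return True
    if st_gid in set(gids) and st_mode & stat.S_IWGRP:
        return True
    return bool(st_mode & stat.S_IWOTH)


def audit(conf_path: str, uid: int = NOBODY_UID,
          gids: Iterable[int] = ()) -> Dict[str, object]:
    """Report program actions and whether `uid` could rewrite the config."""
    with open(conf_path, encoding="utf-8") as fh:
        rules = parse_syslog_conf(fh.read())
    st = os.stat(conf_path)
    return {
        "program_actions": [r.action for r in rules if r.kind == "pipe"],
        "config_writable_by_uid": mode_allows_write(
            st.st_mode, st.st_uid, st.st_gid, uid, gids),
        "rule_count": len(rules),
    }


def syslog_audit_demo() -> Dict[str, object]:
    """Write the constructed sample as a world-writable file and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "syslog.conf")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CONF)
        os.chmod(path, 0o666)  # the misconfiguration the chain depends on
        return audit(path)


if __name__ == "__main__":
    print(syslog_audit_demo())
```

Run `audit("/etc/syslog.conf", uid=<web-process uid>)` on a live host; a non-empty `program_actions` list on a file that `config_writable_by_uid` reports as writable is exactly the condition the chain needs, and either finding alone is worth a ticket.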
The end result, as the researchers put it, is a takeover permitting an attacker to read all mail traffic and persist indefinitely on the gateway.
Multiple remote-code paths: deserialization, eval injection, and template engines
InfoGuard's findings show more than one independent path to unauthenticated remote code execution. CVE-2026-44126 arises from deserialization of untrusted data, a classic vector where crafted serialized objects execute code when the application unserializes them. CVE-2026-44128 is an eval injection where the /api.app/template feature forwards the upldd parameter straight into a Perl eval() call with no sanitization. CVE-2026-44129 targets template-engine behavior: the improper neutralization of special elements can allow execution of arbitrary template expressions, which may lead to code execution depending on which template plugins are enabled.
Patch status and recent, related fixes
InfoGuard reported that the flaws were addressed across successive SEPPmail releases: CVE-2026-44128 is fixed in version 15.0.2.1, CVE-2026-44126 was addressed in version 15.0.3, and the remaining vulnerabilities were patched in version 15.0.4. The disclosure arrives weeks after SEPPmail issued updates for a different critical flaw, CVE-2026-27441 (CVSS score: 9.5), which could allow arbitrary operating system command execution.
How technologists, procurement leaders, and adversaries are likely to react
- Technologists and security teams will be focused on appliances that could expose mail traffic or provide an internal foothold: the report identifies multiple unauthenticated paths that can lead to remote code execution and persistent access on the gateway.
- Procurement leaders and affected enterprises using SEPPmail as an "enterprise-grade email security solution" will need to account for the sequence of fixes — CVE-2026-44128 in 15.0.2.1, CVE-2026-44126 in 15.0.3, and the remaining patches in 15.0.4 — when validating the security posture of deployed appliances.
- Adversaries and threat actors, the researchers warn, could exploit these flaws both to read all mail traffic and to use the gateway as an entry vector into internal networks, making the appliance an attractive target when present and vulnerable.
InfoGuard's disclosure ties multiple distinct weaknesses — path traversal, information leakage, missing authorization, unsafe deserialization, eval injection, and template engine flaws — into an operational picture in which a single exploited appliance can become a long-term conduit for reading enterprise mail and for lateral access. The exact scope of any real-world impact will turn on which appliance versions are present in the field and whether the released fixes have been applied.
Original report: The Hacker News — SEPPMail Secure E-Mail Gateway Vulnerabilities Enable RCE and Mail Traffic Access