Critical vulnerabilities have surfaced in the SEPPMail Secure E-Mail Gateway, a prominent email security solution for enterprises. These flaws potentially allow attackers to execute remote code and access email traffic without authorization, according to a report released by InfoGuard Labs researchers Dario Weiss, Manuel Feifel, and Olivier Becker.
Path Traversal and Code Execution Risks
The SEPPMail vulnerabilities include a severe path traversal issue, designated as CVE-2026-2743, with a maximum CVSS score of 10.0. This flaw in the large file transfer feature of the user web interface can be exploited to write arbitrary files, leading to remote code execution. Another notable vulnerability, CVE-2026-44128, allows remote code execution by injecting untrusted data into a Perl eval() statement.
Unauthenticated Access and Information Exposure
Several vulnerabilities in the SEPPMail system permit unauthorized access to sensitive information. CVE-2026-7864 exposes system environment variables through an unauthenticated endpoint. In addition, CVE-2026-44125 and CVE-2026-44126 permit unauthorized remote access to functionality that should require a valid session.
Mitigation and Future Outlook
SEPPMail has released patches addressing these vulnerabilities, with CVE-2026-44128 fixed in version 15.0.2.1 and CVE-2026-44126 addressed in version 15.0.3. The remaining issues have been resolved in version 15.0.4. The disclosure follows recent fixes for another critical flaw, underscoring the ongoing need for vigilance in email security.
The discovered vulnerabilities highlight the importance of regular system updates and security audits to prevent unauthorized access and maintain secure communication channels. Organizations are advised to apply the patches promptly and monitor their systems for unusual activity.
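For patch triage, the fixed-in versions listed above can be turned into a per-appliance check of which of these CVEs are still open. This is an added example, not SEPPMail or InfoGuard Labs code. It assumes dotted numeric version strings of up to four parts that order numerically, and that each fix is carried into later releases; the hostnames and inventory are constructed.

```python
import re

# Fixed-in versions exactly as stated in the article.
FIXED_IN = {
    "CVE-2026-44128": "15.0.2.1",
    "CVE-2026-44126": "15.0.3",
    "CVE-2026-2743": "15.0.4",
    "CVE-2026-7864": "15.0.4",
    "CVE-2026-44125": "15.0.4",
}

_VERSION_RE = re.compile(r"[0-9]+(?:\.[0-9]+){0,3}")


def parse_version(text):
    """Turn '15.0.3' into (15, 0, 3, 0) so 3- and 4-part versions compare correctly."""
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def outstanding_cves(installed):
    """CVEs from the article whose fixed-in version is newer than `installed`."""
    have = parse_version(installed)
    open_cves = [(parse_version(fix), cve) for cve, fix in FIXED_IN.items()
                 if parse_version(fix) > have]
    return [cve for _, cve in sorted(open_cves)]


def triage(inventory):
    """Map host -> list of open CVEs, or None when the version needs manual review."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = outstanding_cves(version)
        except ValueError:
            report[host] = None  # never treat an unreadable version as patched
    return report


if __name__ == "__main__":
    # Constructed inventory: hostnames and reported versions are made up.
    sample = {"gw-a.example": "15.0.2.1", "gw-b.example": "15.0.3",
              "gw-c.example": "15.0.4", "gw-d.example": "unknown"}
    for host, cves in triage(sample).items():
        print(host, "MANUAL REVIEW" if cves is None else (cves or "patched"))
```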
