SEPPMail Secure E-Mail Gateway Vulnerabilities Enable RCE and Mail Traffic Access
The Hacker NewsArchived May 19, 2026✓ Full text saved
Critical security vulnerabilities have been disclosed in SEPPMail Secure E-Mail Gateway, an enterprise-grade email security solution, that could be exploited to achieve remote code execution and enable an attacker to read arbitrary mails from the virtual appliance. "These vulnerabilities could have been exploited to read all mail traffic or as an entry vector into the internal network,"
Full text archived locally
✦ AI Summary· Claude Sonnet
SEPPMail Secure E-Mail Gateway Vulnerabilities Enable RCE and Mail Traffic Access
Ravie LakshmananMay 19, 2026Vulnerability / Email Security
Critical security vulnerabilities have been disclosed in SEPPMail Secure E-Mail Gateway, an enterprise-grade email security solution, that could be exploited to achieve remote code execution and enable an attacker to read arbitrary mails from the virtual appliance.
"These vulnerabilities could have been exploited to read all mail traffic or as an entry vector into the internal network," InfoGuard Labs researchers Dario Weiss, Manuel Feifel, and Olivier Becker said in a Monday report.
The list of identified flaws is as follows -
CVE-2026-2743 (CVSS score: 10.0) - A path traversal vulnerability in the SeppMail User Web Interface's large file transfer (LFT) feature that could enable arbitrary file write, resulting in remote code execution.
CVE-2026-7864 (CVSS score: 6.9) - An exposure of sensitive system information vulnerability that leaks server environment variables through an unauthenticated endpoint in the new GINA UI.
CVE-2026-44125 (CVSS score: 9.3) - A missing authorization check vulnerability for multiple endpoints in the new GINA UI that allows unauthenticated remote attackers to access functionality that would otherwise require a valid session.
CVE-2026-44126 (CVSS score: 9.2) - A deserialization of untrusted data vulnerability that allows unauthenticated remote attackers to execute code via a crafted serialized object.
CVE-2026-44127 (CVSS score: 8.8) - An unauthenticated path traversal vulnerability in "/api.app/attachment/preview" that allows remote attackers to read arbitrary local files and trigger deletion of files in the targeted directory with the privileges of the "api.app" process.
CVE-2026-44128 (CVSS score: 9.3) - An eval injection vulnerability that allows unauthenticated remote code execution by taking advantage of the fact that the /api.app/template feature directly passes user-supplied upldd parameter into a Perl eval() statement without any sanitization.
CVE-2026-44129 (CVSS score: 8.3) - An improper neutralization of special elements used in a template engine vulnerability that allows remote attackers to execute arbitrary template expressions and potentially achieve remote code execution depending on the enabled template plugins.
In a hypothetical attack scenario, a threat actor could exploit CVE-2026-2743 to overwrite the system's syslog configuration ("/etc/syslog.conf") by making use of the "nobody" user's write access to the file and ultimately obtain a Perl-based reverse shell. The end result is a complete takeover of the SEPPmail appliance, permitting the attacker to read all mail traffic and persist indefinitely on the gateway.
One significant hurdle that an attacker must overcome to achieve remote code execution is that syslogd re-reads the configuration only upon receiving the SIGHUP (aka "signal hang up") signal. Syslogd is a Linux system daemon responsible for writing system messages to log files or a user's terminal.
"The appliance uses newsyslog for log rotation (e.g., leading to logfile.0), which runs every 15 minutes via cron," the researchers explained. "newsyslog rotates files that exceed a size limit and then automatically sends a SIGHUP to syslogd. By bloating log files like SEPPMaillog, which has a 10,000 KB limit in this case, we can force a rotation and a subsequent config reload. These can be filled by just sending web requests."
While CVE-2026-44128 is said to have been fixed by version 15.0.2.1, CVE-2026-44126 was addressed with the release of version 15.0.3. The remaining vulnerabilities have been patched in version 15.0.4.
The disclosure comes weeks after SEPPmail shipped updates to resolve another critical flaw (CVE-2026-27441, CVSS score: 9.5) that could allow arbitrary operating system command execution.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
SHARE
Tweet
Share
Share
SHARE
cybersecurity, email security, Patch Management, remote code execution, SEPPMail, Vulnerability
⚡ Top Stories This Week
New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution
ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories
18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE
On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email
Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access
⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption
Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation
Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws
Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI and More Packages
Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak
Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence
cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor
Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation
[Webinar] How Modern Attack Paths Cross Code, Pipelines, and Cloud
Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday
Load More ▼
⭐ Featured Resources
[eBook] Get the 3-Number SOC Diagnostic to Reduce Queue Risk
[Guide] Stop Email Fraud Before It Turns Into Ransomware Damage
Identify Internal Attack Surfaces More Efficiently With a Free Assessment
[Webinar] Learn How to Handle Critical SOC Alerts With AI Support