Published on May 19, 2026

SEPPMail Secure E-Mail Gateway Vulnerabilities Enable RCE and Mail Traffic Access


Severity
Medium

Detail

Security researchers have disclosed multiple critical vulnerabilities in the SEPPMail Secure E-Mail Gateway, an enterprise email security and encryption solution, that could allow attackers to achieve remote code execution (RCE) and access sensitive email traffic stored on the appliance.

The flaws were identified by researchers from InfoGuard Labs, including Dario Weiss, Manuel Feifel, and Olivier Becker. According to their findings, successful exploitation could allow attackers to read all email traffic passing through the gateway or use the device as a foothold to infiltrate internal networks.

A total of seven vulnerabilities were reported, including critical path traversal, deserialization, template injection, and eval injection flaws. The most severe issues include CVE-2026-2743, a CVSS 10.0 path traversal vulnerability in the large file transfer (LFT) feature that can lead to arbitrary file writes and remote code execution, and CVE-2026-44126, a deserialization flaw allowing unauthenticated attackers to execute code by sending crafted objects. Other issues include unauthenticated API access, sensitive information disclosure, and improper template handling that could all contribute to full system compromise.

One of the attack paths described by researchers shows how CVE-2026-2743 could be used to overwrite system configuration files such as /etc/syslog.conf, potentially leading to execution of malicious code through syslog behavior. Attackers could exploit the system’s log rotation mechanism, where oversized log files trigger automatic rotation every 15 minutes via newsyslog, which in turn sends a SIGHUP signal causing syslogd to reload its configuration. By deliberately inflating log files through repeated web requests, attackers can force this cycle and trigger malicious configuration reloads.

How?

The attack chain begins with an unauthenticated attacker targeting exposed SEPPMail gateway services over the network. By exploiting path traversal or deserialization vulnerabilities, the attacker gains the ability to write or execute files on the underlying appliance system.

In the most severe scenario, the attacker abuses the LFT file transfer feature (CVE-2026-2743) to place or overwrite system-critical files. Using the restricted “nobody” user’s write permissions, they can manipulate configuration files such as syslog settings. Once the system logs grow beyond a threshold (10,000 KB in this case), automatic log rotation is triggered. This causes newsyslog to execute, which sends a SIGHUP signal to syslogd, forcing it to reload its configuration and inadvertently execute attacker-controlled settings.

Other vulnerabilities, such as CVE-2026-44128, allow attackers to inject code directly into Perl eval() functions, while CVE-2026-44129 enables exploitation of template engines to execute arbitrary template expressions. Combined with missing authorization checks (CVE-2026-44125) and information disclosure flaws (CVE-2026-7864), attackers can chain these issues to escalate from unauthenticated access to full remote code execution on the gateway.

Once compromised, the attacker gains the ability to intercept, read, modify, or exfiltrate all emails passing through the SEPPMail appliance, as well as establish persistent access within the organization’s internal network.

Conclusion

The SEPPMail Secure E-Mail Gateway vulnerabilities represent a high-impact security risk because they affect a central component in enterprise email infrastructure. The combination of unauthenticated access flaws, code injection vectors, and file traversal issues makes it possible for attackers to fully compromise the system without valid credentials.

Although patches have been released in versions 15.0.2.1, 15.0.3, and 15.0.4 depending on the vulnerability, unpatched systems remain highly exposed to exploitation. Organizations using SEPPMail are strongly advised to upgrade immediately, restrict external access to administrative interfaces, and monitor gateway logs for signs of suspicious file uploads or abnormal log growth patterns.
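The two defensive signals this advisory points at (the rotation cycle described under "How?" and the log-monitoring advice above) can be checked with a small script. The following is an added example, not code from SEPPMail, InfoGuard Labs or the article: it flags log growth large enough to force a newsyslog rotation within one 15-minute interval, records each rotation, and reports drift in /etc/syslog.conf against a recorded baseline hash. The log samples and the syslog.conf content are constructed here for illustration.

```python
"""Defender-side checks for the signals named in the advisory: growth of a log
file fast enough to force newsyslog rotation, and drift in /etc/syslog.conf."""
import hashlib
from datetime import datetime, timedelta

ROTATION_SIZE_KB = 10_000                   # rotation threshold cited in the advisory
ROTATION_INTERVAL = timedelta(minutes=15)   # newsyslog check interval cited in the advisory


def config_drift(baseline_sha256: str, current: bytes) -> bool:
    """True when the live syslog.conf no longer matches the recorded baseline hash."""
    return hashlib.sha256(current).hexdigest() != baseline_sha256


def log_growth_alerts(samples, window=ROTATION_INTERVAL, size_kb=ROTATION_SIZE_KB):
    """samples: time-ordered (timestamp, size_kb) readings of one log file.

    Emits a "fast_growth" alert for any window in which the file gained at least
    the rotation size (enough to force a rotation and a SIGHUP to syslogd), and a
    "rotation" alert for every size drop, which marks a rotation having happened."""
    alerts = []
    for i, (t_end, end_kb) in enumerate(samples):
        if i and end_kb < samples[i - 1][1]:
            alerts.append(("rotation", samples[i - 1][0], t_end, samples[i - 1][1]))
        # earliest reading that still lies inside the window ending at t_end
        in_window = [(t, kb) for t, kb in samples[:i] if t_end - t <= window]
        if in_window and end_kb - in_window[0][1] >= size_kb:
            alerts.append(("fast_growth", in_window[0][0], t_end, end_kb - in_window[0][1]))
    return alerts


# Constructed sample: ~50 KB per 5 min is normal, then the file balloons and rotates.
T0 = datetime(2026, 5, 19, 12, 0)
SAMPLES = [
    (T0, 100), (T0 + timedelta(minutes=5), 150), (T0 + timedelta(minutes=10), 200),
    (T0 + timedelta(minutes=15), 4200), (T0 + timedelta(minutes=20), 8200),
    (T0 + timedelta(minutes=25), 12200), (T0 + timedelta(minutes=30), 50),
]
# Constructed baseline: hash of the known-good syslog.conf taken at deployment time.
GOOD_CONF = b"*.err;kern.warning /var/log/messages\n"
BASELINE = hashlib.sha256(GOOD_CONF).hexdigest()

if __name__ == "__main__":
    for alert in log_growth_alerts(SAMPLES):
        print(alert)
    print("syslog.conf drift:", config_drift(BASELINE, GOOD_CONF + b"# changed\n"))
```

In practice the size readings come from a periodic stat of the appliance's log files and the baseline hash from a copy of syslog.conf taken before exposure; any drift or a rotation forced by a burst of web requests is worth an immediate look.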

Source

https://thehackernews.com/2026/05/seppmail-secure-e-mail-gateway.html