Critical SEPPmail Gateway flaws could allow code execution and mail access
SEPPmail Secure E-Mail Gateway users should patch immediately after researchers disclosed critical vulnerabilities that could allow remote code execution, file access, and exposure of sensitive email traffic.
InfoGuard Labs said the flaws affect SEPPmail appliances used for encrypted email, especially in the DACH region. In the worst case, attackers could take over the gateway, read mail traffic handled by the appliance, and use the system as an entry point into internal networks.
The most serious issues include a Large File Transfer flaw that can lead to remote code execution and several GINA V2 web interface bugs that expose files, environment data, and code execution paths.
What happened
InfoGuard Labs audited the SEPPmail Secure E-Mail Gateway virtual appliance and found several high-impact vulnerabilities in exposed web components. The research focused on exploitable critical issues in the user-facing interface, Large File Transfer feature, and newer GINA V2 interface.
The vendor has released fixes across the 15.0.x branch. Administrators should update to the latest available 15.0 release, with 15.0.4 or later needed to address the full set of issues highlighted in the recent research.
Security teams should not treat this as a routine web bug. Email gateways handle sensitive communications, encryption workflows, attachments, credentials, and trusted traffic between external users and internal systems.
| CVE | Issue | Impact | Fixed version |
|---|---|---|---|
| CVE-2026-2743 | Path traversal in Large File Transfer | Arbitrary file write leading to RCE | 15.0.4 |
| CVE-2026-7864 | Unauthenticated sensitive information exposure | Environment data leak | 15.0.4 |
| CVE-2026-44125 | Missing authorization in GINA V2 | Access to protected functionality | 15.0.4 |
| CVE-2026-44126 | Insecure deserialization | Unauthenticated code execution | 15.0.3 |
| CVE-2026-44127 | Local file inclusion and arbitrary file deletion | File access and deletion | 15.0.4 |
| CVE-2026-44128 | Perl eval injection | Unauthenticated remote code execution | 15.0.2.1 |
| CVE-2026-44129 | Server-side template injection | Potential code execution depending on enabled plugins | 15.0.4 |
Why the Large File Transfer flaw is critical
CVE-2026-2743 affects the Large File Transfer feature, which handles large attachment uploads. The vulnerable backend did not properly restrict user-controlled file paths during upload handling.
That path traversal weakness can allow an attacker to write files outside the intended upload directory. InfoGuard showed that this condition could be chained into remote code execution on the SEPPmail appliance.
The issue received a critical severity rating because attackers can reach the vulnerable component over the network and do not need prior authentication in the documented attack path.
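The weakness described above is a generic one in upload handlers, so here is an added illustration (not code from SEPPmail or InfoGuard Labs) of the vulnerable pattern beside a hardened check, in Python. The upload directory `/srv/lft/uploads` and the sample filenames are constructed placeholders; the real appliance paths are not given in the article.

```python
import os


def unsafe_upload_path(upload_dir: str, client_filename: str) -> str:
    """The vulnerable pattern: the client-supplied name is joined as-is.

    Two things go wrong: '..' components are not rejected, so the result
    can point outside upload_dir, and os.path.join discards upload_dir
    entirely when client_filename is an absolute path.
    """
    return os.path.join(upload_dir, client_filename)


def rejection_reason(upload_dir: str, client_filename: str):
    """Return None if the name is acceptable, otherwise why it was rejected."""
    if not client_filename:
        return "empty filename"
    if "\x00" in client_filename:
        return "NUL byte in filename"
    # Treat Windows separators as separators too, so '..\\..\\x' is caught.
    name = client_filename.replace("\\", "/")
    if name.startswith("/"):
        return "absolute path"
    if "/" in name:
        return "directory separator in filename"
    if name in (".", ".."):
        return "dot filename"
    # Defence in depth: resolve symlinks, normalise, then confirm containment.
    base = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        return "resolved path escapes upload directory"
    return None


def safe_upload_path(upload_dir: str, client_filename: str) -> str:
    """Hardened version: reject bad names instead of silently rewriting them."""
    reason = rejection_reason(upload_dir, client_filename)
    if reason is not None:
        raise ValueError(f"rejected upload name {client_filename!r}: {reason}")
    return os.path.join(os.path.realpath(upload_dir), client_filename)


if __name__ == "__main__":
    # Constructed sample names an upload handler might receive (placeholder dir).
    upload_dir = "/srv/lft/uploads"
    samples = ["report.pdf", "../../etc/hostname", "/etc/hostname",
               "..\\..\\etc\\hostname", "notes\x00.pdf"]
    for s in samples:
        verdict = rejection_reason(upload_dir, s) or "accepted"
        print(f"{s!r:28} unsafe -> {unsafe_upload_path(upload_dir, s)!r:46} hardened -> {verdict}")
```

Rejecting rather than sanitising (stripping the directory part) is the better choice for a gateway: a rejected request can be logged and alerted on, whereas a silently rewritten one hides the probe.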
GINA V2 introduced several additional risks
The newer GINA V2 interface also contained several serious flaws. These included missing authorization checks, sensitive information exposure, local file inclusion, insecure deserialization, server-side template injection, and Perl code injection.
CVE-2026-44128 is one of the most serious GINA V2 bugs because it allows unauthenticated remote code execution through unsafe handling of user-controlled input passed to Perl evaluation logic.
CVE-2026-44127 also raises major concern because it can allow unauthenticated attackers to read arbitrary local files and trigger deletion of files within the permissions of the affected process.
- Remote code execution through Large File Transfer path traversal.
- Remote code execution through unsafe Perl evaluation in GINA V2.
- Possible code execution through insecure deserialization.
- Local file inclusion and arbitrary file deletion.
- Unauthenticated exposure of sensitive environment data.
- Missing authorization checks on GINA V2 endpoints.
- Server-side template injection with potential code execution impact.
Why email gateways make attractive targets
Secure email gateways sit in a sensitive position. They process inbound and outbound messages, attachments, encryption flows, webmail access, and user authentication workflows.
If an attacker compromises one of these appliances, the impact can go beyond one server. A gateway may expose mail traffic, internal metadata, credentials, attachments, and trusted network paths.
InfoGuard warned that the vulnerabilities could have been used to read all mail traffic or as an entry vector into an internal network. That makes rapid patching important for any organization that uses SEPPmail in production.
Potential impact on organizations
A successful attack could give an intruder control over the SEPPmail appliance. From there, the attacker may be able to inspect emails, access sensitive files, modify gateway behavior, or maintain persistence.
The risk increases because email security appliances often operate like black-box infrastructure. Many organizations patch and monitor them less aggressively than standard servers.
Administrators should assume that an exposed, outdated appliance may attract automated scanning after public disclosure. They should also check whether risky features such as Large File Transfer (LFT) or GINA V2 remain enabled when not needed.
| Risk | Why it matters |
|---|---|
| Remote code execution | Attackers may run commands on the appliance and gain control over gateway behavior. |
| Mail access | Attackers may read sensitive email traffic handled by the gateway. |
| Credential exposure | Environment variables, files, and configuration data may reveal secrets. |
| Internal network access | A compromised gateway may become a foothold for deeper intrusion. |
| Low visibility | Virtual appliances can be harder to inspect than standard workloads. |
What administrators should patch
Organizations should update SEPPmail Secure E-Mail Gateway to the latest patched 15.0.x version available from the vendor. Version 15.0.4 fixes several of the newly highlighted vulnerabilities, including CVE-2026-2743, CVE-2026-44127, CVE-2026-44129, CVE-2026-44125, and CVE-2026-7864.
SEPPmail release notes also show related security fixes across the 15.0.x branch. Teams that patched only to 15.0.2.1 or 15.0.3 should verify whether they still need 15.0.4 or later for the remaining issues.
Administrators should also review whether the appliance has internet-facing user portals, Large File Transfer enabled, or GINA V2 endpoints exposed to untrusted users.
Recommended response steps
Patching should come first, but it should not be the only response. Because these flaws affect email gateways, security teams should also review logs, files, configuration changes, and unusual mail access patterns.
Teams should preserve evidence before major cleanup when they suspect compromise. That includes appliance logs, web access records, mail processing logs, authentication events, and system configuration snapshots.
Organizations should also consider resetting exposed credentials if logs show suspicious file access, command execution, or unusual administrative behavior.
- Identify all SEPPmail Secure E-Mail Gateway appliances and record their versions.
- Upgrade affected systems to the latest patched 15.0.x release.
- Confirm that version 15.0.4 or later has been applied where relevant.
- Disable Large File Transfer if the organization does not need it.
- Disable or restrict GINA V2 if it is not required.
- Restrict access to user-facing and administrative interfaces through firewalls or VPNs.
- Review web logs for unusual upload activity, file preview requests, and GINA V2 endpoint access.
- Check for unexpected changes to system configuration and log rotation behavior.
- Audit email access patterns for unusual reads, downloads, or forwarding behavior.
- Rotate credentials if compromise cannot be ruled out.
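The first three steps of that list (inventory, upgrade, confirm 15.0.4 or later) amount to comparing each appliance's version against the fixed-version table above. The following is an added example, written for this article rather than taken from SEPPmail or InfoGuard Labs, that does that comparison numerically so that 15.0.2.1 sorts below 15.0.3 and 15.0.10 above 15.0.4. The hostnames and versions in the sample inventory are constructed; the CVE-to-version mapping is the one from the article's table.

```python
from typing import Dict, List, Tuple

# CVE -> first fixed release, as listed in the article's table.
FIXED_IN: Dict[str, str] = {
    "CVE-2026-2743": "15.0.4",
    "CVE-2026-7864": "15.0.4",
    "CVE-2026-44125": "15.0.4",
    "CVE-2026-44126": "15.0.3",
    "CVE-2026-44127": "15.0.4",
    "CVE-2026-44128": "15.0.2.1",
    "CVE-2026-44129": "15.0.4",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '15.0.2.1' into (15, 0, 2, 1) so releases compare numerically.

    Plain string comparison gets this wrong: '15.0.10' < '15.0.4' as text.
    """
    try:
        return tuple(int(part) for part in version.strip().split("."))
    except ValueError:
        raise ValueError(f"unparseable version string: {version!r}") from None


def is_at_least(installed: str, fixed: str) -> bool:
    # Tuple comparison treats a missing trailing component as lower, so
    # (15, 0, 2) < (15, 0, 2, 1) < (15, 0, 3) < (15, 0, 4), as intended.
    return parse_version(installed) >= parse_version(fixed)


def unpatched_cves(installed: str) -> List[str]:
    """CVEs from the table whose fix is newer than the installed release."""
    if parse_version(installed)[:2] != (15, 0):
        # The article only gives fixed versions for the 15.0.x branch; other
        # branches must be checked against the vendor's release notes.
        raise ValueError(f"{installed}: outside the 15.0.x branch covered by the fix table")
    return [cve for cve, fixed in FIXED_IN.items() if not is_at_least(installed, fixed)]


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """Order appliances by number of outstanding CVEs, worst first."""
    rows = [(host, ver, unpatched_cves(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (-len(r[2]), r[0]))


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are illustrative only.
    inventory = {
        "mailgw-01.example.internal": "15.0.4",
        "mailgw-02.example.internal": "15.0.2.1",
        "mailgw-dr.example.internal": "15.0.3",
    }
    for host, ver, missing in triage(inventory):
        status = "up to date" if not missing else f"{len(missing)} outstanding: {', '.join(missing)}"
        print(f"{host:30} {ver:10} {status}")
```

Run against a real inventory, the output is the patch priority list: an appliance on 15.0.2.1 still carries six of the seven issues, one on 15.0.3 still carries five.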
What defenders should monitor
Security teams should look for signs that attackers attempted file writes, local file reads, or code execution through SEPPmail web components. Suspicious activity may not look like a normal login event because several issues involve unauthenticated access.
Teams should also monitor for abnormal mail traffic access. The gateway’s role in encrypted email workflows means data exposure may involve message stores, attachments, webmail content, or gateway-managed files.
Because some attack paths can involve configuration changes, defenders should verify appliance integrity and compare current settings against known-good backups.
| Area to review | What to check |
|---|---|
| Web access logs | Unexpected access to LFT and GINA V2 endpoints. |
| Upload behavior | Unusual attachment upload patterns or failed file handling errors. |
| File access | Unexpected reads of local files or message-related storage. |
| System configuration | Unauthorized changes to logging, templates, or gateway settings. |
| Mail handling | Unusual message access, downloads, forwarding, or delivery changes. |
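The web access log review in the table above (and in the response steps earlier) can be started with a small script. Here is an added example, not code from SEPPmail, InfoGuard Labs or this publication, that parses combined-format access log lines, decodes URL encoding repeatedly so double-encoded traversal sequences are not missed, and flags requests that contain traversal sequences or touch watched endpoints. The endpoint prefixes `/lft/` and `/gina/v2/` are assumed placeholders (the article does not give the real paths) and the five log lines are constructed.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import unquote

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed placeholder prefixes for the appliance's LFT and GINA V2 endpoints;
# replace with the paths your own appliance actually serves.
WATCHED_PREFIXES = {"/lft/": "Large File Transfer", "/gina/v2/": "GINA V2"}

TRAVERSAL_RE = re.compile(r"\.\.(/|$)")

# Constructed sample lines: one benign webmail request, two probes from one
# source (single- and double-encoded traversal), one legitimate LFT upload,
# and one malformed line the parser should skip.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/May/2026:09:14:01 +0200] "GET /webmail/inbox HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/May/2026:09:15:22 +0200] "POST /lft/upload?filename=..%2F..%2F..%2Ftmp%2Fprobe.txt HTTP/1.1" 200 42 "-" "python-requests/2.31"',
    '198.51.100.7 - - [12/May/2026:09:15:30 +0200] "GET /gina/v2/preview?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1802 "-" "python-requests/2.31"',
    '203.0.113.10 - alice [12/May/2026:09:16:05 +0200] "POST /lft/upload?filename=quarterly-report.pdf HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    'this line is not an access log record',
]


def decode_path(raw: str) -> str:
    """URL-decode until stable (max 3 rounds) and normalise backslashes."""
    cur = raw
    for _ in range(3):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def watched_feature(path: str) -> Optional[str]:
    for prefix, feature in WATCHED_PREFIXES.items():
        if path.startswith(prefix):
            return feature
    return None


def analyse(lines: List[str]) -> List[Dict]:
    """Return one finding per request that is worth a human look."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = decode_path(rec["path"])
        reasons = []
        if TRAVERSAL_RE.search(path):
            reasons.append("path traversal sequence")
        feature = watched_feature(path)
        if feature:
            reasons.append(f"{feature} endpoint access")
            if rec["user"] == "-":
                reasons.append("no authenticated user recorded")
        if not reasons:
            continue
        severity = "high" if "path traversal sequence" in reasons else "info"
        findings.append({"ip": rec["ip"], "user": rec["user"], "method": rec["method"],
                         "path": path, "status": int(rec["status"]),
                         "severity": severity, "reasons": reasons})
    return findings


def summarise_by_ip(findings: List[Dict]) -> Dict[str, int]:
    """Count high-severity findings per source address."""
    return dict(Counter(f["ip"] for f in findings if f["severity"] == "high"))


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} {f['method']} {f['path']} -> {'; '.join(f['reasons'])}")
    print("high-severity hits per IP:", summarise_by_ip(SAMPLE_LOG and analyse(SAMPLE_LOG)))
```

The decode loop matters: a single `unquote` leaves `%252e%252e%252f` as `%2e%2e%2f`, which a naive `../` check misses. Informational hits on the watched endpoints are kept deliberately so that legitimate use of LFT or GINA V2 can be baselined before deciding which interfaces to restrict.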
Why this disclosure matters
The SEPPmail findings show how security products can become high-value attack surfaces. A gateway built to protect email can also become a powerful target if exposed web components contain critical flaws.
The research also shows why organizations need strong visibility into appliances. Virtual gateways, secure mail systems, and managed security tools still need patching, logging, and incident response coverage.
For SEPPmail customers, the action plan is straightforward. Patch to the latest fixed version, reduce exposed features, review logs for suspicious activity, and treat any outdated internet-facing gateway as a high-priority risk.
FAQ
Researchers disclosed several SEPPmail Secure E-Mail Gateway vulnerabilities affecting the Large File Transfer feature and GINA V2 interface. The flaws can allow remote code execution, file access, sensitive information exposure, missing authorization, and possible access to mail traffic.
CVE-2026-2743 is one of the most critical issues. It affects the Large File Transfer component and can allow arbitrary file write through path traversal, which can be chained into remote code execution.
The fixes were released across the 15.0.x branch. CVE-2026-44128 was fixed in 15.0.2.1, CVE-2026-44126 was fixed in 15.0.3, and several other issues, including CVE-2026-2743 and CVE-2026-44127, were fixed in 15.0.4.
InfoGuard Labs said the vulnerabilities could have been used to read all mail traffic or as an entry vector into internal networks. That makes patching urgent for production email gateway deployments.
Administrators should upgrade to the latest patched SEPPmail version, restrict exposed interfaces, disable unused LFT or GINA V2 features, review logs for suspicious activity, and rotate credentials if compromise cannot be ruled out.