Critical SEPPmail Gateway Flaws Allow Remote Code Execution
The SEPPmail Secure Email Gateway contains critical vulnerabilities that expose organizations to remote code execution (RCE) and potential interception of sensitive email traffic.
Researchers at Infoguard Labs uncovered several high-impact flaws affecting SEPPmail appliances, which are widely deployed across the DACH region.
The most severe issues include:
- CVE-2026-2743: Pre-authenticated RCE via arbitrary file write in the Large File Transfer (LFT) component.
- CVE-2026-44128: Unauthenticated RCE through Perl code injection.
- CVE-2026-44127: Local File Inclusion (LFI) enabling access to sensitive files and emails.
- CVE-2026-7864: Exposure of sensitive environment variables without authentication.
These vulnerabilities affect versions before the patched releases in the 15.x branch.
Path Traversal to Full RCE
The most critical flaw, CVE-2026-2743, sits in the LFT feature, which handles large email attachments.
The upload handler does not sanitize the user-supplied file path, so a name containing directory-traversal sequences such as “../” is written outside the intended upload directory: an arbitrary file write.
The researchers demonstrated this by overwriting /etc/syslog.conf, which on the appliance is writable by the low-privileged “nobody” user.

A BSD-style syslog.conf can direct matching messages to a program instead of a log file, so an attacker who controls the file can add an entry that runs a command of their choosing; in the researchers' demonstration, a crafted entry spawned a reverse shell once log messages were processed.
The chain completes when log rotation (newsyslog) makes syslogd re-read its configuration, at which point the injected command runs. No authentication is required at any step.
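As an added illustration (not code from the Infoguard research or from the SEPPmail appliance), the following Python audits a BSD-style syslog.conf for exactly the kind of entry this chain depends on: an action beginning with “|”, which makes syslogd feed matching messages to a program. The configuration it scans is constructed here, and the program path /tmp/.x/run.sh in it is a placeholder rather than any real payload.

```python
"""Audit a BSD-style syslog.conf for actions that run a program.

Added example; it is not code from SEPPmail or the Infoguard research.
Rule lines have the form  <selector><whitespace><action>.  An action that
starts with '|' pipes matching messages into a program, which is what an
attacker with a write primitive on this file would add.
"""
import re
from typing import Dict, List, Tuple

# Directories a log-file action is normally expected to point at.
ALLOWED_LOG_DIRS = ("/var/log/", "/dev/")

# Constructed sample: a plausible default file with two lines appended by an
# attacker (lines 8 and 9).  The program path is a placeholder.
SAMPLE_SYSLOG_CONF = """\
# syslog.conf - constructed sample, not a SEPPmail file
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none\t/var/log/messages
kern.debug;syslog,user.info\t/var/log/messages
auth.info\t/var/log/authlog
mail.info\t/var/log/maillog
*.err\t@loghost.example.internal
*.emerg\t*
*.*\t|/tmp/.x/run.sh
*.info\t/tmp/.x/capture.log
"""


def parse_syslog_conf(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, selector, action) for every rule line.

    Comments, blank lines and the '!program' / '+host' / '-host' block
    markers carry no action and are skipped.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#!+-":
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) == 2:
            rules.append((lineno, parts[0], parts[1]))
    return rules


def audit_syslog_conf(text: str) -> List[Dict[str, object]]:
    """Flag pipe actions (critical) and log files outside ALLOWED_LOG_DIRS (warning)."""
    findings: List[Dict[str, object]] = []
    for lineno, selector, action in parse_syslog_conf(text):
        if action.startswith("|"):
            findings.append({
                "line": lineno, "severity": "critical", "selector": selector,
                "action": action,
                "reason": "pipe action: syslogd runs this program and feeds it log messages",
            })
        elif action.startswith("/") and not action.startswith(ALLOWED_LOG_DIRS):
            findings.append({
                "line": lineno, "severity": "warning", "selector": selector,
                "action": action,
                "reason": "log file outside the expected log directories",
            })
    return findings


if __name__ == "__main__":
    for f in audit_syslog_conf(SAMPLE_SYSLOG_CONF):
        print(f"line {f['line']:>3} [{f['severity']}] {f['selector']}\t{f['action']}  ({f['reason']})")
```

Run against a copy of the appliance's syslog.conf pulled during an incident review, a clean file yields no findings; any “|” action is worth treating as a confirmed foothold until proven otherwise, since a default gateway configuration has no reason to pipe log messages into a program.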
GINA V2 Vulnerabilities
The newer GINA V2 web interface introduces additional critical issues:
- Perl Injection (CVE-2026-44128): Unsanitized input passed directly to a Perl eval() function allows full command execution.
- LFI and Arbitrary File Access (CVE-2026-44127): Attackers can read sensitive files, including LDAP databases, emails, and credentials.
- Debug Exposure (CVE-2026-7864): Unauthenticated endpoints leak environment variables, aiding further exploitation.
Notably, some of these endpoints lack proper authentication checks, significantly lowering the barrier for attackers.
Successful exploitation allows attackers to:
- Gain full control over the email gateway.
- Intercept, read, or modify encrypted email traffic.
- Access credentials, keys, and internal communications.
- Establish persistent access within the network.
Because SEPPmail appliances often operate as black-box virtual systems, security teams may have limited visibility into ongoing attacks.
Organizations using SEPPmail should take immediate action:
- Upgrade to the latest patched version (15.0.4 or later, where applicable).
- Disable unused features like LFT and GINA V2 if not required.
- Restrict access to exposed API endpoints.
- Monitor for unexpected changes to /etc/syslog.conf and for unusual or unscheduled log rotations.
- Conduct internal audits for potential compromise.
According to recent research published by Infoguard Labs, even widely trusted secure email solutions can contain critical security flaws.
The research also underscores the growing role of AI-assisted vulnerability discovery, which is shortening both the time to find such flaws and the time to exploit them.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.