Critical Vulnerabilities in SEPPMail Gateway Expose Email to Remote Code Execution
Multiple critical vulnerabilities have been discovered in **SEPPMail Secure E-Mail Gateway**, potentially allowing attackers to achieve remote code execution and access sensitive email data. The vulnerabilities, if exploited, could provide a foothold into internal networks.

Critical security vulnerabilities have been disclosed in **SEPPMail Secure E-Mail Gateway**, an enterprise-grade email security solution. These flaws could be exploited to achieve remote code execution and enable an attacker to read arbitrary emails from the virtual appliance.
"These vulnerabilities could have been exploited to read all mail traffic or as an entry vector into the internal network," **InfoGuard Labs** researchers Dario Weiss, Manuel Feifel, and Olivier Becker said in a recent report.
### Vulnerability Details
The list of identified flaws is as follows:
* **CVE-2026-2743** (CVSS score: 10.0) - A path traversal vulnerability in the SEPPmail User Web Interface's large file transfer (LFT) feature that could enable arbitrary file write, resulting in remote code execution.
* **CVE-2026-7864** (CVSS score: 6.9) - An exposure of sensitive system information vulnerability that leaks server environment variables through an unauthenticated endpoint in the new GINA UI.
* **CVE-2026-44125** (CVSS score: 9.3) - A missing authorization check vulnerability for multiple endpoints in the new GINA UI that allows unauthenticated remote attackers to access functionality that would otherwise require a valid session.
* **CVE-2026-44126** (CVSS score: 9.2) - A deserialization of untrusted data vulnerability that allows unauthenticated remote attackers to execute code via a crafted serialized object.
* **CVE-2026-44127** (CVSS score: 8.8) - An unauthenticated path traversal vulnerability in "/api.app/attachment/preview" that allows remote attackers to read arbitrary local files and trigger deletion of files in the targeted directory with the privileges of the "api.app" process.
* **CVE-2026-44128** (CVSS score: 9.3) - An eval injection vulnerability that allows unauthenticated remote code execution because the /api.app/template feature passes the user-supplied upldd parameter directly into a Perl eval() statement without any sanitization.
* **CVE-2026-44129** (CVSS score: 8.3) - An improper neutralization of special elements used in a template engine vulnerability that allows remote attackers to execute arbitrary template expressions and potentially achieve remote code execution depending on the enabled template plugins.
### Attack Scenario
In a hypothetical attack scenario, a threat actor could exploit **CVE-2026-2743** to overwrite the system's syslog configuration ("/etc/syslog.conf") by leveraging the "nobody" user's write access to the file, ultimately obtaining a Perl-based reverse shell. This would result in a complete takeover of the SEPPmail appliance, permitting the attacker to read all mail traffic and maintain persistence on the gateway.
One hurdle for attackers is that `syslogd` re-reads the configuration only upon receiving the **SIGHUP** signal. Syslogd is a Linux system daemon responsible for writing system messages to log files or a user's terminal.
"The appliance uses newsyslog for log rotation (e.g., leading to logfile.0), which runs every 15 minutes via cron," the researchers explained. "newsyslog rotates files that exceed a size limit and then automatically sends a SIGHUP to syslogd. By bloating log files like SEPPMaillog, which has a 10,000 KB limit in this case, we can force a rotation and a subsequent config reload. These can be filled by just sending web requests."
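A defender-side check for the condition this scenario depends on, an unprivileged account being able to modify "/etc/syslog.conf", written as an added example that is not from InfoGuard Labs or SEPPmail. It reports whether the file or its parent directory is writable by a given account and whether its SHA-256 differs from a recorded baseline; the function names and the baseline placeholder are assumptions, and only classic Unix mode bits are evaluated (no ACLs).

```python
import hashlib
import os
import pwd
import stat


def writable_by(st, uid, gids):
    """Return True if the classic Unix mode bits let uid/gids write to st."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_config(path, baseline_sha256, uid, gids):
    """Audit a root-owned config file against an unprivileged account.

    Returns a list of findings; an empty list means the file passed.
    """
    findings = []
    st = os.stat(path)
    if st.st_uid != 0:
        findings.append(f"{path}: owner uid {st.st_uid}, expected 0")
    if writable_by(st, uid, gids):
        findings.append(f"{path}: writable by uid {uid}")
    # A writable parent directory lets the account replace the file by rename,
    # even when the file itself is read-only.
    parent = os.path.dirname(os.path.abspath(path))
    if writable_by(os.stat(parent), uid, gids):
        findings.append(f"{parent}: directory writable by uid {uid}")
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    if digest != baseline_sha256:
        findings.append(f"{path}: sha256 {digest} differs from baseline")
    return findings


if __name__ == "__main__":
    # The article names "nobody" as the account with write access to the file.
    acct = pwd.getpwnam("nobody")
    gids = set(os.getgrouplist(acct.pw_name, acct.pw_gid))
    # Placeholder baseline: record the real digest from a known-good system.
    for finding in audit_config("/etc/syslog.conf", "<known-good-sha256>",
                                acct.pw_uid, gids):
        print(finding)
```

Run it from a scheduled job more often than the 15-minute rotation interval mentioned above, so a modified file is reported before the next configuration reload.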
### Remediation
While **CVE-2026-44128** was reportedly fixed by version 15.0.2.1, **CVE-2026-44126** was addressed with the release of version 15.0.3. The remaining vulnerabilities have been patched in version 15.0.4. Users are strongly advised to update to the latest version of **SEPPMail Secure E-Mail Gateway**.
This disclosure follows shortly after SEPPmail released updates to address another critical flaw (**CVE-2026-27441**, CVSS score: 9.5) that could allow arbitrary operating system command execution.