InfoGuard Labs researchers Dario Weiss, Manuel Feifel, and Olivier Becker published a coordinated disclosure on Monday detailing seven vulnerabilities in SEPPmail Secure E-Mail Gateway, a widely deployed enterprise email-encryption and policy appliance. The chain of bugs lets an unauthenticated attacker take full control of the appliance, read every mail flowing through it, and use it as a beachhead into the internal network.
The headliner is CVE-2026-2743, a CVSS 10.0 path-traversal-to-RCE in the User Web Interface’s large file transfer (LFT) feature. Six additional flaws cover auth-bypass, deserialization, eval injection, and template-engine injection — and four of them score 8.8 or higher.
The vulnerabilities
| CVE | CVSS | Type |
|---|---|---|
| CVE-2026-2743 | 10.0 | Path traversal in LFT -> arbitrary file write -> RCE |
| CVE-2026-44125 | 9.3 | Missing authorization on multiple GINA UI endpoints |
| CVE-2026-44128 | 9.3 | Unauthenticated eval injection (Perl) in /api.app/template |
| CVE-2026-44126 | 9.2 | Deserialization of untrusted data -> unauthenticated RCE |
| CVE-2026-44127 | 8.8 | Unauthenticated path traversal in /api.app/attachment/preview |
| CVE-2026-44129 | 8.3 | Template-engine injection (depends on enabled plugins) |
| CVE-2026-7864 | 6.9 | Env-variable disclosure via unauthenticated GINA UI endpoint |
The CVE-2026-2743 exploit chain
The path traversal alone is just arbitrary file write — useful, but the appliance runs the writer as the unprivileged nobody user. The interesting trick is how InfoGuard turned that into a Perl reverse shell:
- Overwrite `/etc/syslog.conf`. The `nobody` user happens to have write access to syslogd’s config file. The traversal lets the attacker drop a malicious config that pipes log lines into a Perl one-liner.
- Wait for the SIGHUP. Syslogd only re-reads its config on SIGHUP. The appliance doesn’t expose a way to send SIGHUP directly — but it uses `newsyslog` for log rotation, which runs every 15 minutes via cron and sends SIGHUP automatically when a logfile exceeds its size limit.
- Bloat the log. `SEPPMaillog` has a 10,000 KB rotation threshold. The researchers filled it by hammering the web interface with requests. Once `newsyslog` rotates and SIGHUPs syslogd, the planted config loads.
- Get a Perl-based reverse shell running as the syslogd process. From there: full appliance takeover, persistent C2, and the ability to read all mail traffic.
The 15-minute cron cycle is a soft constraint, not a stopper — the attacker just has to wait one round.
CVE-2026-44128: the easier RCE
For attackers who don’t want to wait for cron, CVE-2026-44128 is more direct. The /api.app/template endpoint passes the user-supplied upldd parameter straight into a Perl eval() with no sanitization. Unauthenticated, single-request RCE. Anyone who’s ever stared at a Perl codebase will recognize the shape immediately.
Impact
SEPPmail is a Swiss vendor with significant deployment across DACH-region enterprises, government, and healthcare. The appliance sits inline with mail flow and holds decryption keys for S/MIME and OpenPGP — meaning a compromised gateway gives an attacker plaintext access to every message that transits it, even when end-users believe encryption is end-to-end. It’s also typically network-positioned with reach into both the DMZ and internal mail infrastructure, making it a high-value pivot.
There are no public reports of active exploitation yet, but the InfoGuard write-up includes enough detail that working exploits should be expected within days.
Mitigation
Patch immediately. SEPPmail shipped fixes in stages:
- CVE-2026-44128 — fixed in 15.0.2.1
- CVE-2026-44126 — fixed in 15.0.3
- All remaining CVEs (including CVE-2026-2743) — fixed in 15.0.4
If you can’t patch to 15.0.4 immediately:
- Block external access to `/api.app/template`, `/api.app/attachment/preview`, and the LFT upload endpoints at your reverse proxy or WAF.
- Audit `/etc/syslog.conf` on the appliance for unexpected entries (anything piping to `|perl`, `|sh`, or `|/usr/bin/...` is suspicious).
- Watch for spikes in `SEPPMaillog` size — the disclosed exploit deliberately bloats it to force rotation.
- Inspect cron and `newsyslog.conf` for tampering.
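As an added example (not from the InfoGuard write-up or from SEPPmail), a small Python audit helper that parses a BSD-style `syslog.conf` and flags any rule whose action pipes log lines into a program, which is the tampering pattern the audit step above describes. The sample config, the `SAFE_PIPES` allowlist and the function names are constructed for this illustration; run it against a copy of the file pulled from the appliance.

```python
import re

# Constructed sample in BSD syslog.conf format; not taken from a real appliance.
SAMPLE_CONF = """\
# constructed sample for the audit helper
*.err;kern.warning;auth.notice;mail.crit    /dev/console
*.notice;authpriv.none;kern.debug;mail.crit  /var/log/messages
mail.info                                    /var/log/maillog
!ppp
*.*                                          /var/log/ppp.log
!*
# the two entries below are the shape a planted config would take
*.*                                          |perl
*.*                                          |/usr/bin/sh -c 'id'
local0.*                                     @loghost.example.invalid
"""

# Pipe targets reviewed and accepted on this host (constructed; empty by default).
SAFE_PIPES = set()


def parse_syslog_conf(text):
    """Yield (line_no, program_scope, selector, action) for each rule.

    Skips comments and blank lines and tracks BSD '!program' / '+host' / '-host'
    scope blocks so a hit can be reported with the scope it applies to.
    """
    scope = "*"
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line[0] in "!+-":          # scope marker line, not a rule
            scope = line[1:].strip() or "*"
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) == 2:
            yield no, scope, parts[0], parts[1]


def find_pipe_actions(text):
    """Return (line_no, scope, selector, program) for actions of the form '|cmd'.

    A pipe action hands every matching log line to that program, so an
    unexpected entry here plus a SIGHUP is enough to run it as syslogd's user.
    """
    hits = []
    for no, scope, selector, action in parse_syslog_conf(text):
        if action.startswith("|"):
            words = action[1:].strip().split()
            program = words[0] if words else ""
            if program not in SAFE_PIPES:
                hits.append((no, scope, selector, program))
    return hits


if __name__ == "__main__":
    for no, scope, selector, program in find_pipe_actions(SAMPLE_CONF):
        print(f"line {no}: [{scope}] {selector} -> pipes into {program!r}")
```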
This disclosure also comes weeks after SEPPmail patched CVE-2026-27441 (CVSS 9.5), an OS command-injection bug. Two critical-severity advisories in a single month is a strong signal to prioritize this appliance in your patch queue and revisit your mail-gateway threat model — particularly the assumption that an inline encryption appliance is trustworthy.