Cyber Security News | Technology

Critical Vulnerabilities in the SEPPmail Gateway Enable Remote Code Execution and Theft of Email Traffic

Critical vulnerabilities in the SEPPmail Secure Email Gateway have exposed organizations to remote code execution (RCE) and potential interception of sensitive email traffic.

19 May 2026 | Abinaya | Live editorial team
Critical SEPPmail Gateway Flaws Allow Remote Code Execution and Mail Traffic Theft

Researchers uncovered several high-impact flaws affecting SEPPmail appliances, widely deployed across the DACH region.

The most severe issues include:

  • CVE-2026-2743: Pre-authenticated RCE via arbitrary file write in the Large File Transfer (LFT) component.
  • CVE-2026-44128: Unauthenticated RCE through Perl code injection.
  • CVE-2026-44127: Local File Inclusion (LFI) enabling access to sensitive files and emails.
  • CVE-2026-7864: Exposure of sensitive environment variables without authentication.

These vulnerabilities affect versions before the patched releases in the 15.x branch.

SEPPmail Gateway Flaws: Path Traversal to Full RCE

The most critical flaw, CVE-2026-2743, affects the LFT feature used to handle large email attachments.

The backend fails to sanitize user-supplied file paths during uploads, allowing attackers to exploit directory-traversal sequences such as “../”. This enables arbitrary file writes outside the intended directory.
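The missing check described above, shown as an added Python example (not SEPPmail's code and not from the original article): an unchecked join beside a resolver that rejects any name leaving the upload directory. The function names, the directory `/srv/lft/uploads` and the sample names are assumptions made for illustration.

```python
import os
import tempfile

def naive_upload_path(base_dir, client_name):
    # Vulnerable pattern: the client-supplied name is joined unchecked, so
    # "../" segments (or an absolute path) resolve outside base_dir.
    return os.path.normpath(os.path.join(base_dir, client_name))

def safe_upload_path(base_dir, client_name):
    """Return the resolved path if it stays inside base_dir, else raise ValueError."""
    if not client_name or "\x00" in client_name:
        raise ValueError("empty name or NUL byte")
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks in existing components.
    candidate = os.path.realpath(os.path.join(base, client_name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"escapes upload directory: {client_name!r}")
    return candidate

def classify(names):
    """Run each name against a fresh temporary upload directory."""
    verdicts = {}
    with tempfile.TemporaryDirectory() as base:
        for name in names:
            try:
                safe_upload_path(base, name)
                verdicts[name] = "accepted"
            except ValueError:
                verdicts[name] = "rejected"
    return verdicts

# Constructed sample names; /srv/lft/uploads below is a hypothetical directory.
SAMPLE_NAMES = ["report.pdf", "sub/report.pdf", "../../etc/syslog.conf",
                "/etc/syslog.conf", "a/../../b", ""]

if __name__ == "__main__":
    print(naive_upload_path("/srv/lft/uploads", "../../../etc/syslog.conf"))
    for name, verdict in classify(SAMPLE_NAMES).items():
        print(f"{verdict:8}  {name!r}")
```

The containment test runs on the fully resolved path, so absolute names and traversal hidden behind a non-existent subdirectory are rejected as well.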


Researchers demonstrated that attackers could overwrite the system file /etc/syslog.conf, which is writable by the “nobody” user. By writing attacker-controlled content into the syslog configuration, attackers can force the system to execute arbitrary commands. For example, a crafted payload can trigger a reverse shell when system logs are processed.

The attack chain is completed when log rotation (via newsyslog) reloads the modified configuration, effectively executing the malicious code without requiring authentication.


GINA V2 Vulnerabilities

The newer GINA V2 web interface introduces additional critical issues:

  • Perl Injection (CVE-2026-44128): Unsanitized input passed directly to Perl eval() function allows full command execution.
  • LFI and Arbitrary File Access (CVE-2026-44127): Attackers can read sensitive files, including LDAP databases, emails, and credentials.
  • Debug Exposure (CVE-2026-7864): Unauthenticated endpoints leak environment variables, aiding further exploitation.

Notably, some of these endpoints lack proper authentication checks, significantly lowering the barrier for attackers.

Successful exploitation allows attackers to:

  • Gain full control over the email gateway.
  • Intercept, read, or modify encrypted email traffic.
  • Access credentials, keys, and internal communications.
  • Establish persistent access within the network.

Because SEPPmail appliances often operate as black-box virtual systems, security teams may have limited visibility into ongoing attacks.

Organizations using SEPPmail should take immediate action:

  • Upgrade to the latest patched version (15.0.4 or later, where applicable).
  • Disable unused features like LFT and GINA V2 if not required.
  • Restrict access to exposed API endpoints.
  • Monitor logs for unusual activity or forced log rotations.
  • Conduct internal audits for potential compromise.
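For the audit and monitoring steps, and for the /etc/syslog.conf overwrite described earlier, an added Python example (not from the original article or the vendor) that compares a syslog configuration against a known-good hash, lists rules that pipe messages to a program, and flags loose file permissions. It assumes BSD syslog.conf(5) syntax, where an action starting with `|` runs a program; the article does not state the exact mechanism used, and the configurations and program path below are constructed.

```python
import hashlib
import os
import stat
import tempfile

def pipe_actions(conf_text):
    """Return (line_no, selector, program) for each rule that pipes to a program."""
    hits = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!+":  # comments and program/host block tags
            continue
        fields = line.split(None, 1)      # selector, then action
        if len(fields) == 2 and fields[1].startswith("|"):
            hits.append((no, fields[0], fields[1][1:].strip()))
    return hits

def audit_text(conf_text, baseline_sha256):
    """Report whether the text differs from the baseline and which rules pipe out."""
    digest = hashlib.sha256(conf_text.encode()).hexdigest()
    return {"changed": digest != baseline_sha256,
            "pipe_actions": pipe_actions(conf_text)}

def loosely_writable(path):
    """True if group or other may write the file (the owner should also be root)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def mode_check(mode):
    """Demo helper: create a temporary file with `mode` and test it."""
    with tempfile.NamedTemporaryFile() as fh:
        os.chmod(fh.name, mode)
        return loosely_writable(fh.name)

# Constructed configurations; the program path is a placeholder.
BASELINE = "*.notice;auth.none\t/var/log/messages\nauth.info\t/var/log/authlog\n"
MODIFIED = BASELINE + "# added\n*.*\t|/path/to/unexpected-program\n"
BASELINE_SHA256 = hashlib.sha256(BASELINE.encode()).hexdigest()

if __name__ == "__main__":
    print(audit_text(BASELINE, BASELINE_SHA256))
    print(audit_text(MODIFIED, BASELINE_SHA256))
    print(mode_check(0o666), mode_check(0o644))
```

On a system with shell access, pass the contents of /etc/syslog.conf to `audit_text` and its path to `loosely_writable`; the baseline hash should come from a clean install of the same release.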

According to recently published research, even widely trusted secure email solutions can contain critical security flaws. It also underscores the growing role of AI-assisted vulnerability discovery, which is significantly accelerating both identification and exploitation timelines.

Source and editorial information

Source: Cyber Security News
Original title: Critical SEPPmail Gateway Flaws Allow Remote Code Execution and Mail Traffic Theft
Canonical: https://cybersecuritynews.com/seppmail-gateway-flaws/
Source URL: https://cybersecuritynews.com/seppmail-gateway-flaws/
