SEPPMAIL Secure E-Mail Gateway has disclosed critical vulnerabilities that could allow remote code execution and reading of arbitrary mail from the appliance, potentially giving attackers access to all mail traffic and a foothold inside the network according to InfoGuard Labs.
The flaws include CVE-2026-2743 (CVSS 10.0), a path traversal in the Large File Transfer feature that could enable arbitrary file writes and remote code execution; CVE-2026-7864 (CVSS 6.9), exposing environment variables through an unauthenticated endpoint in the new GINA UI; CVE-2026-44125 (CVSS 9.3), a missing authorization check for multiple endpoints; CVE-2026-44126 (CVSS
9.2), deserialization of untrusted data; CVE-2026-44127 (CVSS 8.8), an unauthenticated path traversal in /api[.]app/attachment/preview; CVE-2026-44128 (CVSS 9.3), an eval injection via an unsanitised parameter; and CVE-2026-44129 (CVSS 8.3), improper neutralisation of template elements. In a hypothetical attack, CVE-2026-2743 could be used to overwrite syslog configuration to trigger a Perl-based reverse shell, enabling a full takeover of the SEPPmail appliance and indefinite persistence.
Some fixes are already in place: CVE-2026-44128 was addressed by version 15.0.2[.]1, CVE-2026-44126 by 15.0.3, and the remaining issues have been patched in 15.0.4, with earlier updates shipping to resolve CVE-2026-27441, a separate critical flaw. The disclosure highlights the importance of timely upgrades to mitigate exposure of mail traffic and internal network access.