SeppMail
CVE-2026-2743
CRITICAL
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Arbitrary File Write via Path Traversal upload to Remote Code Execution in SeppMail User Web Interface. The affected feature is the large file transfer (LFT). This issue affects SeppMail: 15.0.2.1 and before
AnalysisAI
Remote code execution in SeppMail secure email gateway versions 15.0.2.1 and earlier allows unauthenticated attackers to write arbitrary files via path traversal in the Large File Transfer (LFT) feature of the User Web Interface, leading to full system compromise. The flaw carries a maximum CVSS 4.0 score of 10.0 reflecting network-reachable, no-privilege exploitation with scope-changing impact, and was disclosed by InfoGuard Labs alongside CVE-2026-7864, CVE-2026-44127, and CVE-2026-44128. No public exploit identified at time of analysis and EPSS sits at 0.52% (67th percentile), so widespread automated abuse has not yet materialized despite the critical severity.
Technical ContextAI
SeppMail is a Swiss secure email gateway appliance that provides encryption, signing, and secure file exchange; the vulnerable component is the User Web Interface's Large File Transfer (LFT) module, which accepts uploads from end users to share oversized attachments outside normal SMTP limits. The root cause class is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e. Path Traversal): the upload handler fails to canonicalize or sanitize user-controlled filename or path components, allowing '../' sequences (or equivalent) to escape the intended storage directory and write files to attacker-chosen locations on the underlying filesystem. By placing an executable script, web shell, or configuration file into a location parsed by the web server or a privileged service, the attacker pivots the file write primitive into remote code execution. The affected CPE is cpe:2.3:a:seppmail:seppmail covering all versions up to and including 15.0.2.1.
RemediationAI
Upgrade SeppMail to a version newer than 15.0.2.1 per the vendor release notes at https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html; the InfoGuard Labs advisory at https://labs.infoguard.ch/advisories/seppmail also lists this CVE alongside CVE-2026-7864, CVE-2026-44127, and CVE-2026-44128, so apply the cumulative fixed release that addresses all four issues rather than cherry-picking. Patch available per vendor advisory, but an exact fixed version string is not given in the input data - confirm the target build number directly with SeppMail support before rollout. As compensating controls until patching is complete, restrict access to the User Web Interface (and specifically the LFT upload endpoint) to trusted source networks via firewall or reverse-proxy ACL, disable the Large File Transfer feature in the gateway configuration if it is not in active use (trade-off: end users lose the oversized-attachment workflow), and place the management/user interface behind a VPN or zero-trust proxy that enforces strong authentication; note that disabling LFT does not protect against the other three companion CVEs in the same advisory bundle.
Command injection in SEPPmail Secure Email Gateway before 15.0.1 via PDF encryption password.
SEPPmail Secure Email Gateway versions before 15.0.1 fail to properly validate S/MIME message headers, enabling attacker
Improper filename validation in SEPPmail Secure Email Gateway's GINA web interface (versions before 15.0.1) enables unau
SEPPmail Secure Email Gateway versions prior to 15.0.1 fail to properly isolate decrypted PGP message content from surro
SEPPmail Secure Email Gateway versions before 15.0.1 misinterpret email addresses in message headers, enabling attackers
SEPPmail through 12.1.17 allows command injection within the Admin Portal. Rated medium severity (CVSS 6.0), this vulner
SEPPmail Secure Email Gateway versions before 15.0.1 fail to properly validate S/MIME certificates with whitespace chara
Seppmail versions up to 15.0.1 is affected by improper verification of cryptographic signature (CVSS 5.3).
Seppmail versions up to 15.0.1 is affected by improper verification of cryptographic signature (CVSS 5.3).
Same weakness CWE-22 – Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today