Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to cause attacker-controlled certificates to be used for future encryption to a victim by adding the certificates to S/MIME signatures.
AnalysisAI
SEPPmail Secure Email Gateway before version 15.0.3 allows remote attackers to inject malicious certificates into S/MIME signatures, enabling them to substitute attacker-controlled certificates for future encryption communications with victims. An attacker can exploit this by crafting a specially-formed signed email that embeds unauthorized certificates, which the gateway may then use for subsequent encrypted messages to the targeted recipient, resulting in compromise of encryption confidentiality. No public exploit code or active CISA KEV listing is currently confirmed, but the vulnerability was reported by Swiss national security authority NCSC.ch.
Technical ContextAI
S/MIME (Secure/Multipurpose Internet Mail Extensions) uses digital certificates to sign and encrypt email messages. The vulnerability stems from improper validation of certificates embedded within S/MIME signatures (CWE-295: Improper Certificate Validation). When SEPPmail processes a signed email, it extracts certificates from the signature block to facilitate future encrypted replies. An attacker can craft a malicious S/MIME signature containing their own certificate, which the gateway accepts and stores without proper verification that the certificate legitimately belongs to the claimed sender or that it should be trusted for encryption. The gateway then uses this attacker-supplied certificate for subsequent encryption operations, allowing the attacker to decrypt future communications. The affected product is SEPPmail Secure Email Gateway across all versions before 15.0.3 (CPE: cpe:2.3:a:seppmail:secure_email_gateway:*:*:*:*:*:*:*:*).
RemediationAI
Vendor-released patch: SEPPmail Secure Email Gateway version 15.0.3 and later. Administrators must immediately upgrade all affected SEPPmail deployments to version 15.0.3 or newer. No interim workarounds are documented; complete patching is the only confirmed mitigation. Organizations unable to patch immediately should consult SEPPmail technical support and the official advisory at https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#seppmail-vulnerability-disclosure-1503 for temporary risk reduction strategies. After patching, administrators should consider audit procedures to verify whether untrusted certificates were injected into existing S/MIME signatures prior to upgrade.
More in Secure Email Gateway
View allSecure Email Gateway from Cellopoint has Buffer Overflow Vulnerability in authentication process. Rated critical severit
A vulnerability in the content scanning and message filtering features of Cisco Secure Email Gateway could allow an unau
The SMTP Listener of Secure Email Gateway from Cellopoint does not properly validate user input, leading to a Buffer Ove
Remote code execution in SEPPmail Secure Email Gateway versions prior to 15.0.2.1 enables unauthenticated attackers to e
Authorization bypass in SEPPmail Secure Email Gateway versions prior to 15.0.4 enables remote unauthenticated attackers
Remote unauthenticated attackers can read arbitrary local files and trigger deletion of targeted files in SEPPmail Secur
SEPPmail Secure Email Gateway before version 15.0.3 allows attackers to bypass subject sanitization and forge security t
SEPPmail Secure Email Gateway before version 15.0.3 fails to properly authenticate inner messages within S/MIME-encrypte
Account takeover in SEPPmail Secure Email Gateway versions before 15.0.3 allows unauthenticated attackers to reset victi
SEPPmail Secure Email Gateway before version 15.0.3 allows remote attackers to bypass subject line sanitization controls
Path traversal in SEPPmail Secure Email Gateway versions before 15.0.5 allows authenticated remote attackers to write fi
SEPPmail Secure Email Gateway before version 15.0.4 exposes server environment variables through an unauthenticated endp
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18160
GHSA-mmr3-c33j-h2f2