Skip to main content

SEPPmail Secure Email Gateway CVE-2026-44126

| EUVDEUVD-2026-28635 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-05-08 vulnerability@ncsc.ch GHSA-69wg-m4qc-c3qc
9.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 08, 2026 - 15:17 EUVD
Analysis Generated
May 08, 2026 - 15:00 vuln.today
CVE Published
May 08, 2026 - 14:16 nvd
CRITICAL 9.2

DescriptionCVE.org

SEPPmail Secure Email Gateway before version 15.0.4 insecurely deserializes untrusted data, which can be reached from the new GINA UI and may allow unauthenticated remote attackers to execute code via a crafted serialized object.

AnalysisAI

Remote code execution in SEPPmail Secure Email Gateway via insecure deserialization allows unauthenticated attackers to execute arbitrary code through the GINA UI interface. Versions prior to 15.0.4 deserialize untrusted data without validation, enabling attackers to send crafted serialized objects that execute upon processing. CVSS 9.2 reflects network-accessible attack with low complexity requiring only present attack conditions, though no active exploitation (KEV) or public POC has been identified at time of analysis.

Technical ContextAI

This vulnerability stems from CWE-502 (Deserialization of Untrusted Data), a critical weakness where applications reconstruct objects from serialized data streams without proper validation. SEPPmail Secure Email Gateway's GINA (presumably Gateway Interface/Network Access) UI component processes serialized objects from network sources without implementing integrity checks, type validation, or deserialization filters. When untrusted serialized data is processed by vulnerable deserialization libraries (common in .NET, Java, Python), attackers can manipulate object properties and method calls to achieve arbitrary code execution. The CVSS 4.0 vector indicates network accessibility (AV:N), low attack complexity (AC:L), but requires specific attack conditions to be present (AT:P), suggesting the GINA UI endpoint must be exposed or specific functionality enabled.

RemediationAI

Upgrade immediately to SEPPmail Secure Email Gateway version 15.0.4 or later, as documented in the vendor's security advisory at https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#security. This version addresses the insecure deserialization vulnerability in the GINA UI component. If immediate patching is not feasible, implement network-level access controls to restrict GINA UI access to trusted administrative networks only, blocking all internet-facing exposure - this significantly reduces attack surface but does not eliminate risk from authenticated users or compromised internal systems. Additionally, deploy web application firewall rules to inspect and block serialized object patterns in requests to GINA UI endpoints, though this compensating control may cause operational disruption and requires careful tuning to avoid blocking legitimate administrative functions. Monitor SEPPmail logs for unusual GINA UI access patterns or deserialization errors as potential exploitation indicators.

Share

CVE-2026-44126 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy