Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
SEPPmail Secure Email Gateway before version 15.0.4 insecurely deserializes untrusted data, which can be reached from the new GINA UI and may allow unauthenticated remote attackers to execute code via a crafted serialized object.
AnalysisAI
Remote code execution in SEPPmail Secure Email Gateway via insecure deserialization allows unauthenticated attackers to execute arbitrary code through the GINA UI interface. Versions prior to 15.0.4 deserialize untrusted data without validation, enabling attackers to send crafted serialized objects that execute upon processing. CVSS 9.2 reflects network-accessible attack with low complexity requiring only present attack conditions, though no active exploitation (KEV) or public POC has been identified at time of analysis.
Technical ContextAI
This vulnerability stems from CWE-502 (Deserialization of Untrusted Data), a critical weakness where applications reconstruct objects from serialized data streams without proper validation. SEPPmail Secure Email Gateway's GINA (presumably Gateway Interface/Network Access) UI component processes serialized objects from network sources without implementing integrity checks, type validation, or deserialization filters. When untrusted serialized data is processed by vulnerable deserialization libraries (common in .NET, Java, Python), attackers can manipulate object properties and method calls to achieve arbitrary code execution. The CVSS 4.0 vector indicates network accessibility (AV:N), low attack complexity (AC:L), but requires specific attack conditions to be present (AT:P), suggesting the GINA UI endpoint must be exposed or specific functionality enabled.
RemediationAI
Upgrade immediately to SEPPmail Secure Email Gateway version 15.0.4 or later, as documented in the vendor's security advisory at https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#security. This version addresses the insecure deserialization vulnerability in the GINA UI component. If immediate patching is not feasible, implement network-level access controls to restrict GINA UI access to trusted administrative networks only, blocking all internet-facing exposure - this significantly reduces attack surface but does not eliminate risk from authenticated users or compromised internal systems. Additionally, deploy web application firewall rules to inspect and block serialized object patterns in requests to GINA UI endpoints, though this compensating control may cause operational disruption and requires careful tuning to avoid blocking legitimate administrative functions. Monitor SEPPmail logs for unusual GINA UI access patterns or deserialization errors as potential exploitation indicators.
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28635
GHSA-69wg-m4qc-c3qc