Skip to main content

SEPPmail CVE-2026-8811

| EUVDEUVD-2026-37866 HIGH
Path Traversal (CWE-22)
2026-06-18 NCSC.ch GHSA-hp2p-h743-jhv4
7.1
CVSS 4.0 · Vendor: NCSC.ch
Share

Severity by source

Vendor (NCSC.ch) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.9 MEDIUM

Network-delivered via email but requires the gateway to invoke PDF encryption on a crafted attachment (AC:H), some processing privilege (PR:L), arbitrary file write yields high integrity and low availability impact, no confidentiality loss.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L

Primary rating from Vendor (NCSC.ch).

CVSS VectorVendor: NCSC.ch

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 18, 2026 - 11:16 EUVD
Analysis Generated
Jun 18, 2026 - 09:47 vuln.today

DescriptionCVE.org

SEPPmail versions before 15.0.5 allow improper handling of attachment filenames during encrypted PDF generation. An attacker can exploit this to create new files outside the intended directory, potentially placing files in web-accessible locations.

AnalysisAI

Path traversal in SEPPmail Secure Email Gateway versions before 15.0.5 allows authenticated remote attackers to write files outside the intended directory by manipulating attachment filenames processed during encrypted PDF generation. Files can be placed in web-accessible locations, enabling potential webshell deployment and integrity compromise. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify SEPPmail-protected recipient
Delivery
Send email with traversal-named attachment
Exploit
Gateway invokes encrypted-PDF generation
Install
Filename written outside intended directory
C2
File lands in web-accessible path
Execute
Retrieve planted file over HTTPS
Impact
Use for content control or follow-on access

Vulnerability AssessmentAI

Exploitation Exploitation requires the SEPPmail Secure Email Gateway to be processing an attachment through its encrypted-PDF generation feature, so the attacker must be able to deliver an email with a maliciously named attachment to a recipient whose mail flow triggers PDF encryption on the gateway, and the CVSS 4.0 vector indicates PR:L plus an attack requirement (AT:P), meaning some prerequisite condition in the message-processing pipeline must be met rather than pure unauthenticated remote exploitation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L) scores 7.1 and indicates a network-reachable flaw with low attack complexity but a 'Present' attack requirement (AT:P) and low privileges (PR:L), so exploitation depends on specific email-processing conditions and some level of authenticated/system access rather than being a trivial drive-by. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends an email to a SEPPmail-protected recipient with an attachment whose filename contains directory-traversal sequences; when the gateway generates the encrypted-PDF representation of that attachment, the crafted filename causes the output file to be written into a directory served by the appliance's web interface. The attacker then requests that file over HTTP/HTTPS - for example, a planted script or HTML payload - to achieve content placement, defacement, or webshell-style follow-on access. …
Remediation Vendor-released patch: SEPPmail 15.0.5 - upgrade all SEPPmail Secure Email Gateway instances to 15.0.5 or later as documented in the vendor release notes at https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#possible-path-traversal-vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all deployed SEPPmail instances and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-9043 CRITICAL
9.8 Sep 20

Secure Email Gateway from Cellopoint has Buffer Overflow Vulnerability in authentication process. Rated critical severit

CVE-2024-20401 CRITICAL
9.8 Jul 17

A vulnerability in the content scanning and message filtering features of Cisco Secure Email Gateway could allow an unau

CVE-2024-6744 CRITICAL
9.8 Jul 15

The SMTP Listener of Secure Email Gateway from Cellopoint does not properly validate user input, leading to a Buffer Ove

CVE-2026-44128 CRITICAL
9.3 May 08

Remote code execution in SEPPmail Secure Email Gateway versions prior to 15.0.2.1 enables unauthenticated attackers to e

CVE-2026-44125 CRITICAL
9.3 May 08

Authorization bypass in SEPPmail Secure Email Gateway versions prior to 15.0.4 enables remote unauthenticated attackers

CVE-2026-44127 HIGH
8.8 May 08

Remote unauthenticated attackers can read arbitrary local files and trigger deletion of targeted files in SEPPmail Secur

CVE-2026-29144 HIGH
7.8 Apr 02

SEPPmail Secure Email Gateway before version 15.0.3 allows attackers to bypass subject sanitization and forge security t

CVE-2026-29143 HIGH
7.8 Apr 02

SEPPmail Secure Email Gateway before version 15.0.3 fails to properly authenticate inner messages within S/MIME-encrypte

CVE-2026-29139 HIGH
7.8 Apr 02

Account takeover in SEPPmail Secure Email Gateway versions before 15.0.3 allows unauthenticated attackers to reset victi

CVE-2026-29141 HIGH
7.7 Apr 02

SEPPmail Secure Email Gateway before version 15.0.3 allows remote attackers to bypass subject line sanitization controls

CVE-2026-29140 HIGH
7.7 Apr 02

SEPPmail Secure Email Gateway before version 15.0.3 allows remote attackers to inject malicious certificates into S/MIME

CVE-2026-7864 MEDIUM
6.9 May 08

SEPPmail Secure Email Gateway before version 15.0.4 exposes server environment variables through an unauthenticated endp

Share

CVE-2026-8811 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy