Seppmail
Monthly
Remote code execution in SeppMail secure email gateway versions 15.0.2.1 and earlier allows unauthenticated attackers to write arbitrary files via path traversal in the Large File Transfer (LFT) feature of the User Web Interface, leading to full system compromise. The flaw carries a maximum CVSS 4.0 score of 10.0 reflecting network-reachable, no-privilege exploitation with scope-changing impact, and was disclosed by InfoGuard Labs alongside CVE-2026-7864, CVE-2026-44127, and CVE-2026-44128. No public exploit identified at time of analysis and EPSS sits at 0.52% (67th percentile), so widespread automated abuse has not yet materialized despite the critical severity.
SEPPmail Secure Email Gateway versions before 15.0.1 fail to properly validate S/MIME certificates with whitespace characters in email addresses, enabling attackers to forge digital signatures and impersonate legitimate senders. This integrity bypass affects organizations relying on SEPPmail for secure email validation and could undermine trust in digitally signed communications. No patch is currently available for affected installations.
SEPPmail Secure Email Gateway versions prior to 15.0.1 fail to properly isolate decrypted PGP message content from surrounding plaintext, enabling attackers to access encrypted sensitive information over the network without authentication. This high-severity flaw affects organizations relying on SEPPmail for secure email handling and exposes confidential data despite encryption protections. No patch is currently available for this vulnerability.
Seppmail versions up to 15.0.1 is affected by improper verification of cryptographic signature (CVSS 5.3).
Seppmail versions up to 15.0.1 is affected by improper verification of cryptographic signature (CVSS 5.3).
SEPPmail Secure Email Gateway versions before 15.0.1 misinterpret email addresses in message headers, enabling attackers to spoof sender identities or decrypt encrypted communications due to inconsistent header parsing with standard mail infrastructure. This unauthenticated network-based vulnerability affects all default installations with no available patch, presenting significant risk to organizations relying on the gateway for email security.
SEPPmail Secure Email Gateway versions before 15.0.1 fail to properly validate S/MIME message headers, enabling attackers to forge or manipulate email headers and bypass trust mechanisms without authentication. This allows adversaries to spoof trusted senders or inject malicious headers into encrypted messages, potentially facilitating phishing and social engineering attacks. No patch is currently available for affected installations.
Improper filename validation in SEPPmail Secure Email Gateway's GINA web interface (versions before 15.0.1) enables unauthenticated remote attackers to access arbitrary files on the gateway through specially crafted encrypted email attachments. This path traversal vulnerability affects the confidentiality of sensitive data stored on affected systems. No patch is currently available.
Command injection in SEPPmail Secure Email Gateway before 15.0.1 via PDF encryption password.
SEPPmail through 12.1.17 allows command injection within the Admin Portal. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable. No vendor patch available.
Remote code execution in SeppMail secure email gateway versions 15.0.2.1 and earlier allows unauthenticated attackers to write arbitrary files via path traversal in the Large File Transfer (LFT) feature of the User Web Interface, leading to full system compromise. The flaw carries a maximum CVSS 4.0 score of 10.0 reflecting network-reachable, no-privilege exploitation with scope-changing impact, and was disclosed by InfoGuard Labs alongside CVE-2026-7864, CVE-2026-44127, and CVE-2026-44128. No public exploit identified at time of analysis and EPSS sits at 0.52% (67th percentile), so widespread automated abuse has not yet materialized despite the critical severity.
SEPPmail Secure Email Gateway versions before 15.0.1 fail to properly validate S/MIME certificates with whitespace characters in email addresses, enabling attackers to forge digital signatures and impersonate legitimate senders. This integrity bypass affects organizations relying on SEPPmail for secure email validation and could undermine trust in digitally signed communications. No patch is currently available for affected installations.
SEPPmail Secure Email Gateway versions prior to 15.0.1 fail to properly isolate decrypted PGP message content from surrounding plaintext, enabling attackers to access encrypted sensitive information over the network without authentication. This high-severity flaw affects organizations relying on SEPPmail for secure email handling and exposes confidential data despite encryption protections. No patch is currently available for this vulnerability.
Seppmail versions up to 15.0.1 is affected by improper verification of cryptographic signature (CVSS 5.3).
Seppmail versions up to 15.0.1 is affected by improper verification of cryptographic signature (CVSS 5.3).
SEPPmail Secure Email Gateway versions before 15.0.1 misinterpret email addresses in message headers, enabling attackers to spoof sender identities or decrypt encrypted communications due to inconsistent header parsing with standard mail infrastructure. This unauthenticated network-based vulnerability affects all default installations with no available patch, presenting significant risk to organizations relying on the gateway for email security.
SEPPmail Secure Email Gateway versions before 15.0.1 fail to properly validate S/MIME message headers, enabling attackers to forge or manipulate email headers and bypass trust mechanisms without authentication. This allows adversaries to spoof trusted senders or inject malicious headers into encrypted messages, potentially facilitating phishing and social engineering attacks. No patch is currently available for affected installations.
Improper filename validation in SEPPmail Secure Email Gateway's GINA web interface (versions before 15.0.1) enables unauthenticated remote attackers to access arbitrary files on the gateway through specially crafted encrypted email attachments. This path traversal vulnerability affects the confidentiality of sensitive data stored on affected systems. No patch is currently available.
Command injection in SEPPmail Secure Email Gateway before 15.0.1 via PDF encryption password.
SEPPmail through 12.1.17 allows command injection within the Admin Portal. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable. No vendor patch available.