Critical SEPPMail Gateway Flaws Open Remote Code Execution and Mail Snooping
#Vulnerabilities

Security Reporter
5 min read

InfoGuard Labs uncovered a chain of high‑severity bugs in SEPPMail’s Secure E‑Mail Gateway that let unauthenticated attackers write files, execute Perl code and read arbitrary mail. Patches arrived in version 15.0.4, and administrators should verify updates, tighten network segmentation and monitor for abuse of the LFT and API endpoints.


SEPPMail Secure E‑Mail Gateway – a popular on‑premise appliance that inspects inbound and outbound mail – was found to contain a suite of critical vulnerabilities that together enable a full takeover of the device. InfoGuard Labs researchers Dario Weiss, Manuel Feifel and Olivier Becker detailed the flaws in a report released on May 19, 2026. The bugs span path traversal, unauthenticated API abuse, unsafe deserialization and an eval injection that together give an attacker the ability to execute code, read any stored message and persist on the gateway.


The vulnerability set

| CVE | CVSS | Core issue |
|---|---|---|
| CVE‑2026‑2743 | 10.0 | Path traversal in the Large File Transfer (LFT) UI allows arbitrary file write. |
| CVE‑2026‑7864 | 6.9 | Unauthenticated endpoint in the new GINA UI leaks server environment variables. |
| CVE‑2026‑44125 | 9.3 | Missing authorization checks on several GINA UI endpoints expose privileged functions. |
| CVE‑2026‑44126 | 9.2 | Deserialization of untrusted data via a crafted object leads to code execution. |
| CVE‑2026‑44127 | 8.8 | Path traversal in /api.app/attachment/preview lets attackers read or delete files owned by the api.app process. |
| CVE‑2026‑44128 | 9.3 | Eval injection: the upldd parameter is fed directly into a Perl eval() without sanitization. |
| CVE‑2026‑44129 | 8.3 | Template engine injection that can run arbitrary expressions depending on enabled plugins. |

The most dangerous chain starts with CVE‑2026‑2743. By abusing the LFT feature, an attacker can write to any path the nobody user can touch – for example /etc/syslog.conf. Overwriting the syslog configuration to point at a malicious script gives a reverse shell once the daemon reloads its config.

Why the reload matters

syslogd only rereads its configuration after receiving a SIGHUP signal. SEPPMail’s appliance uses newsyslog for log rotation, which runs every 15 minutes via cron. When a log file exceeds its size limit (10 MiB for SEPPMail.log), newsyslog rotates the file and automatically sends SIGHUP to syslogd. An attacker can force this rotation by flooding the web interface with requests that generate log entries, effectively triggering a config reload and executing the planted payload.


Expert context

“The combination of unauthenticated file write and a predictable log‑rotation trigger creates a low‑effort path to a full system compromise,” said Dario Weiss, senior researcher at InfoGuard Labs. “Even without the LFT bug, the series of missing auth checks in the GINA UI would let an attacker enumerate internal configuration and harvest credentials.”

Manuel Feifel added that the eval injection (CVE‑2026‑44128) is particularly nasty because Perl’s eval runs with the same privileges as the web process, which on the appliance is a privileged system account. “A single crafted request can spawn a reverse shell without any prior foothold,” he explained.

Olivier Becker highlighted the broader impact: “An attacker who reads mail traffic can harvest authentication tokens, phishing templates and internal communication, giving them a foothold for lateral movement inside the corporate network.”


Practical advice for defenders

  1. Apply the patches immediately – Versions 15.0.2.1 (fixes CVE‑2026‑44128), 15.0.3 (fixes CVE‑2026‑44126) and 15.0.4 (covers the remaining flaws) are available on the SEPPMail download portal. Verify the installed version via the appliance’s CLI: seppmail --version.
  2. Restrict network exposure – Place the gateway behind a dedicated VLAN and allow only the mail‑relay ports (25, 587, 465) and the management UI (usually 443) from trusted IP ranges. Block any direct Internet access to the LFT endpoint.
  3. Enable strict logging limits – Reduce the log‑file size threshold to a few megabytes and configure newsyslog to rotate more frequently. This makes the forced‑rotation technique harder to exploit.
  4. Monitor for anomalous API calls – Look for repeated requests to /api.app/attachment/preview or the upldd parameter. A spike in 404/500 responses from the LFT UI is a strong indicator of probing.
  5. Enforce least‑privilege for the nobody user – Audit file permissions on the appliance; the nobody account should not be able to write to configuration directories such as /etc/.
  6. Deploy a web‑application firewall (WAF) – A rule that blocks request bodies containing eval( or serialized object patterns can stop the exploit before it reaches the backend.
  7. Regularly rotate credentials – After patching, rotate any service accounts or API keys that were stored in mail headers or body content, as they may have been exposed.
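The monitoring advice in item 4 can be turned into a small log triage script. The following is an added example written for this article; it is not code from the InfoGuard report or from SEPPMail. It assumes the gateway's web access log is in the common combined-log layout, that the LFT UI lives under an assumed path prefix (`/lft`, adjust to the real one), and it uses constructed sample lines with RFC 5737 documentation addresses. It flags requests to /api.app/attachment/preview that carry traversal sequences, any request carrying the upldd parameter, and source addresses that accumulate many 404/500 responses from the LFT UI.

```python
"""Triage web access-log lines for the probing patterns described in the advisory.

Added example, not code from the InfoGuard report or the SEPPMail product.
Assumptions: combined-log line layout, LFT UI served under LFT_PREFIX,
and the sample log below is constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed combined-log layout: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoints and parameter named in the advisory (CVE-2026-44127, CVE-2026-44128).
PREVIEW_PATH = "/api.app/attachment/preview"
EVAL_PARAM = "upldd"
# Assumed prefix of the Large File Transfer UI; not documented on the page.
LFT_PREFIX = "/lft"

# A '..' path component, with either slash style, anywhere in the value.
TRAVERSAL = re.compile(r"(^|[/\\])\.\.([/\\]|$)")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    # Decode twice so that %2e%2e and double-encoded %252e%252e both collapse to '..'
    rec["path"] = unquote(unquote(parts.path))
    rec["query"] = {
        k: [unquote(v) for v in vs]  # parse_qs already decoded once
        for k, vs in parse_qs(parts.query, keep_blank_values=True).items()
    }
    return rec


def classify(rec):
    """Return finding tags for one parsed request."""
    findings = []
    if rec["path"].startswith(PREVIEW_PATH):
        values = [rec["path"]] + [v for vs in rec["query"].values() for v in vs]
        if any(TRAVERSAL.search(v) for v in values):
            findings.append("preview-traversal")
        else:
            findings.append("preview-access")  # legitimate use, still worth counting
    if EVAL_PARAM in rec["query"]:
        findings.append("upldd-param")
    return findings


def analyze(lines, lft_error_threshold=5):
    """Map each client IP to its findings; add a spike tag for many LFT 404/500s."""
    findings = defaultdict(list)
    lft_errors = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        findings[rec["ip"]].extend(classify(rec))
        if rec["path"].startswith(LFT_PREFIX) and rec["status"] in (404, 500):
            lft_errors[rec["ip"]] += 1
    for ip, n in lft_errors.items():
        if n >= lft_error_threshold:
            findings[ip].append(f"lft-error-spike:{n}")
    return dict(findings)


# Constructed sample log: one probing client and one ordinary user.
SAMPLE_LOG = """\
203.0.113.7 - - [19/May/2026:10:01:02 +0000] "GET /api.app/attachment/preview?file=..%2F..%2F..%2Fetc%2Fsyslog.conf HTTP/1.1" 200 512
203.0.113.7 - - [19/May/2026:10:01:03 +0000] "POST /lft/upload?upldd=x HTTP/1.1" 500 0
203.0.113.7 - - [19/May/2026:10:01:04 +0000] "GET /lft/probe1 HTTP/1.1" 404 0
203.0.113.7 - - [19/May/2026:10:01:05 +0000] "GET /lft/probe2 HTTP/1.1" 404 0
203.0.113.7 - - [19/May/2026:10:01:06 +0000] "GET /lft/probe3 HTTP/1.1" 404 0
203.0.113.7 - - [19/May/2026:10:01:07 +0000] "GET /lft/probe4 HTTP/1.1" 404 0
198.51.100.2 - - [19/May/2026:10:02:00 +0000] "GET /api.app/attachment/preview?file=report.pdf HTTP/1.1" 200 8192
198.51.100.2 - - [19/May/2026:10:02:01 +0000] "GET /webmail/ HTTP/1.1" 200 4096
"""

if __name__ == "__main__":
    for ip, tags in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, tags)
```

Run it against the real access log by replacing SAMPLE_LOG with the file's lines; the threshold and the LFT prefix are the two knobs to tune. A "preview-access" tag on its own is normal traffic and is kept only so that a sudden rise in it from one address stands out next to the traversal and upldd hits.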

What to watch for in the wild

  • Spam campaigns that include large file‑transfer payloads targeting the LFT endpoint.
  • DNS queries for seppmail-update.com – a domain observed in early proof‑of‑concept exploits that fetched malicious Perl scripts.
  • Unexpected syslog entries indicating a SIGHUP reload followed by a new process launch.

If you see any of these indicators, isolate the appliance, capture a forensic image and engage the vendor’s incident‑response team.


Looking ahead

The SEPPMail incident underscores the risk of exposing complex management interfaces on appliances that run with elevated privileges. Security teams should treat any on‑premise email gateway as a potential attack surface, applying the same hardening practices used for public‑facing web servers.

For a deeper dive into the technical details, the full InfoGuard Labs report is available on their website, and the vendor’s patch notes can be found in the SEPPMail Security Bulletin.


Stay vigilant, keep your gateways patched, and remember that a single unchecked parameter can turn a mail scanner into a backdoor.
