SEPPmail Just Disclosed Seven CVEs. The Worst Lets Anyone on the Internet Read Your Email Traffic.
InfoGuard Labs disclosed seven CVEs in SEPPmail Secure E-Mail Gateway including CVE-2026-2743 (CVSS 10.0 path traversal to full appliance takeover) and CVE-2026-44128 (unauthenticated Perl eval() RCE). Patched in 15.0.2.1, 15.0.3, and 15.0.4.
InfoGuard Labs disclosed seven security vulnerabilities in SEPPmail Secure E-Mail Gateway on May 19, 2026, including CVE-2026-2743 (CVSS 10.0) — a path traversal in the User Web Interface that chains to full appliance takeover — and CVE-2026-44128, an unauthenticated Perl eval() RCE. The encrypted-email gateway widely deployed across the DACH region just had its trust assumption broken at the appliance level.
ZURICH, SWITZERLAND — On May 19, 2026, InfoGuard Labs — a Swiss security research team — publicly disclosed seven security vulnerabilities in SEPPmail Secure E-Mail Gateway, the encrypted-email appliance widely deployed across the DACH region (Germany, Austria, Switzerland) for regulated and enterprise email security. The headline flaw, CVE-2026-2743 (CVSS 10.0 Critical), is a path traversal in the SEPPmail User Web Interface's Large File Transfer (LFT) feature that enables arbitrary file write and chains to remote code execution. The disclosed set also includes CVE-2026-27441 (CVSS 9.5) — arbitrary OS command execution — and CVE-2026-44128, an unauthenticated remote code execution via Perl code injection executed by eval() with no authentication checks. CVE-2026-44127 enables arbitrary file read of stored emails, LDAP databases, and cryptographic material. CVE-2026-7864 (CVSS 6.9) leaks server environment variables through an unauthenticated endpoint in the new GINA UI. Two additional CVEs cover auth bypass and input validation. InfoGuard documented an attack chain in which a remote attacker uses CVE-2026-2743 to overwrite /etc/syslog.conf via the nobody user's write access, spawning a Perl reverse shell that yields complete appliance takeover — permitting the attacker to read all mail traffic and persist indefinitely. SEPPmail issued patches in versions 15.0.2.1, 15.0.3, and 15.0.4. SEPPmail's customer base is concentrated in regulated DACH sectors: law firms, healthcare, financial services, and government.
What Happened
The CVSS 10.0 Path Traversal
CVE-2026-2743 is the headline. The Large File Transfer (LFT) feature in the SEPPmail User Web Interface fails to sanitize file path inputs, allowing an attacker to write arbitrary files to the appliance filesystem. The specific path InfoGuard demonstrated — /etc/syslog.conf via the nobody user's write access — turns the file write into a configuration-overwrite primitive. When the affected system reads the overwritten syslog configuration, it spawns a Perl-based reverse shell to the attacker. From there: complete appliance takeover, including the ability to read all mail traffic flowing through the gateway and persist indefinitely. Patched in version 15.0.4.
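The defensive side of this bug class, as an added example that is not SEPPmail's code: the check a file-transfer feature such as LFT needs before it writes a client-supplied name under its storage directory. The storage root, the function name and the sample inputs are assumptions; a temporary directory stands in for the root so the script runs anywhere.

```perl
#!/usr/bin/perl
# Added example, not SEPPmail code. Shows the check a file-transfer feature
# like LFT needs before writing a client-supplied name under its storage
# directory. The storage root and function name are assumptions; a temp
# directory stands in for the root so the script runs anywhere.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Returns an absolute path under $base that is safe to create, or undef.
sub safe_upload_path {
    my ($base, $name) = @_;
    return undef unless defined $name && length $name;
    # A transfer name must be one path component: no separators of either
    # style, no NUL bytes (which truncate paths in C code), no dot names.
    return undef if $name =~ m{[/\\\0]};
    return undef if $name eq '.' || $name eq '..';
    return undef unless $name =~ /\A\w[\w.\-]{0,127}\z/;

    # Canonicalise the root so the prefix test below is not fooled by
    # symlinks or redundant separators in the configured path.
    my $real_base = realpath($base);
    return undef unless defined $real_base && -d $real_base;

    my $target = File::Spec->catfile($real_base, $name);
    # An existing symlink at the target would redirect the write elsewhere.
    return undef if -l $target;
    # Belt and braces: the result must still sit directly under the root.
    return undef unless index($target, "$real_base/") == 0;
    return $target;
}

# Constructed inputs. The traversal string mirrors the /etc/syslog.conf
# target from the disclosure; no file is written here.
my $BASE = tempdir(CLEANUP => 1);
for my $name ('report.pdf', '../../../etc/syslog.conf', "a\0.txt", '..', '.hidden') {
    my $path = safe_upload_path($BASE, $name);
    my $shown = $name =~ s/\0/\\0/r;
    printf "%-26s -> %s\n", $shown, defined $path ? "write to $path" : 'rejected';
}
```

Only the plain file name is accepted; every traversal, NUL and dot-name variant is rejected before any path under the root is touched.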
The Unauthenticated Perl eval() RCE
CVE-2026-44128 is the second high-priority flaw and the operationally easier one to exploit. The vulnerability is an unauthenticated remote code execution in an API endpoint that passes attacker-controlled input directly to Perl's eval() function. There are no authentication checks. Any actor with the ability to scan the public internet for SEPPmail appliances can attempt this exploit; the skill required sits at the entry-level threat-actor tier. Patched in version 15.0.2.1. The bug pattern — passing user input to eval() — is canonical legacy enterprise-appliance code, the kind of finding that AI-assisted vulnerability discovery has been surfacing across legacy codebases throughout the 2026 cycle.
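The pattern and its fix side by side, as an added example that is not SEPPmail's code: a request handler that compiles its parameter with string eval() next to one that authenticates first and lets input only select from a closed dispatch table. Endpoint, action and parameter names are assumptions for the illustration.

```perl
#!/usr/bin/perl
# Added example, not SEPPmail code. Contrasts the bug class behind
# CVE-2026-44128 (request data reaching string eval()) with a handler that
# authenticates first and treats input as data. Names are assumptions.
use strict;
use warnings;

# VULNERABLE PATTERN: the request parameter is compiled and run as Perl, so
# whatever the client sends executes with the web server's privileges.
sub handle_action_unsafe {
    my ($param) = @_;
    return eval $param;
}

# FIXED PATTERN: a closed dispatch table. Input can only select an entry;
# it is never compiled, and arguments are validated before use.
my %ACTIONS = (
    status  => sub { 'ok' },
    version => sub { '15.0.4' },                            # placeholder value
    quota   => sub { my ($user) = @_; 'quota for ' . ($user // '?') },
);

sub handle_action_safe {
    my ($action, $arg, $session) = @_;
    # The original flaw had no authentication at all; check it first.
    return [401, 'authentication required']
        unless $session && $session->{authenticated};
    return [400, 'unknown action']
        unless defined $action && exists $ACTIONS{$action};
    return [400, 'bad argument']
        if defined $arg && $arg !~ /\A[a-z0-9._-]{1,64}\z/;
    return [200, $ACTIONS{$action}->($arg)];
}

# Constructed requests: valid, valid with argument, bad argument, unknown.
my $session = { authenticated => 1 };
for my $req (['status', undef], ['quota', 'alice'], ['quota', 'a b'], ['delete', undef]) {
    my $r = handle_action_safe(@$req, $session);
    printf "%-7s %-6s -> %d %s\n", $req->[0], $req->[1] // '-', @$r;
}
my $r = handle_action_safe('status', undef, undef);   # no session at all
printf "%-7s %-6s -> %d %s\n", 'status', '-', @$r;
```

The unsafe handler is shown only for contrast and is never called; in the fixed handler no request content is ever passed to eval(), so there is nothing to inject into.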
The File Read and Information Disclosure Bugs
CVE-2026-44127 enables arbitrary file read — stored emails, LDAP databases, and the cryptographic material the appliance uses to sign and encrypt mail. CVE-2026-7864 (CVSS 6.9) leaks server environment variables through an unauthenticated endpoint in the new GINA UI. The remaining CVEs (CVE-2026-27441 OS command execution, CVE-2026-27443 input validation, CVE-2026-29132 auth bypass) round out the disclosed set. Most are independently weaponizable; the operational chain shown by InfoGuard combines path traversal, syslog overwrite, and Perl reverse shell, but several of the remaining bugs would yield similar outcomes via alternative paths.
Scope and Impact
The SEPPmail disclosure joins a 2026 pattern The CyberSignal has tracked across the email- and web-infrastructure cluster. The Symantec Fast16 confirmation documented how legacy enterprise software runtimes can be hooked by nation-state operators for two decades without detection. The Mini Shai-Hulud TanStack wave showed how trust assumptions at the package-supply-chain tier break under operational pressure. The SEPPmail set adds the regional encrypted-email-gateway tier to the cluster: the encryption guarantee of the appliance does not extend to host integrity, and a single attacker who clears the CVSS 10.0 path traversal can read every email flowing through the gateway with persistence that survives reboot.
The DACH-region concentration is the policy-engagement layer. SEPPmail's customer base is heavily concentrated in regulated sectors — law firms, healthcare, financial services, and government — that adopted SEPPmail specifically because of its encrypted-email value proposition. The disclosure breaks that value proposition at the appliance level for any customer who has not patched. GDPR Article 33 and 34 breach-notification obligations attach to any exposure of stored mail content; Swiss FADP and Austrian DSG layer additional requirements. Healthcare-sector customers face HIPAA-equivalent or higher obligations under EU member-state law. The legal disclosure window starts the moment a customer determines that a successful exploit is plausible — which, given the unauthenticated Perl eval() RCE, is now.
Response and Attribution
SEPPmail issued patches in versions 15.0.2.1, 15.0.3, and 15.0.4 — the multi-version pattern suggests a coordinated disclosure between InfoGuard and the vendor. Customers should upgrade to 15.0.4 or later immediately. If immediate patching is not possible, the documented workaround is to disable the LFT and GINA v2 features if not required, and restrict external access to management and API endpoints via firewall ACLs. Audit the appliance for indicators of compromise: unexpected /etc/syslog.conf modifications, unexpected Perl processes, anomalous outbound connections, modifications to nobody user permissions, and any unscheduled mail-content export events.
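Two of the audit steps above in script form, as an added example that is neither SEPPmail's nor InfoGuard's tooling: it flags syslog.conf actions that pipe log lines into a program (BSD syslogd runs an action beginning with `|` as a command, which is the primitive the documented chain relies on) and reports the file's owner, mode and modification time. The sample configuration is constructed inline so it runs offline; on an appliance, point it at /etc/syslog.conf.

```perl
#!/usr/bin/perl
# Added example, not SEPPmail or InfoGuard tooling. Implements two of the audit
# steps above: flag syslog.conf actions that pipe log lines into a program (the
# primitive behind the documented chain) and report the file's owner, mode and
# mtime. The sample config is constructed so the script runs offline.
use strict;
use warnings;
use File::Temp qw(tempfile);
use POSIX qw(strftime);

# Returns a list of [line_no, line, reason] for entries worth a second look.
sub scan_syslog_conf {
    my ($path) = @_;
    open my $fh, '<', $path or die "cannot read $path: $!";
    my @findings;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /\A\s*(#|\z)/;                # comments and blanks
        my (undef, $action) = split /\s+/, $line, 2;   # selector, action
        next unless defined $action;
        # BSD syslogd treats an action starting with '|' as a program to run.
        push @findings, [$., $line, 'pipes log lines into a program']
            if $action =~ /\A\|/;
        push @findings, [$., $line, 'references perl or a temp directory']
            if $action =~ /\bperl\b/i || $action =~ m{/(?:var/)?tmp/};
    }
    close $fh;
    return @findings;
}

# Owner, permission bits and modification time; the chain needs the file to
# be writable by the nobody user, so group/other write bits are called out.
sub file_metadata {
    my ($path) = @_;
    my @st = stat $path or die "stat $path: $!";
    my $mode = $st[2] & 07777;
    return sprintf('owner uid=%d mode=%04o mtime=%s%s', $st[4], $mode,
        strftime('%Y-%m-%d %H:%M:%S', localtime $st[9]),
        ($mode & 022) ? ' WRITABLE BY GROUP/OTHER' : '');
}

# Constructed sample standing in for /etc/syslog.conf on an appliance.
my ($out, $CONF) = tempfile(UNLINK => 1);
print $out "# constructed sample\n*.err;kern.warning\t/var/log/messages\n",
           "mail.*\t\t\t/var/log/maillog\n",
           "*.*\t|/usr/local/bin/perl /tmp/.x.pl\n";
close $out;
print 'File: ', file_metadata($CONF), "\n";
printf "line %d: %s\n    %s\n", @$_ for scan_syslog_conf($CONF);
```

A hit on the pipe check is not proof of compromise on its own (some installations legitimately pipe to a log processor), so compare any flagged line and the reported mtime against a known-good backup or the vendor's default before escalating.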
No in-the-wild exploitation has been reported as of May 19, 2026. The CISA KEV catalog has not added the SEPPmail CVEs yet; given DACH-region concentration, the German BSI, Swiss NCSC, and Austrian A-SIT advisory channels are the higher-priority enforcement layers. Cryptographic material stored on the appliance — TLS certificates, signing keys, LDAP credentials — should be rotated under the assumption of potential exposure given CVE-2026-44127's read access. Healthcare and financial-sector customers should document the patch-deployment decision timeline in writing; the GDPR notification window starts on the determination of risk to data subjects, not on patch installation.
The CyberSignal Analysis
Signal 01 — The Encrypted-Email-Gateway Trust Assumption Has Broken at the Appliance Tier
SEPPmail's customer base adopted the platform because of its encrypted-email guarantee. CVE-2026-2743 breaks that guarantee at the host integrity layer — the gateway encrypts mail in transit, but a compromised host reads cleartext on either end of the encryption boundary. CISOs in regulated DACH sectors should treat the appliance tier as a target, not a control, going forward. Architectural moves to consider: minimize the attack surface of mail-handling appliances by segregating them from administrative-access networks; consider cloud-delivered email security where threat modeling permits; require contractual right to receive vulnerability disclosures for any encrypted-email vendor relationship.
Signal 02 — Unauthenticated eval() Injections Are the Canonical AI-Discoverable Bug Class
CVE-2026-44128 — passing attacker-controlled input directly to Perl's eval() — is the canonical bug class that AI-assisted vulnerability discovery has been surfacing across legacy enterprise codebases all year. Microsoft's MDASH found 16 of this month's Windows bugs through similar pattern-matching techniques. Expect more disclosures of unauthenticated injection bugs in legacy enterprise appliances over the next 12 months as defender-side AI tooling matures. Vendors operating legacy Perl, PHP, and Python codebases in enterprise appliances should preemptively audit for the pattern; the disclosure window is shrinking.
Signal 03 — The 2026 Email-Infrastructure Cycle Is Now a Full Tier 1 Patching Category
Microsoft Exchange CVE-2026-42897 in May. Exim Dead.Letter RCE in May. Apache HTTP/2 double-free in May. NGINX Rift CVE-2026-42945 in May. The Symantec Fast16 confirmation documented similar runtime-hook bug patterns in solver infrastructure. The SEPPmail set adds encrypted-email gateways to the cluster. Defenders should treat the entire email-and-web infrastructure tier as Tier 1 patching territory through 2026 — the volume of disclosures in this category is structural, not anomalous, and AI-assisted discovery is the macro reason.