Tuesday, 02 January 2024 12:17 GMT

Seppmail Flaws Raise Email Gateway Risks Arabian Post


(MENAFN- The Arabian Post) Multiple high-severity vulnerabilities in SEPPmail Secure E-Mail Gateway have exposed organisations using the encrypted messaging appliance to risks ranging from remote code execution to interception of confidential email traffic, with the highest concern centred on publicly reachable systems in Germany, Austria and Switzerland.

The flaws affect a product widely used to secure email exchange between companies and external recipients, particularly where encrypted messages, large file transfers and web-based access to protected mail are required. The disclosures cover several components, including the Large File Transfer module and the GINA web interface, both of which can be exposed to the internet depending on how the gateway is deployed.

One of the most serious vulnerabilities, tracked as CVE-2026-2743, allows a pre-authenticated remote attacker to turn an arbitrary file write weakness in the Large File Transfer feature into command execution on the appliance. The issue stems from insufficient validation of file path input during chunked upload handling. By manipulating file paths, an attacker could write to sensitive locations on the system and potentially trigger commands through the system logging configuration.
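The weakness class described above, shown as an added example that is not SEPPmail code: a chunk-upload path built directly from client fields, beside a resolver that keeps every write inside the spool directory. The function names, field names and limits are hypothetical.

```python
import os
import re

# Hypothetical names throughout; this is not the product's API or layout.
UPLOAD_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")
MAX_CHUNKS = 100_000  # assumed upper bound on chunks per upload


def naive_chunk_path(spool_dir, upload_id, filename, index):
    """Weak pattern: client-supplied fields are joined straight into a path."""
    return os.path.join(spool_dir, upload_id, f"{filename}.part{index}")


def safe_chunk_path(spool_dir, upload_id, filename, index):
    """Return a chunk path inside spool_dir, or raise ValueError."""
    if not UPLOAD_ID_RE.fullmatch(upload_id):
        raise ValueError("bad upload id")
    if not isinstance(index, int) or not 0 <= index < MAX_CHUNKS:
        raise ValueError("bad chunk index")
    # The filename must be a single component: no separators, dots-only or NUL.
    if (not filename or filename in (".", "..")
            or any(c in filename for c in ("/", "\\", "\x00"))):
        raise ValueError("bad filename")
    base = os.path.realpath(spool_dir)
    # realpath resolves symlinks too, so a link planted under the spool
    # directory cannot redirect the write elsewhere.
    target = os.path.realpath(
        os.path.join(base, upload_id, f"{filename}.part{index}"))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes spool directory")
    return target


def escapes(base, path):
    """True if path resolves to a location outside base."""
    base = os.path.realpath(base)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


if __name__ == "__main__":
    import tempfile
    spool = tempfile.mkdtemp()
    # Constructed inputs: one benign filename, one carrying parent references.
    for name in ("report.pdf", "../../../outside"):
        print(name, "-> naive path escapes spool:",
              escapes(spool, naive_chunk_path(spool, "u1", name, 0)))
        try:
            print("  safe:", safe_chunk_path(spool, "u1", name, 0))
        except ValueError as exc:
            print("  safe: rejected,", exc)
```

The containment check on the resolved path is the control that matters; the allow-list on the individual fields only narrows what reaches it.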

The impact is significant because the gateway sits at a sensitive point in corporate infrastructure. A compromised appliance could allow attackers to read mail traffic, access stored messages, harvest credentials, examine directory data and use the device as a foothold for deeper movement inside a network. Security appliances can also be harder for corporate defenders to monitor than standard servers, particularly when logging, endpoint detection and centralised telemetry are limited.

Another critical flaw, CVE-2026-44128, affects the newer GINA v2 interface and enables unauthenticated remote code execution through Perl code injection. The vulnerable endpoint processes attacker-controlled input in a way that can lead to server-side command execution. GINA is designed to let external recipients read encrypted messages through a web interface after receiving an HTML attachment and separate password, making exposure of this component especially sensitive where it is enabled for external communication.

CVE-2026-44127 adds a separate data-exposure risk through a path traversal flaw in an attachment preview function. The vulnerable parameter can be abused to read arbitrary local files and, in some cases, trigger deletion of files in the targeted directory with the privileges of the affected process. The exposed data may include emails, LDAP database content, password hashes and cryptographic material, depending on configuration and local storage.

The vulnerability cluster also includes CVE-2026-44126, an insecure deserialisation issue reachable through the GINA UI that can allow unauthenticated attackers to execute code through crafted serialized objects. This flaw affects versions before 15.0.4 and carries a critical severity rating. Earlier disclosures affecting versions before 15.0.1 include CVE-2026-27441, an operating system command injection flaw linked to PDF encryption password handling, and CVE-2026-2748, an S/MIME certificate validation weakness that could permit signature spoofing when certificates contain email addresses with whitespace characters.

SEPPmail has issued fixes across the 15.0 release line. Administrators are being urged to move to the patched versions, including 15.0.2.1, 15.0.3 and 15.0.4 or later, depending on the affected component. Systems using the Large File Transfer feature should verify whether the file upload endpoint is reachable from untrusted networks, while organisations using GINA v2 should review whether the interface is required and whether access can be restricted.

The chronology points to a widening review of the product after earlier findings prompted further analysis. Initial vulnerability reports were submitted in February, with additional disclosures following in March and May. Several flaws were later assigned CVE identifiers and patched, although some fixes appear to have reached users before full public technical details were available.




The Arabian Post
