Researchers disclosed multiple critical vulnerabilities in the SEPPMail Secure E-Mail Gateway that can let attackers achieve remote code execution, read arbitrary files and emails, and maintain persistent control of the appliance. InfoGuard Labs said the exposed web UI and newer GINA v2 interface are affected, with the most severe issues including CVE-2026-2743, an authenticated path traversal in the Large File Transfer component that can be chained into arbitrary file write and code execution, CVE-2026-44128, an unauthenticated Perl injection leading to RCE, CVE-2026-44127, a local file inclusion and arbitrary file deletion flaw, and CVE-2026-7864, an information disclosure bug exposing environment variables through a debug endpoint.
The researchers described a practical takeover path in which an attacker overwrites /etc/syslog.conf and triggers a syslog reload via log rotation to obtain a Perl-based reverse shell, giving full control of the gateway and access to all mail traffic. They warned that the product is widely deployed, particularly in the DACH region, with thousands of internet-exposed instances visible, making the flaws a potential entry point into internal networks. SEPPMail released fixes across versions 15.0.2.1, 15.0.3, and 15.0.4, while public reporting highlighted that successful exploitation could expose sensitive email content and enable long-term compromise of affected organizations.
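The takeover path above hinges on a rewritten /etc/syslog.conf, so a defender can baseline that file and audit it for actions that hand log lines to a program. The following is an added example, not code from InfoGuard Labs or SEPPMail; it assumes the appliance's syslog daemon accepts BSD-style `|command` actions (the page does not state the mechanism), and the function names and sample configuration are constructed for illustration.

```python
import hashlib
import re

# Interpreters and shells that should never be the target of a log action.
SUSPECT = re.compile(r"(?:^|[/\s])(perl|sh|ksh|bash|python\d*|nc|ncat)\b")

# Constructed sample, not taken from a real appliance.
SAMPLE = """\
# constructed sample syslog.conf
*.notice;auth.info\t/var/log/messages
mail.info\t/var/log/maillog
*.*\t|/usr/bin/perl /tmp/PLACEHOLDER.pl
auth.info\t|/usr/local/bin/logfilter
"""


def fingerprint(text):
    """SHA-256 of the config, for comparison with a known-good baseline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_syslog_conf(text):
    """Return (line_no, reason, line) for every program (pipe) action."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments and block selector lines (starting ! or +).
        if not line or line[0] in "#!+":
            continue
        parts = line.split(None, 1)  # selector, then action
        if len(parts) != 2:
            continue
        action = parts[1].strip()
        if action.startswith("|"):
            cmd = action[1:].strip().strip('"')
            hit = SUSPECT.search(cmd)
            reason = "pipe to interpreter" if hit else "pipe to program"
            findings.append((no, reason, line))
    return findings


if __name__ == "__main__":
    print("sha256:", fingerprint(SAMPLE))
    for no, reason, line in audit_syslog_conf(SAMPLE):
        print(f"line {no}: {reason}: {line}")
```

Any change in the fingerprint between maintenance windows, or any "pipe to interpreter" finding, is worth treating as a possible compromise indicator on an unpatched gateway.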

7 events from the most recent confirmed update back to the earliest known activity.
The Hacker News reported on the SEPPMail disclosures, emphasizing that the vulnerabilities could allow attackers to execute code, read arbitrary files and emails, and gain persistent control of exposed appliances.
InfoGuard Labs published technical details for several SEPPMail Secure E-Mail Gateway flaws, including CVE-2026-2743, CVE-2026-44127, CVE-2026-44128, and CVE-2026-7864, and explained how they could be chained to achieve persistent remote code execution and mail traffic access.
A second Full Disclosure post publicly disclosed CVE-2025-70562 and CVE-2025-70563, describing impersonation attacks on EduPage caused by malicious SVG upload handling combined with missing CSRF protections.
A Full Disclosure mailing list post publicly disclosed CVE-2025-70561, an authorization bypass in EduPage's Payment module that exposed user identities and IBAN banking details to authenticated users and anonymous guest accounts.
SEPPMail issued patches for the disclosed gateway vulnerabilities in several releases, fixing CVE-2026-44128 in 15.0.2.1, CVE-2026-44126 in 15.0.3, and the remaining reported flaws in version 15.0.4.
InfoGuard Labs reported multiple vulnerabilities in the SEPPMail Secure E-Mail Gateway to SEPPMail over a period spanning February to May 2026, including issues that could lead to file access, arbitrary file write, and remote code execution.
Juraj Kosik published a detailed public report describing multiple EduPage security issues, including an authorization bypass in the Payment module and impersonation attacks enabled by unsafe SVG handling and missing CSRF protections.
5 references tracked.
thehackernews.com
labs.infoguard.ch
seclists.org
seclists.org
jkosik.github.io