Researchers have disclosed seven vulnerabilities in SEPPMail Secure E-Mail Gateway, an enterprise email encryption and security appliance, including CVE-2026-2743 — a CVSS 10.0 path traversal flaw enabling unauthenticated remote code execution — alongside four additional critical-to-high severity flaws that together could let attackers read all confidential mail the gateway was deployed to protect.
CVE-2026-2743: The CVSS 10.0 Path Traversal Requiring No Authentication
CVE-2026-2743 is a path traversal vulnerability in SEPPMail’s large file transfer feature. Exploitation requires no authentication: attackers send crafted requests that escape the intended file path and write arbitrary files anywhere on the server, achieving remote code execution on the appliance without credentials or a valid account of any kind on the system.
A path traversal with unauthenticated write capability and code execution represents the maximum severity category of server-side vulnerability. An attacker with network access to the gateway can achieve full control of the appliance without any prior foothold. The CVSS 10.0 rating reflects the combination of no authentication required, network accessibility, and the resulting code execution outcome.
The Four Additional Critical-to-High CVEs in the SEPPMail Cluster
CVE-2026-2743 is the most severe of seven disclosed flaws, but four additional vulnerabilities in the same research cluster carry critical-to-high ratings. CVE-2026-44125 (CVSS 9.3) involves missing authentication checks that allow unauthenticated access to protected functionality. CVE-2026-44126 (CVSS 9.2) is an unsafe deserialization flaw leading to code execution. CVE-2026-44128 (CVSS 9.3) is an eval injection enabling code execution. CVE-2026-44129 (CVSS 8.3) is a template injection flaw that also enables remote code execution. Four of the five leading vulnerabilities independently enable code execution through distinct technical paths, indicating an attack surface that was inadequately hardened across multiple development areas.
How Gateway Compromise Enables Passive Mail Interception
Researchers stated the vulnerabilities “could have been exploited to read all mail traffic or as an entry vector into the internal network.” SEPPMail is deployed specifically to encrypt and secure enterprise email communications, which means the appliance processes decrypted message content as mail transits through it. An attacker with code execution on the gateway does not need to break encryption on individual endpoints — they can passively intercept message content as the gateway decrypts it in transit, achieving the exact outcome the security product was purchased to prevent.
Patch Versions and the Upgrade Path to Full Remediation
Patches for the disclosed vulnerabilities are distributed across multiple SEPPMail releases. CVE-2026-44128 was addressed in version 15.0.2.1. CVE-2026-44126 was fixed in version 15.0.3. All remaining vulnerabilities in the cluster — including the CVSS 10.0 CVE-2026-2743 — are patched in version 15.0.4. Organizations running SEPPMail must upgrade to version 15.0.4 to remediate the full seven-flaw set; partial upgrades address only a subset of the disclosed vulnerabilities.
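The release-to-fix mapping above, as an added example (not SEPPMail's or the researchers' code): a check that reports which of the named CVEs remain open on a given installed version, showing why a partial upgrade is not enough. It assumes plain dotted numeric version strings, that 15.0.2.1 sorts before 15.0.3, and that fixes carry into later releases; the function names and the sample versions are constructed for illustration.

```python
import re

# Fix versions as stated in the article. CVEs named without an individual
# fix version fall under "all remaining vulnerabilities": 15.0.4.
FIXED_IN = {
    "CVE-2026-44128": "15.0.2.1",
    "CVE-2026-44126": "15.0.3",
    "CVE-2026-2743": "15.0.4",
    "CVE-2026-44125": "15.0.4",
    "CVE-2026-44129": "15.0.4",
}
FULL_FIX = "15.0.4"  # release that remediates the whole seven-flaw set


def parse_version(text, width=4):
    """Turn '15.0.3' into (15, 0, 3, 0) so 3- and 4-part versions compare."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    if len(parts) > width:
        raise ValueError(f"more than {width} components: {text!r}")
    return tuple(parts + [0] * (width - len(parts)))


def unpatched(installed):
    """Return the named CVEs still open on `installed`, sorted by id."""
    have = parse_version(installed)
    return sorted(c for c, fix in FIXED_IN.items() if have < parse_version(fix))


def fully_remediated(installed):
    """True only at or above the release that covers all seven flaws,
    including the two the article does not identify by CVE id."""
    return parse_version(installed) >= parse_version(FULL_FIX)


if __name__ == "__main__":
    for version in ("15.0.2", "15.0.2.1", "15.0.3", "15.0.4"):  # constructed
        open_cves = ", ".join(unpatched(version)) or "none"
        print(f"{version}: remediated={fully_remediated(version)} open={open_cves}")
```
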
The Trust Inversion Consequence of Compromising a Security Gateway
Email security gateways hold a privileged position in network architecture: they sit between external mail infrastructure and internal mail servers, with access to decrypted content flowing in both directions. Compromise of the gateway inverts the security model — the device deployed to add trust and confidentiality becomes the attack surface through which both are violated. The cluster of seven vulnerabilities across multiple independent code paths suggests a concentrated research effort that found a broadly under-reviewed attack surface in the product rather than a single oversight in one feature.
