
May 20, 2026 · 8 min read

Researchers Just Dropped Seven Critical Bugs in the Encrypted Email Gateway Used Across Germany, Austria, and Switzerland—One of Them Is a Perfect 10.0

The headline bug needs no authentication, no user interaction, and ends with the attacker reading every message that passes through the appliance. SEPPmail rolled the fix out across three separate patches.


What Happened

On May 19, 2026, InfoGuard Labs published the technical writeup that SEPPmail customers had been waiting two months for. The Hacker News reported the disclosure: seven vulnerabilities in SEPPmail Secure E-Mail Gateway, the appliance that handles encrypted business email for a huge slice of the DACH region (Germany, Austria, Switzerland), the most severe of which scored a perfect 10.0 on CVSS.

The headline bug, CVE-2026-2743, sits in the gateway's large file transfer feature. It needs no authentication. It needs no user interaction. And the proof of concept that InfoGuard built drops the attacker into a reverse shell with permission to read every message the gateway has touched.

What SEPPmail Actually Does

SEPPmail is the kind of product most people never see. It is a transparent encryption appliance that sits in front of a company's mail servers and rewrites outbound email so that it gets delivered encrypted, then decrypts the inbound replies. Hospitals, law firms, banks, ministries, and other regulated organizations across the DACH market use it because Swiss data protection laws and German BSI guidelines push them toward S/MIME and OpenPGP for sensitive correspondence.

The whole pitch is that the appliance is a privacy backstop. Even if a user forgets to encrypt something, SEPPmail catches it on the way out. That makes the gateway one of the most sensitive boxes in the network. Whoever owns SEPPmail can read everything before it gets encrypted and everything after it gets decrypted.

The 10.0

CVE-2026-2743 lives in the LFT (Large File Transfer) endpoint exposed by the user web interface. The endpoint accepts file uploads but never validates where the destination path actually points. A simple traversal sequence lets an unauthenticated attacker write a file anywhere the nobody user can write.
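The bug class described above, as an added example that is not SEPPmail's code or InfoGuard's proof of concept: a constructed upload handler that joins the client-supplied name verbatim (the vulnerable shape), next to a hardened version that decodes, normalises, and requires the result to stay inside the upload root. The root directory, function names, and sample names are assumptions.

```python
import posixpath
from urllib.parse import unquote

# Constructed example, not SEPPmail's code. It models the bug class the writeup
# describes for CVE-2026-2743: an upload endpoint that joins a client-supplied
# name onto a base directory without checking where the result points.

UPLOAD_ROOT = "/var/lft/uploads"  # hypothetical upload directory


def destination_unsafe(base_dir: str, client_name: str) -> str:
    """Vulnerable pattern: the client-supplied name is joined verbatim."""
    return posixpath.normpath(posixpath.join(base_dir, client_name))


def destination_safe(base_dir: str, client_name: str) -> str:
    """Hardened pattern: decode, normalise, then require containment in base_dir.

    Raises ValueError for anything that would land outside base_dir. Symlinks
    inside base_dir are a separate concern; resolve with os.path.realpath there.
    """
    # Decode twice so double-encoded sequences (%252e%252e) do not slip past.
    name = unquote(unquote(client_name))
    # Backslashes act as separators on some stacks; normalise them first.
    name = name.replace("\\", "/")
    if name.startswith("/") or name in ("", ".", ".."):
        raise ValueError("absolute, empty or reserved file name")
    root = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(root, name))
    # Containment check on the normalised path, not on the raw string;
    # commonpath also rejects sibling-prefix escapes such as ../uploads2/x.
    if posixpath.commonpath([root, target]) != root:
        raise ValueError("destination escapes upload root")
    return target


def is_traversal_attempt(client_name: str) -> bool:
    """Detection helper for a log or WAF rule: True if the name would escape."""
    try:
        destination_safe(UPLOAD_ROOT, client_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for sample in ("report.pdf", "../../../etc/passwd", "%2e%2e%2fetc%2fpasswd"):
        print(sample, "->", "BLOCKED" if is_traversal_attempt(sample) else "ok")
```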

InfoGuard's exploit chain is methodical:

  • Use the path traversal to overwrite the syslog configuration with a config that pipes log output into a Perl one-liner.
  • Wait for the next cron-triggered log rotation.
  • That rotation restarts syslog, which executes the attacker's Perl code as part of the new logging pipeline.
  • The Perl code opens a reverse shell back to the attacker.

From there, the attacker is inside the appliance with full visibility into the mail spool. SEPPmail's job is to handle plaintext on its way in and out of encryption, which means the mail spool contains the cleartext of every encrypted message currently being processed. The researchers wrote it plainly: an attacker can "read all mail traffic" and persist on the gateway indefinitely.

The Other Six

CVE-2026-2743 took the headlines, but the rest of the disclosure is a buffet:

  • CVE-2026-44128 (CVSS 9.3) — Eval injection in the template API endpoint. Whatever string an attacker puts in the template gets evaluated as code.
  • CVE-2026-44125 (CVSS 9.3) — The GINA UI endpoints, which handle messages to external recipients who don't have S/MIME keys, are missing authorization checks. An attacker can read or modify protected resources.
  • CVE-2026-44126 (CVSS 9.2) — Unsafe deserialization of untrusted data. Submit a serialized payload, get arbitrary code execution.
  • CVE-2026-44127 (CVSS 8.8) — Another unauthenticated path traversal, this one in attachment preview. Useful for reading config files, key material, or any other readable file on the appliance.
  • CVE-2026-44129 (CVSS 8.3) — Template engine injection. A second path to running attacker-controlled code through the templating system.
  • CVE-2026-7864 (CVSS 6.9) — Environment variable leakage. The appliance hands out the contents of its environment, which on these gateways usually include credentials, internal URLs, and integration tokens.

Any one of these in isolation is enough to call an incident. Together, they are a complete failure of the trust model that organizations were paying SEPPmail to enforce.

Why Encrypted Email Gateways Are Worth Targeting

Most enterprise software gets patched on a sane cadence because the attackers have to find new bugs every cycle. Email encryption gateways break that pattern in two ways.

First, they sit in the path of plaintext. End-to-end encryption is fine in theory, but in practice many companies cannot run it across their whole workforce. So they put SEPPmail (or one of its competitors) at the boundary and let the appliance handle the keys. That means the appliance is the only place where every encrypted message exists as cleartext, which makes it a uniquely valuable interception point.

Second, organizations that buy these gateways typically have legal, regulatory, or contractual reasons to encrypt their mail. Hospitals encrypt because they handle patient data. Law firms encrypt because they handle client communications. Government departments encrypt because they handle classified or restricted information. So the type of mail flowing through SEPPmail tends to be exactly the type that an attacker would most want to read.

A breach at the gateway is a breach of every encryption commitment the operator has made. It is the same architectural failure mode that hit Exim earlier this month: a piece of mail infrastructure that everyone trusts and almost nobody audits.

The Three Stage Patch Rollout

SEPPmail did not release a single fix. They shipped patches over multiple versions:

  • Version 15.0.2.1 — fixed CVE-2026-44128 (the eval injection).
  • Version 15.0.3 — fixed CVE-2026-44126 (the deserialization bug).
  • Version 15.0.4 — fixed the remaining flaws.

Administrators who upgraded to 15.0.2.1 when it came out are not safe. They patched the eval injection but still have the path traversal that scores 10.0. Anyone running anything below 15.0.4 should treat their appliance as exposed.

The InfoGuard researchers (Dario Weiss, Manuel Feifel, and Olivier Becker) followed coordinated disclosure and waited for the full patch set to ship before publishing. The earliest CVE assignments date back to March, so SEPPmail had over two months to push fixes through the supply chain.

What This Means for the Mail You Send

Encrypted email gateways are a quiet category. Most users have no idea their employer or vendor runs one. But if you have ever sent a message to a hospital, a Swiss law firm, an Austrian ministry, or a Liechtenstein bank, your mail probably crossed an appliance like SEPPmail on its way in. The contents of that message sat in cleartext on the gateway for as long as it took to scan, encrypt, and forward.

A vulnerability like CVE-2026-2743 means the cleartext window was potentially observable by anyone who exploited the appliance before it got patched. SEPPmail has not disclosed any in-the-wild exploitation, but the path traversal is trivial to weaponize once the technical details are public, and the technical details are now public.

If you operate or manage one of these appliances:

  • Patch to 15.0.4 immediately. Treat anything older as compromised until proven otherwise.
  • Pull the appliance off the public internet if it does not need to be exposed. The user web interface is the entry point for the worst bug, and it does not need to be reachable from the open web in most deployments.
  • Rotate any credentials, keys, or tokens that were stored on the gateway. CVE-2026-7864 leaked environment variables, which on these systems usually include secrets.
  • Audit the mail spool for signs of unauthorized access. A persistent attacker would not just read mail. They would copy it.

For everyone else, this is another reminder that the privacy of your email depends on a long chain of software that you have never heard of, and any link can fail.

The Pattern

CVE-2026-2743 fits into a broader pattern that researchers have been tracking for the last two years: security appliances themselves are increasingly the soft target. Mail gateways, firewalls, VPN concentrators, and EDR consoles are all internet-facing, all running closed-source firmware, and all sitting on highly privileged network segments. When one of them has a bug, the blast radius is enormous. The same lesson applied to Cisco's SD-WAN auth bypass last week, and to a half dozen Fortinet, Ivanti, and Palo Alto disclosures before that.

The SEPPmail disclosure is just the latest. Researchers are looking at these boxes harder than they ever have, and the bug counts are reflecting that scrutiny. Organizations that bought "secure" appliances in the 2010s on the assumption that the vendor had it under control are finding out, one CVE at a time, that the vendor did not.

The gateway is not a magic box. It is just another piece of software, and software with a 10.0 vulnerability is software an attacker can own.
