CVE-2026-44128 · SEPPmail Secure Email Gateway before version 15.0.2.1

01 · The Real Story

This is a loaded nail gun left by the front door, but only in houses that installed the new entryway

CVE-2026-44128 is an unauthenticated remote code execution flaw in SEPPmail Secure Email Gateway before 15.0.2.1. The vulnerable path sits in the new GINA v2 UI under /api.app/template, where attacker-controlled input from the upldd parameter is fed into Perl eval, allowing arbitrary Perl execution over HTTPS with no valid session required. InfoGuard's write-up says GINA v2 has been available since roughly January 2025 and requires explicit activation in system settings, which sharply narrows the exposed population compared with the whole SEPPmail install base.

In pure technical terms this is bad enough to look like a CRITICAL: it's pre-auth, remote, low-complexity code execution on an internet-facing email appliance. In real enterprise patch triage, though, the decisive friction is feature-gated exposure: the bug only exists where GINA v2 is enabled and reachable, and the code reportedly runs as the webserver user rather than instant root. That keeps the real-world priority at = ASSESSED AT HIGH rather than CRITICAL, while still making it urgent anywhere GINA v2 is externally exposed.

"Pre-auth RCE on a mail gateway is serious, but GINA v2 being opt-in keeps this assessed at HIGH, not CRITICAL."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Find an exposed GINA v2 endpoint with internet reachability

The attacker first identifies a SEPPmail gateway exposing the new GINA/API surface over HTTPS. InfoGuard notes GINA is commonly exposed for secure mail access by external recipients, and their research found several thousand public SEPPmail instances on Censys; however, this CVE specifically needs the newer GINA v2 path behind /api.app.

Conditions required:

Target runs SEPPmail Secure Email Gateway earlier than 15.0.2.1
GINA v2 is enabled
The vulnerable web interface is reachable from the attacker

Where this breaks in practice:

GINA v2 is not universal; InfoGuard says it requires explicit activation
Some deployments may restrict web access behind VPN, reverse proxy ACLs, or private exposure

Detection/coverage: External attack-surface management can usually spot SEPPmail web exposure, but not reliably whether GINA v2 is enabled without active probing.

STEP 02

Send a crafted multipart POST to /api.app/template using curl from the InfoGuard PoC

The exploit path is straightforward: submit a multipart POST request to /api.app/template and supply Perl in the upldd field. InfoGuard published a working curl example showing the server executes the injected Perl immediately because the handler passes user input to eval without sanitization.

Conditions required:

HTTPS access to /api.app/template
No intervening control blocks or rewrites the request

Where this breaks in practice:

An IPS/WAF or reverse proxy with tight multipart inspection may disrupt the exact request shape
Organizations that disabled or unpublished GINA v2 remove the reachable exploit surface entirely

Detection/coverage: Check Point published IPS coverage for SEPPMail Secure Email Gateway RCE on 2026-05-20; custom HTTP detections can key off POSTs to /api.app/template containing upldd= and Perl execution primitives.

STEP 03

Execute code as the SEPPmail web process

Successful exploitation yields server-side command execution in the appliance context. InfoGuard's adjacent GINA analysis indicates these paths run as user nobody, which is still enough to establish a foothold on a trusted mail-handling appliance even if it is not an immediate root shell.

Conditions required:

Exploit request reaches the vulnerable handler
Application executes the Perl payload

Where this breaks in practice:

Process privileges appear limited to the webserver context rather than full root
Host hardening and filesystem permissions may limit some follow-on actions

Detection/coverage: EDR is often absent on virtual mail appliances; defenders should rely on web logs, appliance process telemetry if available, and anomalous outbound connections from the gateway.

STEP 04

Abuse the foothold for mail access, persistence, or internal pivoting

Once code execution lands on an email gateway, the attacker is sitting on a high-trust choke point. Even without immediate privilege escalation, they can attempt mail theft, credential harvesting, token collection, configuration abuse, and pivoting; InfoGuard explicitly warns these appliances can become entry points into the internal network and that blue teams are often blind on them.

Conditions required:

Post-exploitation access on the gateway
Useful local data, network adjacency, or weak monitoring

Where this breaks in practice:

Some sensitive files or directories may not be readable by nobody without chaining additional flaws
Outbound filtering and segmentation can limit pivoting

Detection/coverage: Monitor the gateway for new outbound destinations, shell spawns from web-facing processes, and unexpected access to mail stores, configs, or identity material.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No confirmed active exploitation found in the sources reviewed as of 2026-06-02. It is not in CISA KEV.
Proof-of-concept availability	Public technical PoC exists via InfoGuard Labs, including a working `curl` request against `/api.app/template`.
EPSS	0.00153 (~0.153%), which is low and argues against mass-exploitation pressure today.
KEV status	Not listed in the CISA Known Exploited Vulnerabilities catalog.
CVSS context	There is no vendor-published CVSS baseline to anchor against. Separately, the NVD record currently shows a CNA CVSS v4.0 9.3 / CRITICAL vector: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`.
Affected versions	SEPPmail Secure Email Gateway before 15.0.2.1. The vulnerable component is the new GINA v2 UI.
Fixed versions	15.0.2.1 fixes this CVE specifically; later trains such as 15.0.4.x and 15.0.5 are also beyond the affected range.
Exposure population	InfoGuard reports several thousand public SEPPmail instances on Censys, but that does not mean all are reachable for this CVE. The exploit requires GINA v2, which InfoGuard says was available since about January 2025 and must be explicitly enabled.
Disclosure timeline	CVE published by the Swiss CNA on 2026-05-08; InfoGuard public technical disclosure followed on 2026-05-18.
Researchers / reporting org	Reported by Dario Weiss, Manuel Feifel, and Olivier Becker of InfoGuard Labs.

04 · The Call

noisgate verdict.

Final Verdict

= UNCHANGED to HIGH (8.6/10)

The biggest factor keeping this out of CRITICAL is reachability friction: the flaw only matters where the new GINA v2 interface is explicitly enabled and exposed, not across every SEPPmail gateway. But where that condition is met, this is still unauthenticated internet-reachable code execution on a trusted email appliance, which is too dangerous to score below HIGH.

HIGH Technical impact and exploitability of the vulnerable endpoint

MEDIUM Real-world exposed population because GINA v2 enablement is deployment-specific

Why this verdict

Unauthenticated remote code execution keeps the floor high: the attacker position is unauthenticated remote, which implies true perimeter risk rather than post-compromise abuse.
GINA v2 is the main downward adjustment: this prerequisite implies a narrower exposed population because the vulnerable UI is newer and requires explicit activation, so the reachable estate is meaningfully smaller than 'all SEPPmail'.
Blast radius is serious even without instant root: attacker code runs on a mail gateway, a trusted choke point with visibility into message flow and adjacency to internal systems, so a nobody foothold is still operationally dangerous.
Low exploitation pressure trims the score a bit: EPSS is low, there is no KEV entry, and I found no confirmed live campaigns, which argues against maximum emergency treatment for every org regardless of exposure.

Why not higher?

I am not calling this CRITICAL because the attack chain has a real gating condition: GINA v2 must be enabled and reachable. That prerequisite narrows the exploitable population, and the available research suggests execution lands in a restricted web-process context rather than guaranteed full appliance takeover from this CVE alone.

Why not lower?

I am not dropping this to MEDIUM because the attacker does not need credentials, user interaction, or prior foothold. If your gateway exposes the vulnerable GINA v2 path, this is one HTTP request away from code execution on a security-sensitive perimeter system.

05 · Compensating Control

What to do — in priority order.

Disable GINA v2 where unused — If the business does not actively need the new GINA v2 interface, turn it off and remove the vulnerable attack surface entirely. For a HIGH verdict, deploy this compensating control within 30 days, and faster for any internet-exposed gateway.
Restrict web access to /api.app — Put the GINA/API surface behind VPN, IP allowlists, reverse-proxy ACLs, or equivalent edge controls so random internet sources cannot reach it. This is the single best exposure reducer short of patching, and for HIGH should be in place within 30 days.
Enable IPS or WAF signatures — Apply available HTTP-layer protections that can detect or block exploit attempts against SEPPmail RCE patterns; Check Point published coverage on 2026-05-20. Treat this as a short-term shield, not a substitute for upgrading, and deploy within 30 days.
Increase gateway monitoring — Turn on or forward SEPPmail web logs, proxy logs, and network telemetry so POSTs to /api.app/template, suspicious multipart requests, shelling behavior, and new outbound connections from the appliance are visible. For HIGH, get this visibility uplift done within 30 days.
Segment the appliance hard — Constrain the gateway's east-west reach and outbound internet access so a web-process foothold cannot pivot freely or beacon out. This reduces post-exploitation blast radius and should be tightened within 30 days where practical.

What doesn't work

MFA on the admin GUI does not help because this exploit is against an unauthenticated API endpoint, not an admin login flow.
SMTP-layer controls like spam filtering or sender checks do not block this path because exploitation happens over the web interface, not via normal mail delivery.
Relying on low EPSS alone is a mistake; EPSS measures probability pressure, not the business impact of exposing pre-auth RCE on a mail gateway.

06 · Verification

Crowdsourced verification payload.

Run this on the target SEPPmail appliance over SSH if you can read local files, or from an auditor workstation if you already know the version shown in Home -> Firmware version. Invoke it as bash check_cve_2026_44128.sh 15.0.2.0 or just bash check_cve_2026_44128.sh on-box; local auto-detection uses read-only file access and does not require root if the version files are world-readable.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_cve_2026_44128.sh
# Determine whether a SEPPmail Secure Email Gateway version is vulnerable to CVE-2026-44128.
# Vulnerable: versions earlier than 15.0.2.1
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

TARGET_FIXED="15.0.2.1"
INPUT_VERSION="${1:-}"
DETECTED_VERSION=""

trim() {
  local s="$1"
  s="${s#${s%%[![:space:]]*}}"
  s="${s%${s##*[![:space:]]}}"
  printf '%s' "$s"
}

extract_version() {
  # Pull the first thing that looks like N.N.N or N.N.N.N
  printf '%s' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+(\.[0-9]+)?' | head -n1 || true
}

version_lt() {
  # returns 0 if $1 < $2
  local a="$1" b="$2"
  local first
  first=$(printf '%s\n%s\n' "$a" "$b" | sort -V | head -n1)
  [[ "$a" != "$b" && "$first" == "$a" ]]
}

try_detect_local() {
  local candidates=(
    "/etc/version"
    "/etc/seppmail-version"
    "/usr/local/etc/version"
    "/usr/local/seppmail/version"
    "/etc/motd"
  )
  local f raw ver

  for f in "${candidates[@]}"; do
    if [[ -r "$f" ]]; then
      raw=$(head -n 5 "$f" 2>/dev/null || true)
      ver=$(extract_version "$raw")
      if [[ -n "$ver" ]]; then
        printf '%s' "$ver"
        return 0
      fi
    fi
  done

  if command -v uname >/dev/null 2>&1; then
    raw=$(uname -a 2>/dev/null || true)
    ver=$(extract_version "$raw")
    if [[ -n "$ver" ]]; then
      printf '%s' "$ver"
      return 0
    fi
  fi

  return 1
}

if [[ -n "$INPUT_VERSION" ]]; then
  DETECTED_VERSION=$(extract_version "$INPUT_VERSION")
else
  DETECTED_VERSION=$(try_detect_local || true)
fi

DETECTED_VERSION=$(trim "$DETECTED_VERSION")

if [[ -z "$DETECTED_VERSION" ]]; then
  echo "UNKNOWN"
  exit 2
fi

if version_lt "$DETECTED_VERSION" "$TARGET_FIXED"; then
  echo "VULNERABLE"
  exit 1
fi

echo "PATCHED"
exit 0

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, identify every SEPPmail gateway that has GINA v2 enabled and internet exposure, because that is the real exploitable subset. For this HIGH rating, the noisgate mitigation SLA is ≤30 days: disable GINA v2 if unused, or restrict /api.app behind VPN/IP ACLs and deploy edge detection within that window; the noisgate remediation SLA is ≤180 days to move all affected systems to 15.0.2.1 or later, though any externally exposed GINA v2 instance deserves acceleration ahead of the formal deadline.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.