External risk intelligence

SEPPmail Secure Email Gateway allows attackers to take control of your systems remotely.

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-44128

A critical flaw in SEPPmail Secure Email Gateway lets an unauthenticated attacker execute code remotely by sending crafted input that the new GINA UI passes to Perl's eval, potentially exposing sensitive data. Because the GINA UI is internet-facing by design, this demands immediate attention.

Halo Surface Signal: 5

Remote Code Execution

External exposure likelihood

Halo Surface Signal score for CVE-2026-44128

SEPPmail Secure Email Gateway is a perimeter appliance designed to handle external email traffic. The GINA user interface is specifically intended to be reachable by external users for secure email retrieval and communication, making this interface public-facing by design in standard deployments.

PCI scan relevance

PCI Relevance for CVE-2026-44128

Yes

CVE-2026-44128 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows unauthenticated remote code execution. Such flaws can pose a significant risk to systems handling sensitive data and are typically considered relevant for PCI compliance due to their potential impact on the security of cardholder data.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This critical vulnerability in SEPPmail Secure Email Gateway allows unauthenticated remote code execution. An attacker exploits it by sending specially crafted input to the GINA UI, which is evaluated as Perl code without any authentication step. Systems handling sensitive mail could therefore be compromised by an attacker with no prior access.

  • Potential for widespread impact on email security.
  • Affects systems handling external communication.
  • Deserves immediate attention due to severe risk.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by sending specially crafted requests to the new GINA UI. A request parameter is passed to Perl's string eval, so whatever the attacker places in it is compiled and executed as Perl on the gateway, giving remote code execution on the vulnerable server.

  • Target the GINA UI endpoint.
  • Send unauthenticated requests.
  • Supply attacker-controlled input that reaches Perl's string `eval`.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability is in a secure email gateway, a product often exposed to the internet for receiving and sending external email. The flaw in the GINA UI allows unauthenticated remote code execution by passing user input to Perl's eval, a potent code injection vector. Given the product's role and the severity of the vulnerability, it is likely to be targeted.

  • Public exploit code is not yet observed.
  • No KEV listing is present.
  • Vendor notes a patch is available.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Patch first: the vendor fix is available, and this is an unauthenticated remote code execution flaw in an internet-facing component. Where patching cannot happen immediately, contain the exposure of SEPPmail Secure Email Gateway instances and look for signs of prior exploitation, since the GINA UI may already have received crafted requests.

  • Apply the vendor fix (version 15.0.2.1 or later) to every affected instance.
  • If patching is delayed, isolate affected SEPPmail services or restrict access to the GINA UI to trusted sources.
  • Review GINA UI and web server logs for unexpected requests and monitor outbound traffic from the gateway for anomalies that could indicate compromise.

Frequently asked questions

What is SEPPmail Secure Email Gateway and what is it used for?

SEPPmail Secure Email Gateway is a system designed to manage and secure email communications. It acts as a gateway, handling the sending and receiving of external emails for an organization, ensuring security and privacy of messages.

How does CVE-2026-44128 enable remote code execution?

CVE-2026-44128 is a critical vulnerability classified as CWE-95, improper neutralization of directives in dynamically evaluated code (eval injection). Input sent to the new GINA UI is handed to Perl's string eval without sanitization, so an attacker who controls that input controls the Perl code the gateway compiles and runs.
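To make the Attack Path and this answer concrete, the following is an added illustration of the bug class (CWE-95, string eval on untrusted input) beside a hardened form. It is not SEPPmail code and does not reproduce the actual GINA UI handler: the handler names, the `action` value and the payload are assumptions made for the example. The only claim it demonstrates is the mechanism the advisory describes, that a value concatenated into a string passed to Perl's `eval` becomes executable code.

```perl
#!/usr/bin/perl
# Added example of CWE-95 (eval injection). Not SEPPmail's code; all names
# below (dispatch_*, handle_*, the "action" value) are assumptions.
use strict;
use warnings;

# --- Vulnerable pattern: request input is compiled as Perl -------------------
# The request value is concatenated into Perl source and handed to string
# eval. Whatever the client sends runs with the web server's privileges.
sub dispatch_vulnerable {
    my ($action) = @_;
    my $code   = "handle_$action()";   # e.g. handle_download()
    my $result = eval $code;           # string eval: compiles $code as Perl
    return defined $@ && length $@ ? "error: $@" : $result;
}

# --- Hardened pattern: allowlist dispatch, never string eval -----------------
# The input only selects among known handlers; it is never treated as code.
my %HANDLERS = (
    download => \&handle_download,
    status   => \&handle_status,
);

sub dispatch_safe {
    my ($action) = @_;
    # Constrain the value's shape first (defence in depth), then look it up.
    # Unknown actions are rejected rather than evaluated.
    return "error: invalid action"
        unless defined $action && $action =~ /\A[a-z]{1,32}\z/;
    my $handler = $HANDLERS{$action} or return "error: unknown action";
    return $handler->();
}

sub handle_download { return "download ok" }
sub handle_status   { return "status ok" }

# A benign value behaves the same in both versions ...
print(dispatch_vulnerable("download"), "\n");   # download ok
print(dispatch_safe("download"),       "\n");   # download ok

# ... but a crafted value is executed by the vulnerable version. The payload
# completes the intended call, appends an arbitrary statement, and ends with
# a bareword so the trailing "()" still parses. The injected statement here
# only sets a marker; a real attacker would call system() or similar.
our $pwned = 0;
my $payload = 'status(); $main::pwned = 1; handle_status';
print(dispatch_vulnerable($payload), "\n");     # status ok (injected code ran)
print("injected code ran: $pwned\n");           # injected code ran: 1
print(dispatch_safe($payload), "\n");           # error: invalid action
```

The fix is not to escape the input better but to remove the string `eval` entirely: a dispatch table (or an equivalent lookup of a fixed set of operations) makes the attacker's input data, not code. Where a product genuinely needs to evaluate expressions, the same rule applies in reverse: the expression grammar must be parsed and interpreted by the application, not handed to the language runtime.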

What are the conditions needed to trigger the SEPPmail vulnerability?

An attacker does not need any authentication or special privileges to exploit this vulnerability. They only need to be able to send specially crafted requests to the new GINA UI endpoint of the SEPPmail Secure Email Gateway.

Who needs to care about CVE-2026-44128?

Organizations using SEPPmail Secure Email Gateway should be particularly concerned, especially if their instances are internet-facing. Halo's assessment indicates this is 'Very likely' to be an external threat because the product is a perimeter appliance typically exposed to the internet for email handling.

What should I do if I'm running SEPPmail Secure Email Gateway?

The primary step is to update your SEPPmail Secure Email Gateway to version 15.0.2.1 or later, which includes the fix for this vulnerability. If immediate patching isn't possible, isolate the affected SEPPmail services, or at least restrict access to the GINA UI to trusted sources, to contain potential impact until the update is applied.
