Description
SEPPmail Secure Email Gateway before version 15.0.1 improperly validates S/MIME certificates issued for email addresses containing whitespaces, allowing signature spoofing.
Published: 2026-03-04
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Signature Spoofing
Action: Immediate Patch
AI Analysis

Impact

SEPPmail Secure Email Gateway before version 15.0.1 accepts S/MIME certificates whose subject fields contain whitespace, allowing an attacker to forge email signatures that appear to come from legitimate users. This compromise of message authenticity can enable phishing, man‑in‑the‑middle attacks or social engineering. The flaw arises from improper validation of the certificate subject, a weakness classified as CWE‑295.

Affected Systems

The vulnerability affects SEPPmail Secure Email Gateway installations running any version earlier than 15.0.1. Affected products include SEPPmail Secure Email Gateway as identified by the vendor and the corresponding CPE entries.

Risk and Exploitability

The CVSS 4.0 score of 7.8 rates the flaw as High severity, while the EPSS score of less than 1% indicates a low likelihood of real‑world exploitation. The flaw is not listed in the CISA KEV catalog, so no exploitation in the wild has been recorded there. The likely attack vector is remote, via S/MIME messages sent over the network, and exploitation requires an attacker to supply a certificate with a subject that contains whitespace. With such a certificate, the attacker can impersonate a legitimate user by forging signatures that the gateway will accept as valid.

Generated by OpenCVE AI on April 16, 2026 at 13:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SEPPmail Secure Email Gateway to version 15.0.1 or later.
  • After updating, confirm that the gateway correctly rejects certificates with whitespace in the subject field.
  • Continuously monitor outgoing email headers and signature validation logs for anomalies or spoofed signatures.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Seppmail seppmail
CPEs cpe:2.3:a:seppmail:seppmail:*:*:*:*:*:*:*:*
Vendors & Products Seppmail seppmail
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Wed, 04 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Mar 2026 09:15:00 +0000

Type Values Removed Values Added
Description SEPPmail Secure Email Gateway before version 15.0.1 improperly validates S/MIME certificates issued for email addresses containing whitespaces, allowing signature spoofing.
Title S/MIME Certificate Subject Whitespace
First Time appeared Seppmail
Seppmail seppmail Secure Email Gateway
Weaknesses CWE-295
CPEs cpe:2.3:a:seppmail:seppmail_secure_email_gateway:*:*:*:*:*:*:*:*
Vendors & Products Seppmail
Seppmail seppmail Secure Email Gateway
References
Metrics cvssV4_0

{'score': 7.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published:

Updated: 2026-03-04T16:55:03.279Z

Reserved: 2026-02-19T13:56:33.534Z

Link: CVE-2026-2748

Vulnrichment

Updated: 2026-03-04T16:54:59.084Z

NVD

Status: Analyzed

Published: 2026-03-04T09:15:58.290

Modified: 2026-03-05T15:14:26.420

Link: CVE-2026-2748

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:45:21Z

Weaknesses