SEPPmail Secure Email Gateway versions below 15.0.3 contain a flaw that allows an attacker to upload PGP keys whose user identifiers do not match the associated email addresses. Because the UID validation is bypassed, an attacker may create a key that appears to belong to a legitimate user without possessing the user’s real key. This weakness can undermine message authenticity and enable impersonation in encrypted email exchanges. The defect is classified as CWE‑20, an input validation error.

All installations of SEPPmail Secure Email Gateway running a version earlier than 15.0.3 are affected. The product is offered under the SEPPmail brand and the vulnerability applies to the Secure Email Gateway component. No additional vendor or product variants are specified in the advisory.

The vulnerability receives a CVSS base score of 5.3, indicating moderate severity. No EPSS score is available and it is not listed in the CISA KEV catalog. The exploit requires that the attacker be able to upload PGP keys, which likely means possessing authenticated access to the gateway’s administrative interface or a compromised user account. Based on the description, it is inferred that the attacker must have the capability to upload PGP keys. While no public exploit has been reported, the potential for key impersonation justifies prompt remediation.