Description
SEPPmail Secure Email Gateway before version 15.0.3 allows account takeover by abusing GINA account initialization to reset a victim account password.
Published: 2026-04-02
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Account Takeover
Action: Patch
AI Analysis

Impact

SEPPmail Secure Email Gateway versions prior to 15.0.3 contain a flaw that allows an attacker to abuse the GINA account initialization process to reset a victim’s password, thereby gaining control of that account. This vulnerability leads to an account takeover threat that can compromise user confidentiality, integrity, and availability, and is categorized as CWE‑288.

Affected Systems

The affected product is SEPPmail Secure Email Gateway. All installations running a version earlier than 15.0.3 are vulnerable; version 15.0.3 and later are not impacted.

Risk and Exploitability

The CVSS score of 7.8 corresponds to a High severity rating. No EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog, so public exploit evidence is currently lacking. The likely attack path involves an attacker gaining sufficient privileges to trigger the GINA account initialization routine; this may require authenticated or local access, but the exact vector is not fully specified in the advisory. Administrators should treat the issue as high risk and consider it a priority for remediation.

Generated by OpenCVE AI on April 2, 2026 at 10:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑released patch or upgrade to SEPPmail Secure Email Gateway version 15.0.3 or newer.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 02 Apr 2026 09:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | SEPPmail Secure Email Gateway before version 15.0.3 allows account takeover by abusing GINA account initialization to reset a victim account password. |
| Title | | GINA State Confusion Account Takeover |
| First Time appeared | | Seppmail; Seppmail seppmail Secure Email Gateway |
| Weaknesses | | CWE-288 |
| CPEs | | cpe:2.3:a:seppmail:seppmail_secure_email_gateway:*:*:*:*:*:*:*:* |
| Vendors & Products | | Seppmail; Seppmail seppmail Secure Email Gateway |
| References | | |
| Metrics | | cvssV4_0 {'score': 7.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published:

Updated: 2026-04-02T13:31:56.778Z

Reserved: 2026-03-04T09:08:03.278Z

Link: CVE-2026-29139

Vulnrichment

Updated: 2026-04-02T13:31:51.739Z

NVD

Status: Received

Published: 2026-04-02T09:16:22.467

Modified: 2026-04-02T09:16:22.467

Link: CVE-2026-29139

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:21:41Z

Weaknesses