Impact
SEPPmail Secure Email Gateway versions prior to 15.0.3 contain an input validation flaw that permits attackers to bypass the system's subject sanitization logic and insert specially crafted subject tags such as [signed OK]. Because the gateway accepts and processes subject headers from inbound email, the forged tags can trick recipients into believing messages are authenticated or have been reviewed, potentially enabling phishing, social engineering, or other deceptive email campaigns. The weakness is a classic input validation error classified as CWE-20 and directly affects email authenticity.
Affected Systems
Affected software is SEPPmail Secure Email Gateway, a secure email filtering and forwarding appliance that processes inbound email traffic. All deployments running a version earlier than 15.0.3 are vulnerable; deployments on 15.0.3 or later have the flaw fixed as noted in the vendor's release notes.
Risk and Exploitability
The CVSS base score of 7.7 indicates a high severity, reflecting the potential for widespread impact on client trust. The EPSS score is not provided, and the issue is not listed in the CISA KEV catalog, suggesting no publicly known exploitation at the time of disclosure. The likely attack vector is remote, via crafted email messages that bypass subject sanitization when sent to the gateway over the network; no special privileges or insider access appear required. Because the flaw permits tampering with email headers that are propagated to end recipients, the risk to confidentiality is low, but the integrity of the email authentication process is compromised, enabling phishing attacks.
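As a compensating check while the upgrade to 15.0.3 is rolled out, a downstream filter can treat any gateway trust marker arriving on inbound mail as forged, since only the gateway itself may add it. The following is an added example written for this page, not SEPPmail's own sanitization code; the tag text "[signed OK]" comes from the advisory, while the decoding and normalization steps are assumptions about how a robust check should be built.

```python
import re
import unicodedata
from email.header import decode_header

# Trust-marker tags that legitimately originate only from the gateway.
# "[signed OK]" is taken from the advisory; extend the tuple for other markers.
TRUST_TAGS = ("signed OK",)


def _tag_pattern(tags):
    """Build one case-insensitive regex matching any bracketed trust tag,
    tolerating extra or missing whitespace inside the brackets."""
    alts = [r"\s*".join(re.escape(word) for word in tag.split()) for tag in tags]
    return re.compile(r"\[\s*(?:" + "|".join(alts) + r")\s*\]", re.IGNORECASE)


_TAG_RE = _tag_pattern(TRUST_TAGS)


def _decode_subject(raw_subject):
    """Decode RFC 2047 encoded-words, drop invisible format characters and
    NFKC-normalize so look-alike glyphs (e.g. full-width brackets) fold to ASCII."""
    parts = []
    for chunk, charset in decode_header(raw_subject):
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", errors="replace")
            except LookupError:  # unknown charset label: fall back to latin-1
                chunk = chunk.decode("latin-1", errors="replace")
        parts.append(chunk)
    text = unicodedata.normalize("NFKC", "".join(parts))
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def sanitize_inbound_subject(raw_subject):
    """Return (clean_subject, forged_tags) for a subject from an untrusted sender.

    Every trust tag found is reported and removed, because inbound mail that
    has not yet passed the gateway cannot legitimately carry one."""
    subject = _decode_subject(raw_subject)
    forged = [m.group(0) for m in _TAG_RE.finditer(subject)]
    clean = re.sub(r"\s{2,}", " ", _TAG_RE.sub("", subject)).strip()
    return clean, forged


if __name__ == "__main__":
    # Constructed sample subjects, not taken from any real incident.
    for raw in ("Invoice 4711", "[signed OK] Invoice 4711",
                "=?UTF-8?B?W3NpZ25lZCBPS10=?= Invoice 4711"):
        print(repr(raw), "->", sanitize_inbound_subject(raw))
```

Messages whose `forged_tags` list is non-empty are candidates for quarantine or for an added warning banner, and the stripped subject can be passed on if delivery is still desired.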
OpenCVE Enrichment