Impact
SEPPmail Secure Email Gateway fails to validate the inner message of S/MIME‑encrypted MIME entities, allowing an attacker to set or alter trusted email headers. This can lead to forged message origins and make recipients believe the mail comes from a legitimate sender. The flaw is an instance of improper input validation and is classified as CWE‑20. The vulnerability can compromise data integrity and enable phishing, spoofing, or other social‑engineering attacks.
Affected Systems
All installations of SEPPmail Secure Email Gateway (vendor: SEPPmail) running a version earlier than 15.0.3 are affected. Any instance that processes S/MIME messages is potentially vulnerable, regardless of environment or configuration.
Risk and Exploitability
The CVSS score of 7.8 reflects a high severity, indicating that successful exploitation would expose the system to significant impact on confidentiality and integrity. Although EPSS data is unavailable and the vulnerability is not listed in the KEV catalog, the lack of those metrics does not lower the real‑world risk. Based on the description, the likely attack vector involves the delivery of a crafted S/MIME email to the gateway; an attacker must control or inject messages into the email flow to an affected system. Once the flaw is triggered, the attacker can alter trusted headers to impersonate a sender or bypass authentication checks, making the risk considerable for organizations relying on S/MIME for secure communications.