Description
SEPPmail Secure Email Gateway before version 15.0.4 insecurely deserializes untrusted data, which can be reached from the new GINA UI and may allow unauthenticated remote attackers to execute code via a crafted serialized object.
Published: 2026-05-08
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insecure deserialization of untrusted data in SEPPmail Secure Email Gateway. An attacker with network access can supply a crafted serialized object through the GINA UI, causing the application to execute arbitrary code on the gateway server. This satisfies the conditions of CWE-502, enabling an unauthenticated user to gain full control of the affected system.

Affected Systems

Affected systems are installations of SEPPmail Secure Email Gateway earlier than version 15.0.4. The issue was fixed in the 15.0.4 release, so all earlier versions remain vulnerable. Enterprises using the Secure Email Gateway should verify their current version and upgrade if necessary.

Risk and Exploitability

The CVSS score of 9.2 classifies the flaw as critical, and although no EPSS value is available, the lack of KEV listing does not diminish the risk. The vulnerable deserialization is reachable through the GINA UI, which is typically accessible over the network, suggesting that remote attackers can exploit the flaw without authentication. Given the severity and the absence of any mitigation in the product, patching is imperative.

Generated by OpenCVE AI on May 8, 2026 at 18:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SEPPmail Secure Email Gateway to version 15.0.4 or later.
  • Restrict GINA UI access to trusted network segments or disable it entirely if not required.
  • Configure a web application firewall or intrusion prevention system to detect and block malicious serialized payloads.

Advisories

No advisories yet.

History

Fri, 08 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 08 May 2026 14:00:00 +0000

Type | Values Removed | Values Added
Description | | SEPPmail Secure Email Gateway before version 15.0.4 insecurely deserializes untrusted data, which can be reached from the new GINA UI and may allow unauthenticated remote attackers to execute code via a crafted serialized object.
Title | | Insecure deserialization
Weaknesses | | CWE-502
References | |
Metrics | | cvssV4_0 {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published:

Updated: 2026-05-08T14:15:58.887Z

Reserved: 2026-05-05T12:56:43.131Z

Link: CVE-2026-44126

Vulnrichment

Updated: 2026-05-08T14:15:55.652Z

NVD

Status: Deferred

Published: 2026-05-08T14:16:45.560

Modified: 2026-05-08T15:51:08.590

Link: CVE-2026-44126

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T18:45:14Z
