SEPPmail has published a software update to fix multiple vulnerabilities. Affected versions: all versions before 15.0.3.
Please update your SEPPmail VM or Appliance to the latest OS version (currently 15.0.3) immediately. This critical update is necessary to mitigate known vulnerabilities. Source: https://seppmail.statuspal.eu/info_notices/225588
- Critical: Path Traversal (found by Infoguard) CVE-2026-2743
- High: S/MIME Signature Additional Certificate CVE-2026-29140
- High: Bounded Subject Tag Sanitization CVE-2026-29141
- High: Plaintext secure-mail.html CVE-2026-29142
- High: S/MIME Decryption Impersonation CVE-2026-29143
- High: Unicode Subject Tags CVE-2026-29144
- High: GINA State Confusion Account Takeover CVE-2026-29139
- Medium: PGP Decryption Recipient LDAP Injection CVE-2026-29131
- Low: ESWmail-Verify Bypass CVE-2026-29132
- Low: UID Regex Bypass CVE-2026-29133
- Low: GINA Domain Switch CVE-2026-29134
- Low: Webmail Password Tag Sanitization Bypass CVE-2026-29135
- Low: CA Notification HTML Injection CVE-2026-29136
- Low: Long Subject Untagging CVE-2026-29137
- Low: PGP Decryption Sender LDAP Injection CVE-2026-29138
- SEPPmail also updated OpenBSD 7.7 to errata 23 and fixed a list of smaller issues.
Indicators of Compromise (IoCs) are available for some of the vulnerabilities. To check your system, our support team will need to establish a secure support connection and run a diagnostic script.
SEPPmail release notes: https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html
