UPDATE: SEPPmail Secure E-Mail Gateway — InfoGuard Labs full technical write-up; new CVE-2026-2743 (CVSS 10.0 pre-auth path traversal in LFT)
From CTI Daily Brief — 2026-05-20 · published 2026-05-20
UPDATE (originally covered in the 2026-05-09 deep dive on the CVE-2026-44128 cluster): InfoGuard Labs, the Baar-based Swiss security firm that performed the original SEPPmail review, published its full technical write-up on 2026-05-18. The principal new finding is CVE-2026-2743 (CVSS 10.0): a pre-authenticated path traversal in SEPPmail's Large File Transfer (LFT) component (the /v1/file.app endpoint, handle_request function) that passes a JSON-supplied filename through WebMailMessage::store_attachments without sanitisation. The attacker writes arbitrary files as the nobody user; because nobody has unusual write access to /etc/syslog.conf, an attacker can overwrite it with a piped Perl reverse-shell one-liner and trigger a newsyslog rotation (a 15-minute cron job sending SIGHUP to syslogd) to obtain unauthenticated RCE.

CVE-2026-2743 only affects instances with the LFT license enabled, and exposure is detectable: /v1/file.app returns 404 if LFT is not provisioned. InfoGuard's Censys-driven scan suggests the majority of customer instances do have LFT enabled. The 2026-05-09 deep dive covered CVE-2026-44128 / 44125 / 44126 / 44127 / 44129 / 7864, all patched in v15.0.4. CVE-2026-2743 is also addressed by v15.0.4, but defenders who delayed the v15.0.4 update on the assumption that an LFT-disabled posture limited their exposure should re-evaluate: any host running an earlier build is now a pre-auth RCE candidate independent of the GINA V2 path. InfoGuard notes: "The chain allows for a complete takeover of the SEPPmail appliance. Attackers can read all mail traffic and persist indefinitely on the gateway. On these virtual appliances the Blue Teams have usually no visibility."

Apply v15.0.4 to all Swiss / DACH SEPPmail appliances immediately if any remain on an earlier build; monitor /v1/file.app POST requests with ../ sequences in the JSON body; alert on unexpected Perl process trees spawned by syslogd.
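The two detection recommendations above (traversal sequences in POST bodies to /v1/file.app, and Perl processes descending from syslogd), as an added example that is not InfoGuard's or SEPPmail's code. The log field names and sample events are constructed assumptions, since the appliance's real log format is not given here; the traversal check also catches percent-encoded and backslash variants, which goes beyond the literal ../ the brief names.

```python
import json
import re
from urllib.parse import unquote
# Constructed sample events, not real SEPPmail logs; field names are assumptions.
HTTP_EVENTS = [
    {"method": "POST", "path": "/v1/file.app", "body": '{"filename": "report.pdf"}'},
    {"method": "POST", "path": "/v1/file.app", "body": '{"filename": "../../../etc/syslog.conf"}'},
    {"method": "POST", "path": "/v1/file.app", "body": '{"filename": "..%2F..%2Fetc%2Fsyslog.conf"}'},
]
PROC_EVENTS = [  # pid, parent pid, command; syslogd -> sh -> perl is the suspect chain
    {"pid": 101, "ppid": 1, "comm": "syslogd"},
    {"pid": 202, "ppid": 101, "comm": "sh"},
    {"pid": 203, "ppid": 202, "comm": "perl"},
    {"pid": 300, "ppid": 1, "comm": "cron"},
    {"pid": 301, "ppid": 300, "comm": "perl"},
]
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")  # a ".." segment bounded by slash or string edge

def has_traversal(obj):
    """Recursively check every string in a parsed JSON body for a '..' path segment."""
    if isinstance(obj, str):  # decode twice to catch single and double percent-encoding
        return bool(TRAVERSAL.search(unquote(unquote(obj))))
    if isinstance(obj, (dict, list)):
        return any(has_traversal(v) for v in (obj.values() if isinstance(obj, dict) else obj))
    return False

def flag_lft_requests(events):
    """Return bodies of POST /v1/file.app requests carrying a traversal sequence."""
    hits = []
    for ev in events:
        if ev["method"] != "POST" or ev["path"] != "/v1/file.app":
            continue
        try:
            body = json.loads(ev["body"])
        except json.JSONDecodeError:
            body = ev["body"]  # unparseable body: scan the raw text instead
        if has_traversal(body):
            hits.append(ev["body"])
    return hits

def perl_under_syslogd(events):
    """Return pids of perl processes with syslogd anywhere in their ancestry."""
    parent = {e["pid"]: e["ppid"] for e in events}
    comm = {e["pid"]: e["comm"] for e in events}
    def ancestors(pid):  # yields command names walking up towards the root
        while pid in parent:
            pid = parent[pid]
            yield comm.get(pid)
    return [p for p, c in comm.items() if c == "perl" and "syslogd" in ancestors(p)]
```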