CVE-2026-44128 et al. — SEPPmail Secure Email Gateway: six-CVE cluster on the Swiss public sector's dominant email-encryption appliance
From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11
If you did nothing this week: any unpatched SEPPmail instance still operating its GINAv2 portal on internet-accessible TCP/443 is exposing the /gina/diag/exec test/diagnostic endpoint — left active in the v15.0.x release cycle by the vendor — which accepts unvalidated shell command arguments and invokes Runtime.exec() as the Tomcat application user. A single HTTP request https://<gina-hostname>/gina/diag/exec?cmd=id confirms execution context; the same primitive reads /var/seppmail/conf/gina.properties (LDAP bind, SMTP credentials, S/MIME key-store symmetric key) and writes a web shell under webapps/. No authentication, no rate-limiting, no network boundary enforced (NCSC-CH Security Hub post 12551, 2026-05-08 · SEPPmail release notes v15.0 · daily 2026-05-09 deep dive).
SEPPmail AG (Steinach SG) is the dominant cryptographic email-processing gateway in the Swiss public sector — cantonal administrations, Swiss federal bodies (EJPD/DFJP, SECO, cantonal courts), university hospitals, and a substantial share of private healthcare and finance route sensitive email through SEPPmail infrastructure. The GINAv2 portal is by design internet-accessible to external recipients (who click a secure-email notification link, authenticate or self-register, and retrieve encrypted content). The vulnerability cluster covers six CVEs:

- CVE-2026-44128 (CVSS 9.3): unauthenticated RCE via test endpoints (T1190).
- CVE-2026-44125 (CVSS 9.3): missing authentication on /gina/api/v1/admin/, allowing full configuration export including SMTP credentials, the LDAP bind password, and the AES key protecting stored S/MIME keys (T1078.001, T1552.001).
- CVE-2026-44126 (CVSS 9.2): insecure session deserialisation reachable unauthenticated via a GINA_SESSION=../../uploads/... path-traversal cookie value, which combines with the unauthenticated /gina/upload/certificate upload to stage a Java gadget chain (T1190).
- CVE-2026-44127 (CVSS 8.8): LFI and arbitrary file deletion in the appliance management interface (T1083, T1070.002).
- CVE-2026-44129 (CVSS 8.3): Freemarker SSTI via notification-email customisation (T1059.007).
- CVE-2026-7864 (CVSS 6.9): information disclosure.

No in-the-wild exploitation confirmed as of week-end; all three CRITICAL paths are pre-authentication.
Patch path: SEPPmail 15.0.4 (patch 15.0.4.1) via the standard SEPPmail update channel; if patching is delayed, block source IPs outside the designated admin CIDR from the /gina/diag/ and /gina/api/v1/admin/ paths at the WAF or perimeter. Rotate LDAP bind credentials, SMTP relay credentials, and the S/MIME key-store password after patching regardless of whether exploitation is suspected: CVE-2026-44125 alone yields every credential the appliance stores in cleartext, so the blast radius of any compromise includes all of them. The Swiss Federal Chancellery ICT security baseline (Sicherheitsstandard IKT des Bundes / ISBB) classifies email-gateway compromise as a Level 3 incident requiring escalation to NCSC-CH within 24 hours; BSI IT-Grundschutz module APP.4.4 brings the same gateway into DACH organisations' ISMS scope.
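As an added detection example (not code from NCSC-CH, SEPPmail or this brief), the following Python scans constructed web-access log lines for the two pre-auth exposures described above: hits on /gina/diag/ or /gina/api/v1/admin/ from outside the designated admin CIDR, and GINA_SESSION cookie values carrying path traversal. It assumes a log format that appends the request Cookie header as the last quoted field and an admin range of 10.20.0.0/24; both are assumptions to adapt to your own deployment.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumed designated admin range; replace with your own admin CIDR(s).
ADMIN_CIDRS = [ipaddress.ip_network("10.20.0.0/24")]
# Path prefixes from the advisory that must never be reachable from outside the admin range.
SENSITIVE_PREFIXES = ("/gina/diag/", "/gina/api/v1/admin/")

# Assumed log format: combined log plus the request Cookie header as a final quoted field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Constructed sample traffic (not real logs); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [09/May/2026:10:01:02 +0200] "GET /gina/diag/exec?cmd=id HTTP/1.1" 200 61 "-" "curl/8.5.0" "-"
10.20.0.5 - - [09/May/2026:10:02:11 +0200] "GET /gina/api/v1/admin/config/export HTTP/1.1" 200 8123 "-" "Mozilla/5.0" "-"
198.51.100.9 - - [09/May/2026:10:03:40 +0200] "GET /gina/api/v1/admin/config/export HTTP/1.1" 200 8123 "-" "python-requests/2.31" "-"
198.51.100.9 - - [09/May/2026:10:04:05 +0200] "GET /gina/inbox HTTP/1.1" 200 4521 "-" "Mozilla/5.0" "GINA_SESSION=..%2F..%2Fuploads%2Fcert.bin"
192.0.2.44 - - [09/May/2026:10:05:00 +0200] "GET /gina/inbox HTTP/1.1" 200 4521 "-" "Mozilla/5.0" "GINA_SESSION=a1b2c3d4"
"""

def is_admin_source(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in ADMIN_CIDRS)

def session_cookie_traverses(cookie_field):
    """True if GINA_SESSION carries a path-traversal value (checked after URL decoding)."""
    for part in cookie_field.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "GINA_SESSION" and "../" in unquote(value):
            return True
    return False

def scan_log(text):
    """Return (client_ip, path, reason) for every line that trips an exposure rule."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        path = m["target"].split("?", 1)[0]
        ip = m["ip"]
        if path.startswith(SENSITIVE_PREFIXES) and not is_admin_source(ip):
            findings.append((ip, path, "sensitive endpoint from non-admin source"))
        if session_cookie_traverses(m["cookie"]):
            findings.append((ip, path, "GINA_SESSION path traversal"))
    return findings

if __name__ == "__main__":
    for ip, path, reason in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} {path}: {reason}")
```

Any hit on the sensitive prefixes from a non-admin source before the patch was applied should be treated as a trigger for the credential rotation described above, not merely as a blocked probe.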