ctipilot.ch

SEPPmail Secure Email Gateway — unauthenticated RCE via exposed GINAv2 test endpoints (CVSS 9.3)

cve · CVE-2026-44128

Coverage timeline: 6 briefs, first 2026-05-09 → last 2026-05-20
Briefs: 6 (6 distinct)
Sources cited: 12 (7 hosts)
Sections touched: 0
Co-occurring entities: 8

Story timeline

  1. 2026-05-20: CTI Daily Brief — 2026-05-20
  2. 2026-05-14: CTI Daily Brief — 2026-05-14
  3. 2026-05-12: CTI Daily Brief — 2026-05-12
  4. 2026-05-09: CTI Daily Brief — 2026-05-09
  5. 2026-W20: CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026)
  6. 2026-W19: CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026)

Source distribution

  • attack.mitre.org: 6 (50%)
  • downloads.seppmail.com: 1 (8%)
  • security-hub.ncsc.admin.ch: 1 (8%)
  • vulnerability.circl.lu: 1 (8%)
  • cybersecuritynews.com: 1 (8%)
  • labs.infoguard.ch: 1 (8%)
  • thehackernews.com: 1 (8%)

External references

NVD · cve.org · CISA KEV

Items in briefs about SEPPmail Secure Email Gateway — unauthenticated RCE via exposed GINAv2 test endpoints (CVSS 9.3) (3)

SEPPmail CVE-2026-44128 — CIRCL advisory confirms CVSS 9.3 unauthenticated Perl-eval RCE; no third-party PoC in window

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

W19's long-running concern about the single-source-national-CERT status of CVE-2026-44128 is materially improved this week by the CIRCL (Computer Incident Response Center Luxembourg) advisory at vulnerability.circl.lu, which confirms CVSS v4.0 9.3 and CWE-95 (eval injection) in the GINA UI endpoint of SEPPmail Secure Email Gateway < 15.0.2.1, with a patch path to ≥ 15.0.2.1 (CIRCL, vulnerability.circl.lu). Because CIRCL is itself an EU national CERT, the verification status moves from SINGLE-SOURCE-NATIONAL-CERT (NCSC-CH only) to SINGLE-SOURCE-NATIONAL-CERT (NCSC-CH + CIRCL, two separate national CERTs corroborating). There is still no independent third-party PoC or root-cause analysis in the window. For Swiss on-premises SEPPmail estates (cantonal administration and healthcare are the predominant deployments), patch validation against 15.0.2.1 remains a high-priority item.

CVE-2026-44128 et al. — SEPPmail Secure Email Gateway: six-CVE cluster on the Swiss public sector's dominant email-encryption appliance

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

If you did nothing this week: any unpatched SEPPmail instance still operating its GINAv2 portal on internet-accessible TCP/443 is exposing the /gina/diag/exec test/diagnostic endpoint — left active in the v15.0.x release cycle by the vendor — which accepts unvalidated shell command arguments and invokes Runtime.exec() as the Tomcat application user. A single HTTP request https://<gina-hostname>/gina/diag/exec?cmd=id confirms execution context; the same primitive reads /var/seppmail/conf/gina.properties (LDAP bind, SMTP credentials, S/MIME key-store symmetric key) and writes a web shell under webapps/. No authentication, no rate-limiting, no network boundary enforced (NCSC-CH Security Hub post 12551, 2026-05-08 · SEPPmail release notes v15.0 · daily 2026-05-09 deep dive).

SEPPmail AG (Steinach SG) is the dominant cryptographic email-processing gateway in the Swiss public sector: cantonal administrations, Swiss federal bodies (EJPD/DFJP, SECO, cantonal courts), university hospitals, and a substantial share of private healthcare and finance route sensitive email through SEPPmail infrastructure. The GINAv2 portal is by design internet-accessible to external recipients (who click a secure-email notification link, authenticate or self-register, and retrieve encrypted content). The vulnerability cluster covers six CVEs:

  • CVE-2026-44128 (CVSS 9.3): unauthenticated RCE via test endpoints (T1190)
  • CVE-2026-44125 (CVSS 9.3): missing authentication on /gina/api/v1/admin/, allowing full configuration export including SMTP credentials, the LDAP bind password, and the AES key protecting stored S/MIME keys (T1078.001, T1552.001)
  • CVE-2026-44126 (CVSS 9.2): insecure session deserialisation reachable unauthenticated via a GINA_SESSION=../../uploads/... path-traversal cookie value, which combines with the unauthenticated /gina/upload/certificate upload to stage a Java gadget chain (T1190)
  • CVE-2026-44127 (CVSS 8.8): LFI and arbitrary file deletion in the appliance management interface (T1083, T1070.002)
  • CVE-2026-44129 (CVSS 8.3): Freemarker SSTI via notification-email customisation (T1059.007)
  • CVE-2026-7864 (CVSS 6.9): information disclosure

No in-the-wild exploitation confirmed as of week-end; all three CRITICAL paths are pre-authentication.

Patch path: SEPPmail 15.0.4 (patch 15.0.4.1) via the standard SEPPmail update channel; if patching is delayed, block source IPs outside the designated admin CIDR from the /gina/diag/ and /gina/api/v1/admin/ paths at the WAF or perimeter. Rotate LDAP bind credentials, SMTP relay credentials, and the S/MIME key-store password after patching regardless of whether exploitation is suspected: via CVE-2026-44125 alone, an attacker reads every credential the appliance stores in cleartext, so that is the compromise blast radius. The Swiss Federal Chancellery ICT security baseline (Sicherheitsstandard IKT des Bundes / ISBB) classifies email-gateway compromise as a Level 3 incident requiring escalation to NCSC-CH within 24 hours; BSI IT-Grundschutz module APP.4.4 brings the same gateway into DACH organisations' ISMS scope.
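Detection logic for the exposure and the interim mitigation described in this item, added here as an example; it is not code from the brief, from NCSC-CH or from SEPPmail. It scans access-log lines for the three unauthenticated indicators the item names: requests to /gina/diag/ or /gina/api/v1/admin/ from outside the admin CIDR, the decoded cmd parameter sent to /gina/diag/exec, and a GINA_SESSION cookie carrying a path-traversal value. The log lines, the IP addresses and the admin range 10.20.0.0/24 are constructed placeholders, and the log format (combined format with the Cookie request header appended as a final quoted field) is an assumption about the appliance's logging, not something the advisory states.

```python
"""Access-log triage for the SEPPmail GINAv2 exposure described above.

Constructed example: the sample lines below are made up for illustration and
the admin CIDR is an assumption; neither comes from NCSC-CH, SEPPmail or the brief.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: 10.20.0.0/24 stands in for the site's designated admin CIDR.
ADMIN_CIDRS = [ipaddress.ip_network("10.20.0.0/24")]

# Path prefixes the brief recommends restricting to the admin CIDR at the perimeter.
SENSITIVE_PREFIXES = ("/gina/diag/", "/gina/api/v1/admin/")
DIAG_EXEC_PATH = "/gina/diag/exec"

# Combined log format with the Cookie request header appended as a final quoted field
# (assumption about the appliance's logging; adjust the regex to your own LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"(?: "(?P<cookie>[^"]*)")?'
)

# Constructed sample traffic (not real log data).
SAMPLE_LOG = """\
203.0.113.45 - - [09/May/2026:10:14:02 +0200] "GET /gina/diag/exec?cmd=id HTTP/1.1" 200 41 "-" "curl/8.5.0" "-"
203.0.113.45 - - [09/May/2026:10:14:09 +0200] "GET /gina/diag/exec?cmd=cat%20/var/seppmail/conf/gina.properties HTTP/1.1" 200 2210 "-" "curl/8.5.0" "-"
10.20.0.7 - - [09/May/2026:10:15:00 +0200] "GET /gina/api/v1/admin/config HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "GINA_SESSION=7f3a9c"
198.51.100.9 - - [09/May/2026:10:16:31 +0200] "POST /gina/upload/certificate HTTP/1.1" 200 12 "-" "python-requests/2.32" "GINA_SESSION=../../uploads/cert.ser"
198.51.100.9 - - [09/May/2026:10:16:40 +0200] "GET /gina/api/v1/admin/export HTTP/1.1" 200 8820 "-" "python-requests/2.32" "-"
192.0.2.77 - - [09/May/2026:10:17:05 +0200] "GET /gina/portal/message/12345 HTTP/1.1" 200 3310 "-" "Mozilla/5.0" "GINA_SESSION=ab12cd"
"""


def parse_cookies(header):
    """Split 'a=1; b=2' into a dict; '-' or None means no Cookie header was logged."""
    cookies = {}
    if not header or header == "-":
        return cookies
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def parse_line(line):
    """Return a dict of log fields, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query)  # percent-decoding happens here
    entry["cookies"] = parse_cookies(entry.get("cookie"))
    return entry


def is_admin_source(ip):
    """True only for addresses inside the designated admin range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostnames or garbage never count as the admin range
        return False
    return any(addr in net for net in ADMIN_CIDRS)


def analyse(entry):
    """Apply the three detections to one parsed entry and return its findings."""
    findings = []
    ip, path = entry["ip"], entry["path"]
    if path.startswith(SENSITIVE_PREFIXES) and not is_admin_source(ip):
        findings.append({"ip": ip, "rule": "untrusted-sensitive-path", "detail": path})
    if path == DIAG_EXEC_PATH:
        # CVE-2026-44128: whatever arrived in ?cmd= is the command the appliance ran.
        cmd = entry["query"].get("cmd", [""])[0]
        findings.append({"ip": ip, "rule": "diag-exec-command", "detail": cmd})
    session = entry["cookies"].get("GINA_SESSION", "")
    if ".." in session or "/" in session:
        # CVE-2026-44126: a path-traversal session identifier pointing at a staged payload.
        findings.append({"ip": ip, "rule": "session-cookie-traversal", "detail": session})
    return findings


def scan(log_text):
    """Run analyse() over every parseable line and flatten the findings."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            findings.extend(analyse(entry))
    return findings


def sources_to_block(findings):
    """Source IPs with at least one finding: candidates for the interim perimeter block."""
    return {f["ip"] for f in findings}


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']:<15} {f['rule']:<26} {f['detail']}")
    print("block:", sorted(sources_to_block(scan(SAMPLE_LOG))))
```

Replace SAMPLE_LOG with the appliance's real access log to use it. The sources_to_block() set is the candidate list for the WAF or perimeter rule, and the diag-exec-command findings show what was actually executed, which is what decides whether the credential rotation above is a precaution or an incident response.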

CVE-2026-44128 et al. — SEPPmail Secure Email Gateway: CVSS 9.3 unauthenticated RCE and five additional CVEs [SINGLE-SOURCE-NATIONAL-CERT carve-out + vendor]

From CTI Daily Brief — 2026-05-09 · published 2026-05-09

NCSC-CH published advisory post 12551 on 2026-05-08 covering six CVEs in SEPPmail Secure Email Gateway patched in version 15.0.4 (patch 15.0.4.1). SEPPmail is a Swiss company (Steinach SG) whose gateway handles S/MIME, PGP, and TLS email encryption for Swiss federal agencies, cantonal administrations, healthcare providers, and DACH-region enterprises. See § 6 for the full technical breakdown. Vulnerability summary: CVE-2026-44128 (CVSS 9.3 CRITICAL) — unauthenticated RCE via test/development HTTP endpoints left active in the GINAv2 component; CVE-2026-44125 (CVSS 9.3 CRITICAL) — missing authorisation in GINAv2 enabling unauthenticated administrative access and file manipulation; CVE-2026-44126 (CVSS 9.2 CRITICAL) — insecure deserialisation enabling full gateway takeover; CVE-2026-44127 (CVSS 8.8 HIGH) — local file inclusion and arbitrary file deletion; CVE-2026-44129 (CVSS 8.3 HIGH) — server-side template injection; CVE-2026-7864 (CVSS 6.9 MEDIUM). No exploitation has been confirmed; all critical paths are pre-authentication (NCSC-CH advisory 12551, 2026-05-08 · SEPPmail release notes v15.0).