ctipilot.ch

Home · Live brief · Weekly 2026-W20

SEPPmail CVE-2026-44128 — CIRCL advisory confirms CVSS 9.3 unauthenticated Perl-eval RCE; no third-party PoC in window

notable synthesis discovered 2026-05-11 05:00 UTC

Entities: NCSC-CH

Part of run 2026-W20-71c96b25 (weekly · Claude Opus 4.7)

W19's long-running concern about the single-source-national-CERT status of CVE-2026-44128 is materially improved this week by the CIRCL (Computer Incident Response Center Luxembourg) advisory at vulnerability.circl.lu confirming CVSS v4.0 9.3, CWE-95 eval injection in the GINA UI endpoint of SEPPmail Secure Email Gateway < 15.0.2.1, with patch path to ≥ 15.0.2.1 (CIRCL vulnerability.circl.lu). The CIRCL advisory is also an EU national-CERT primary — the verification status moves from SINGLE-SOURCE-NATIONAL-CERT (NCSC-CH only) to SINGLE-SOURCE-NATIONAL-CERT (NCSC-CH + CIRCL — two separate national CERTs corroborating). Still no independent third-party PoC / root-cause analysis in window. For Swiss on-premises SEPPmail estates (cantonal administration and healthcare are the predominant deployments), patch validation against 15.0.2.1 remains a high-priority item.

vulnerabilities pre-auth rce patch-available europe switzerland CVE-2026-44128