CVE-2026-44125 SEPPmail AG CVE debrief

Who should care

Organizations operating SEPPmail Secure Email Gateway versions prior to 15.0.4, particularly those with externally accessible administrative interfaces. Security teams responsible for email gateway infrastructure and identity/access management controls should prioritize this patch.

Technical summary

The vulnerability exists in the new GINA UI component of SEPPmail Secure Email Gateway. Multiple endpoints within this interface do not properly validate session authentication state before processing requests. This missing authorization check (CWE-862) permits unauthenticated remote attackers to invoke functionality that should be restricted to authenticated administrative sessions. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H) reflects network exploitability with no required privileges or user interaction, and high impacts across confidentiality, integrity, and availability dimensions.

Defensive priority

critical

Recommended defensive actions

• Upgrade SEPPmail Secure Email Gateway to version 15.0.4 or later
• Review access logs for unauthorized access to GINA UI endpoints prior to patching
• Implement network segmentation to restrict access to SEPPmail administrative interfaces
• Monitor for anomalous activity on SEPPmail systems until patching is complete

Evidence notes

Vulnerability description and affected product version derived from official CVE record and vendor release notes. CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, and high impact to confidentiality, integrity, and availability. CWE-862 (Missing Authorization) identified as the weakness type.

Official resources