CVE-2026-29143
Published: 02 April 2026
Summary
CVE-2026-29143 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Seppmail Secure Email Gateway. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of information inputs such as S/MIME-encrypted MIME entities to prevent attackers from controlling trusted headers due to improper input validation.
Ensures timely identification, reporting, and remediation of flaws like CVE-2026-29143 through patching to version 15.0.3 or later.
Mandates cryptographic mechanisms to protect against unauthorized modification or manipulation of S/MIME-encrypted content, addressing the failure to authenticate inner messages.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables remote unauthenticated exploitation of a public-facing email gateway application (SEPPmail Secure Email Gateway) via crafted S/MIME-encrypted emails, directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
SEPPmail Secure Email Gateway before version 15.0.3 does not properly authenticate the inner message of S/MIME-encrypted MIME entities, allowing an attacker to control trusted headers.
Deeper analysisAI
CVE-2026-29143 is a critical vulnerability in SEPPmail Secure Email Gateway versions prior to 15.0.3, published on 2026-04-02. It arises from improper authentication of the inner message within S/MIME-encrypted MIME entities (CWE-20: Improper Input Validation), which allows an attacker to control trusted headers. The issue carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), reflecting network accessibility, low attack complexity, no required privileges or user interaction, and high impacts on confidentiality and integrity with no availability disruption.
A remote, unauthenticated attacker can exploit this vulnerability over the network by crafting malicious S/MIME-encrypted emails. With low complexity and no need for user interaction, exploitation enables control over trusted headers in processed emails, potentially allowing spoofing of sender information, manipulation of email metadata, or bypass of gateway security checks that rely on those headers.
The SEPPmail extended release notes for version 15.0 detail the vulnerability disclosure and confirm that it is fixed in version 15.0.3. Security practitioners should prioritize upgrading affected SEPPmail Secure Email Gateway installations to 15.0.3 or later to mitigate this issue.
Details
- CWE(s)