CVE-2026-9592

SEPPmail · SEPPmail Secure Email Gateway & SEPPmail Cloud

SEPPmail Secure Email Gateway improperly uses the GET method for sensitive operations, leading to the potential exposure of session tokens within logs or browser history.

Executive summary

A security flaw in SEPPmail Secure Email Gateway and Cloud allows for the potential exposure of sensitive session tokens through insecure GET request usage.

Vulnerability

The software exhibits a CWE-598 vulnerability where sensitive query strings containing session information are transmitted via GET requests. An unauthenticated attacker positioned on the local network could potentially intercept these tokens to facilitate session hijacking.

Business impact

The exposure of session tokens allows attackers to impersonate legitimate users, potentially leading to unauthorized access to encrypted email communications and internal administrative functions. While the CVSS score is 7.5, the risk is elevated in environments where sensitive email privacy is a primary business requirement.

Remediation

Immediate Action: Upgrade to SEPPmail version 15.0.4.2 or later, which addresses the login redirect behavior to prevent token disclosure.

Proactive Monitoring: Monitor network traffic and server logs for abnormal session handling or unexpected GET requests containing sensitive parameters.

Compensating Controls: Ensure that the gateway is deployed within a secure, isolated management network to restrict the physical or network access required for interception.

Exploitation status

Public Exploit Available: Unknown.

Analyst recommendation

Administrators must prioritize the update to version 15.0.4.2 to ensure session tokens are not inadvertently leaked. Failure to patch this issue could lead to significant breaches of confidentiality within secure communication channels.