CVE-2025-52691
SmarterTools SmarterMail Remote Code Execution via Unauthenticated Arbitrary File Upload | Critical
CVE-2025-52691 is a critical vulnerability in SmarterTools SmarterMail that allows an unauthenticated attacker to upload arbitrary files to arbitrary locations on the mail server, potentially enabling remote code execution. While there hasn’t been reports of active exploitation, the ease of exploit, prevalence of internet-exposed instances, and seriousness and likelihood of full compromise upon an attack make finding and addressing risk highly urgent for organizations leveraging this tool.
SmarterMail builds 9406 and earlier are affected, and SmarterTools released a fix in Build 9413; more recent builds will also include the patch.
Stop Guessing, Start Proving
Technical Details
- The root issue is an unauthenticated arbitrary file upload that allows attackers to write files outside intended upload paths.
- If an attacker can place a server-interpreted file in an executable context, this can result in remote code execution with the privileges of the SmarterMail service.
- Severity is maximum: CVSS 3.1 score 10.0.
NodeZero® Offensive Security Platform — Rapid Response
The SmarterTools SmarterMail Rapid Response test (CVE-2025-52691) released Jan. 12, 2026 enables customers to safely verify whether SmarterMail instances are exploitable to this unauthenticated file upload flaw (and therefore susceptible to full compromise) and to confirm remediation.
- Run the Rapid Response test – run the SmarterTools SmarterMail – CVE-2025-52691 Rapid Response test from the customer portal to identify vulnerable, reachable SmarterMail instances.
- Patch immediately – upgrade SmarterMail to Build 9413 or later. If you can, upgrade to the latest available build per vendor guidance.
- Re-run the Rapid Response test – after upgrading, re-run the Rapid Response test to confirm the vulnerability is no longer exploitable.
If the Rapid Response test confirms exploitability, treat the host as potentially compromised, preserve relevant logs, isolate the system, and engage incident response.
Indicators of Compromise (IOCs) — hunting guidance
| Indicator | Type | Description / detection tips |
| Unusual HTTP(S) requests to SmarterMail web interface | Network / Web | Look for spikes in requests, suspicious multipart/form-data uploads, or anomalous user agents from unknown sources near the time of suspected activity. |
| Unexpected file creation under SmarterMail install paths or web-accessible directories | Host / File | Alert on new or modified files in directories served by the SmarterMail web app and on unexpected writes by the SmarterMail service account. |
| Web process spawning unusual child processes | Host / Behavior | Watch for unexpected child processes from the SmarterMail web worker / service processes (for example shells, scripting engines, or binary execution). |
| New scheduled tasks, services, or persistence artifacts shortly after suspicious web activity | Host / Persistence | Correlate persistence creation with prior anomalous web requests and file write events. |
| Anomalous outbound connections from the mail server | Network | Look for new egress destinations, beaconing patterns, or outbound data transfers following suspicious web activity. |
Affected Versions & Patch
- CVE-2025-52691: SmarterMail Build 9406 and earlier are affected.
- Patch: upgrade to SmarterMail Build 9413 or later. CSA explicitly advises updating to Build 9413.
Recommended actions (summary)
- Inventory & scope – identify all SmarterMail instances, especially internet-exposed deployments.
- Run validation – use the Rapid Response test to confirm whether each instance is exploitable.
- Patch – upgrade to Build 9413 or later, then verify the deployed build across all nodes.
- Reduce exposure until patched – restrict administrative and web access to trusted networks, and consider temporarily limiting external reachability where feasible.
- Hunt for compromise – review web logs, file creation events, process telemetry, and outbound connections around the patch window; patching does not remediate historical compromise.
References
🔗 Censys advisory (Dec 30, 2025)
🔗 CSA Alert AL-2025-124 (Vulnerability in SmarterTools Software)
🔗 The Hacker News coverage (Dec 30, 2025)
🔗 CCB Belgium advisory (Dec 29, 2025)
