Mallory

SmarterMail Unauthenticated File Upload RCE (CVE-2025-52691) Exposes Thousands of Internet-Facing Servers

Tags: internet-facing-service-vulnerability, proof-of-concept-release, internet-exposed-service, rapid-weaponization, widely-deployed-product-advisory
Updated March 21, 2026 at 02:52 PM (2 sources)

A critical SmarterTools SmarterMail vulnerability, CVE-2025-52691, enables remote code execution (RCE) via an unauthenticated arbitrary file upload condition (CWE-434). The issue affects SmarterMail Build 9406 and earlier and is fixed in Build 9413 and later; the NVD lists a CVSS v3.1 score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Successful exploitation can allow full server compromise, including webshell deployment, data theft, and lateral movement under the service’s privileges.

Internet-wide scanning reported 8,001 likely vulnerable IPs out of 18,783 exposed SmarterMail instances (about 42.6% failing checks), with the largest concentration in the United States (~5,000) followed by the UK and Malaysia. Public proof-of-concept exploit code is available, increasing the likelihood of opportunistic exploitation against unpatched, internet-facing deployments; multiple national agencies reportedly issued advisories following disclosure in late December 2025.

Timeline

  1. Jan 13, 2026

    Admins urged to upgrade SmarterMail to patched builds

    Security reporting advised administrators to upgrade to SmarterMail Build 9413 or later, preferably Build 9483, and to apply interim mitigations such as restricting admin access and monitoring for suspicious uploads. This guidance was issued in response to the continued exposure of vulnerable internet-facing servers.

  2. Jan 13, 2026

    Public PoC exploit for CVE-2025-52691 becomes available

    Public proof-of-concept exploit code was released for CVE-2025-52691, including examples such as ASPX webshell-based remote code execution. The availability of simple PoCs increased the risk of opportunistic attacks against exposed servers.

  3. Jan 13, 2026

    SmarterMail RCE flaw CVE-2025-52691 is identified

    A critical unauthenticated arbitrary file upload vulnerability, tracked as CVE-2025-52691, was identified in SmarterTools SmarterMail. The flaw affects Build 9406 and earlier and can lead to remote code execution under the service's privileges.

  4. Jan 12, 2026

    Internet scan finds 8,000+ exposed SmarterMail servers still vulnerable

    Internet-wide scans conducted on January 12, 2026 found more than 8,000 internet-exposed SmarterMail servers still vulnerable to CVE-2025-52691. Shadowserver UK and Censys data indicated widespread exposure, with the United States hosting the largest number of affected instances.
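Two of the checks the guidance above calls for (confirm the build, and watch for web-executable files appearing under the web root) as an added example; this is not SmarterTools code, the build thresholds are the ones stated on this page, and the ASP.NET extension list and the sample web-root layout are assumptions.

```python
import tempfile
from pathlib import Path

# Build numbers as stated in the advisory text above.
LAST_AFFECTED_BUILD = 9406   # "Build 9406 and earlier"
FIRST_FIXED_BUILD = 9413     # "fixed in Build 9413 and later"

# Server-side executable extensions an ASPX webshell drop would use
# (assumption: ASP.NET hosting, as implied by the ASPX PoCs mentioned above).
WEB_EXEC_EXTS = {".aspx", ".ashx", ".asmx", ".asax", ".ascx", ".cshtml"}


def build_status(build: int) -> str:
    """Classify a SmarterMail build against the ranges the advisory gives."""
    if build <= LAST_AFFECTED_BUILD:
        return "vulnerable"
    if build >= FIRST_FIXED_BUILD:
        return "fixed"
    return "unknown"  # 9407..9412 are not covered by the advisory text


def find_suspicious_web_files(web_root, baseline, baseline_time):
    """Return (relative path, reason) for web-executable files under web_root that
    are either absent from the known-good baseline set or modified after baseline_time."""
    root = Path(web_root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_EXEC_EXTS:
            continue
        rel = path.relative_to(root).as_posix()
        if rel not in baseline:
            hits.append((rel, "not in baseline"))
        elif path.stat().st_mtime > baseline_time:
            hits.append((rel, "modified after baseline"))
    return sorted(hits)


def demo():
    """Run both checks on a constructed sample web root (hypothetical layout)."""
    root = Path(tempfile.mkdtemp())
    baseline = {"Default.aspx", "Login.aspx"}
    for name in baseline:
        (root / name).write_text("<%@ Page %>")  # placeholder page content
    baseline_time = max((root / n).stat().st_mtime for n in baseline)
    # A web-executable file appearing later under an upload directory is the
    # post-exploitation artifact the guidance tells admins to watch for.
    (root / "Attachments").mkdir()
    (root / "Attachments" / "dropped.aspx").write_text("placeholder")
    return build_status(9406), build_status(9483), find_suspicious_web_files(root, baseline, baseline_time)
```

A real baseline would be the file list and timestamps captured from a known-clean install of the same build, and every hit should be reviewed rather than auto-deleted.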


Sources

January 14, 2026 at 06:18 PM

Related Stories

Critical SmarterMail Vulnerability Allowing Unauthenticated Arbitrary File Upload (CVE-2025-52691)

A critical vulnerability identified as CVE-2025-52691 has been discovered in SmarterMail, allowing unauthenticated attackers to upload arbitrary files to any location on the mail server. This flaw, rated with a CVSS score of 10, enables remote code execution, potentially giving attackers full control over affected servers. The vulnerability can be exploited without authentication, significantly increasing the risk of compromise for organizations running vulnerable versions of SmarterMail. Security advisories emphasize the severity of this issue, warning that successful exploitation could lead to the deployment of web shells or other malicious payloads, facilitating further attacks or persistent access. Organizations using SmarterMail are urged to apply available patches immediately and review server logs for signs of unauthorized file uploads or suspicious activity.

1 month ago
Critical Remote Code Execution Vulnerability in SmarterMail

A critical remote code execution (RCE) vulnerability, tracked as CVE-2025-52691, has been identified in SmarterMail, affecting Build 9406 and earlier. This flaw allows unauthenticated attackers to upload arbitrary files to any location on the mail server, enabling them to execute remote code and potentially gain full control over compromised systems. The vulnerability has been assigned a CVSS score of 10.0, indicating maximum severity, and poses a significant risk of unauthorized access, data exfiltration, malware deployment, and lateral movement within affected networks. SmarterTools has released Build 9413 to address this issue, and immediate patching is strongly advised to mitigate the threat. The vulnerability was discovered by Chua Meng Han from the Centre for Strategic Infocomm Technologies (CSIT), with responsible disclosure coordinated by the Cyber Security Agency (CSA) of Singapore. Security advisories from both SmarterTools and the Canadian Centre for Cyber Security urge all users and administrators to verify their SmarterMail version and apply the update to Build 9413 or later without delay. Failure to patch leaves organizations exposed to active exploitation and potential compromise of sensitive email communications and infrastructure.

1 month ago
Active Exploitation of SmarterMail Authentication Bypass Leading to Admin Takeover and RCE

Internet-wide scanning identified **6,000+ SmarterTools SmarterMail** servers exposed online and likely vulnerable to **CVE-2026-23760**, a **critical authentication bypass** in the password reset API that enables **unauthenticated admin account takeover** and can lead to **remote code execution**. The flaw affects SmarterMail versions prior to **build 9511** and abuses the `/api/v1/auth/force-reset-password` (aka `force-reset-password`) endpoint, which allows anonymous password resets for administrator accounts without validating the existing password or requiring a reset token. SmarterTools issued a fix on **January 15, 2026** (later assigned CVE-2026-23760), and Shadowserver reported large-scale exposure with thousands of instances flagged as “likely vulnerable,” including heavy concentration in North America and additional exposure in Asia. Multiple sources reported **active exploitation** shortly after patch availability, with observed attacker behavior consistent with automated hijacking: resetting admin credentials, obtaining authenticated access, and then leveraging SmarterMail administrative capabilities to execute OS-level commands. Huntress reported attackers creating malicious **System Events** to run reconnaissance commands and establish persistence, while watchTowr (which reported the issue to SmarterTools) received additional reports of exploitation in production environments. The reporting also notes this disclosure follows closely after another critical pre-auth SmarterMail issue (**CVE-2025-52691**), reinforcing that unpatched, internet-exposed SmarterMail deployments are being actively targeted.

1 month ago
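Detection logic for the password-reset bypass story above, added here as an example rather than taken from any of the cited reports: it pulls every call to the reset endpoint named in the story out of request logs and flags sources that succeed repeatedly, which matches the automated takeover pattern described. The combined-style log format and the sample lines are constructed, not SmarterMail's own log layout.

```python
import re
from collections import Counter

# Endpoint named in the story above; the log format below is an assumed
# combined-log-style layout, not SmarterMail's own.
RESET_ENDPOINT = "/api/v1/auth/force-reset-password"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def reset_endpoint_hits(lines):
    """Parse request-log lines and return every call to the reset endpoint as
    (ip, timestamp, method, status). Query strings are ignored when matching."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        if m.group("path").split("?", 1)[0].rstrip("/") != RESET_ENDPOINT:
            continue
        hits.append((m.group("ip"), m.group("ts"), m.group("method"), int(m.group("status"))))
    return hits


def burst_sources(hits, threshold=3):
    """Sources with at least `threshold` successful reset calls. Legitimate resets
    are rare and admin-driven, so repeated 2xx responses from one source warrant review."""
    counts = Counter(ip for ip, _, _, status in hits if 200 <= status < 300)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


# Constructed sample lines (RFC 5737 documentation addresses, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.9 - - [16/Jan/2026:03:12:01 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 51',
    '203.0.113.9 - - [16/Jan/2026:03:12:02 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 51',
    '203.0.113.9 - - [16/Jan/2026:03:12:03 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 51',
    '198.51.100.4 - - [16/Jan/2026:08:00:10 +0000] "GET / HTTP/1.1" 200 1834',
    '198.51.100.4 - - [16/Jan/2026:08:01:44 +0000] "POST /api/v1/auth/force-reset-password?x=1 HTTP/1.1" 403 0',
]
```

On a patched build a 403 or 401 on this endpoint for an unauthenticated caller is the expected outcome; a run of 200s before the patch date is the signal to pivot into admin-account and System Events review.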
