SmarterMail flaw lets attackers forge sharing tokens and access email contents
SmarterTools disclosed a vulnerability in SmarterMail affecting versions prior to Build 9610, and national advisories have urged administrators to apply the vendor update. The issue is tracked as CVE-2026-40514 and has also been referenced in dCERT Advisory 2026-1257 and the Canadian Centre for Cyber Security notice AV26-398, both pointing users to SmarterTools' remediation guidance for affected deployments.
According to the CVE entry, SmarterMail's file and email sharing endpoints used DES-CBC encryption with keys and IVs derived from System.Random, leaving a seed space of roughly 19,000 values. An unauthenticated attacker could use the attachment download endpoint as an oracle to recover the active seed, derive the encryption material, and forge sharing tokens to access arbitrary emails, attachments, or file storage contents without prior authorization, creating a high-impact confidentiality risk.
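To make the weakness concrete, the following added example (not SmarterMail's code) models the pattern the CVE describes, a key and IV drawn from a PRNG seeded from a small space, and shows that the number of reachable key/IV pairs is bounded by that seed space; it then shows a hardened sharing-token design in which the token is authenticated with HMAC-SHA256 under a CSPRNG-generated server secret and checked with a constant-time comparison. Function names, the `SERVER_SECRET` variable and the claim fields are constructed for illustration.

```python
import hashlib
import hmac
import json
import random
import secrets

# Weak pattern modelled on the CVE description (constructed illustration):
# the key and IV come from a PRNG seeded from a small space, so every
# guessable seed maps to exactly one key/IV pair. random.Random(seed) stands
# in for a seeded System.Random.
def weak_key_material(seed: int) -> tuple:
    rng = random.Random(seed)
    key = bytes(rng.getrandbits(8) for _ in range(8))  # 8-byte DES key
    iv = bytes(rng.getrandbits(8) for _ in range(8))   # 8-byte CBC IV
    return key, iv

def distinct_weak_keys(seed_space: int) -> int:
    """Distinct key/IV pairs reachable: never more than the seed space."""
    return len({weak_key_material(s) for s in range(seed_space)})

# Hardened pattern: the sharing token carries its claims in clear and is
# authenticated with HMAC-SHA256 under a secret from a CSPRNG. Without the
# secret, a token for another message or file cannot be forged.
SERVER_SECRET = secrets.token_bytes(32)  # constructed; load from a vault in practice

def issue_token(claims: dict, secret: bytes = SERVER_SECRET) -> str:
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return body.hex() + "." + tag.hex()

def verify_token(token: str, now: float, secret: bytes = SERVER_SECRET):
    """Return the claims if the tag is valid and the token is unexpired, else None."""
    try:
        body_hex, tag_hex = token.split(".", 1)
        body, tag = bytes.fromhex(body_hex), bytes.fromhex(tag_hex)
    except ValueError:
        return None
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    claims = json.loads(body)
    if claims.get("exp", 0) <= now:  # reject expired sharing links
        return None
    return claims
```

With a seed space of roughly 19,000 values, the weak construction yields at most 19,000 key/IV pairs (about 14 bits of entropy) regardless of the cipher's nominal key size, which is why the fix is a proper random source and an authenticated token rather than a stronger cipher alone.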
Timeline
Jul 1, 2026
Exchange Online scheduled to block TLS 1.0 and 1.1 for POP3 and IMAP4
In July 2026, Exchange Online is set to stop allowing POP3 and IMAP4 connections over TLS 1.0 and 1.1, ending continued use of legacy opt-in endpoints left available after broader support ended in 2020.
Apr 28, 2026
Microsoft announces Exchange Online legacy TLS cutoff for POP and IMAP
Microsoft announced that starting in July 2026 it will block TLS 1.0 and TLS 1.1 connections for POP3 and IMAP4 clients in Exchange Online, requiring TLS 1.2 or later. The company said the move is intended to retire insecure protocols while expecting limited customer impact.
Apr 28, 2026
Canadian Centre for Cyber Security republishes SmarterMail advisory
On April 28, 2026, the Canadian Centre for Cyber Security issued advisory AV26-398 referencing SmarterTools' April 24 notice and urging administrators to update affected SmarterMail versions prior to Build 9610.
Apr 27, 2026
dCERT issues advisory 2026-1257 for SmarterMail vulnerabilities
On April 27, 2026, dCERT published advisory 2026-1257 warning of multiple vulnerabilities in SmarterTools SmarterMail that could allow unspecified attacks.
Apr 27, 2026
CVE-2026-40514 vulnerability is received for disclosure
CVE-2026-40514 was newly received by disclosure@vulncheck.com on April 27, 2026. The flaw affects SmarterMail builds before 9610 and allows unauthenticated access to shared emails, attachments, or file storage contents by exploiting weak RNG-derived DES-CBC encryption.
Apr 24, 2026
SmarterTools publishes advisory for SmarterMail vulnerability
SmarterTools published a security advisory on April 24, 2026 addressing a vulnerability in SmarterMail affecting versions prior to Build 9610, and provided an update to remediate the issue.
Related Stories

Critical Remote Code Execution Vulnerability in SmarterMail
A critical remote code execution (RCE) vulnerability, tracked as CVE-2025-52691, has been identified in SmarterMail, affecting Build 9406 and earlier. This flaw allows unauthenticated attackers to upload arbitrary files to any location on the mail server, enabling them to execute remote code and potentially gain full control over compromised systems. The vulnerability has been assigned a CVSS score of 10.0, indicating maximum severity, and poses a significant risk of unauthorized access, data exfiltration, malware deployment, and lateral movement within affected networks. SmarterTools has released Build 9413 to address this issue, and immediate patching is strongly advised to mitigate the threat. The vulnerability was discovered by Chua Meng Han from the Centre for Strategic Infocomm Technologies (CSIT), with responsible disclosure coordinated by the Cyber Security Agency (CSA) of Singapore. Security advisories from both SmarterTools and the Canadian Centre for Cyber Security urge all users and administrators to verify their SmarterMail version and apply the update to Build 9413 or later without delay. Failure to patch leaves organizations exposed to active exploitation and potential compromise of sensitive email communications and infrastructure.
1 month ago
Critical SmarterMail Vulnerability Allowing Unauthenticated Arbitrary File Upload (CVE-2025-52691)
A critical vulnerability identified as CVE-2025-52691 has been discovered in SmarterMail, allowing unauthenticated attackers to upload arbitrary files to any location on the mail server. This flaw, rated with a CVSS score of 10, enables remote code execution, potentially giving attackers full control over affected servers. The vulnerability can be exploited without authentication, significantly increasing the risk of compromise for organizations running vulnerable versions of SmarterMail. Security advisories emphasize the severity of this issue, warning that successful exploitation could lead to the deployment of web shells or other malicious payloads, facilitating further attacks or persistent access. Organizations using SmarterMail are urged to apply available patches immediately and review server logs for signs of unauthorized file uploads or suspicious activity.
1 month ago
SmarterMail Unauthenticated File Upload RCE (CVE-2025-52691) Exposes Thousands of Internet-Facing Servers
A critical SmarterTools *SmarterMail* vulnerability, **CVE-2025-52691**, enables **remote code execution (RCE)** via an **unauthenticated arbitrary file upload** condition (CWE-434). The issue affects SmarterMail **Build 9406 and earlier** and is fixed in **Build 9413 and later**; the NVD lists a **CVSS v3.1 score of 10.0** (`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`). Successful exploitation can allow full server compromise, including webshell deployment, data theft, and lateral movement under the service’s privileges. Internet-wide scanning reported **8,001 likely vulnerable IPs** out of **18,783** exposed SmarterMail instances (about **42.6%** failing checks), with the largest concentration in the **United States (~5,000)** followed by the **UK** and **Malaysia**. **Public proof-of-concept exploit code** is available, increasing the likelihood of opportunistic exploitation against unpatched, internet-facing deployments; multiple national agencies reportedly issued advisories following disclosure in late December 2025.
1 month ago