A important pre-authentication distant code execution vulnerability, recognized as CVE-2025-52691, has been found in SmarterTools’ SmarterMail resolution.
The flaw obtained a most CVSS rating of 10.0, indicating its extreme nature and potential impression on affected programs.
SmarterTools describes SmarterMail as “a safe, all-in-one enterprise e-mail and collaboration server for Home windows and Linux – an inexpensive Microsoft Change various.” The platform is extensively utilized by organizations in search of e-mail server options.
CVE IDCVSS ScoreVulnerability TypeAffected VersionsCVE-2025-5269110.0 (Important)Pre-Authentication Distant Code ExecutionBuild 9406 and earlier
Safety researchers at Singapore’s Centre for Strategic Infocomm Applied sciences (CSIT) found the vulnerability, which exploits an unauthenticated file-upload endpoint within the utility.
notification of vulnerability
The flaw exists within the /api/add route, particularly inside the FileUploadController.Add methodology that requires no authentication to entry.
The vulnerability leverages a path traversal weak point within the GUID parameter validation.
Attackers can manipulate the contextData parameter to incorporate a malicious GUID worth, thereby bypassing the restricted add listing and writing arbitrary recordsdata to any location on the system, together with web-accessible directories.
By crafting a specifically formatted multipart/form-data HTTP request with path traversal sequences.
path traversal exploit
Menace actors can add malicious ASPX webshells to the server’s root listing, attaining full distant code execution with out authentication.
The vulnerability was silently fastened in construct 9413, launched on October 10, 2025. Nevertheless, the official advisory from Singapore’s Cyber Safety Company (CSA) wasn’t printed till late December 2025.
This three-month hole raised considerations about silent patching practices, as clients remained unaware of the important vulnerability for roughly 2.5 months after the repair was deployed.
WatchTowr Labs has launched a Detection Artifact Generator on GitHub to assist organizations establish their publicity and construct detection rulesets.
safety fixes
The instrument has been verified on each Home windows installations with newer builds and older variations.
Organizations operating SmarterMail ought to instantly replace to construct 9413 or later to guard towards potential exploitation of this important vulnerability.
Comply with us on Google Information, LinkedIn, and X for every day cybersecurity updates. Contact us to characteristic your tales.
