Critical unauthenticated file upload vulnerability in SmarterMail email servers allowing arbitrary file upload to any server location, leading to remote code execution. Active exploitation is occurring in the wild against internet-facing mail servers.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: DIRECT_NETWORK
CVE Published: 2025-12-29
Added to CISA KEV: 2026-01-26 (28 days between CVE publication and KEV listing)
CVE-2025-52691 stems from an unauthenticated arbitrary file upload flaw in SmarterMail Build 9406 and earlier. Public PoCs on platforms such as Sploitus demonstrate simple HTTP requests that upload files, escalating to RCE via ASPX webshells. No widespread in-the-wild exploitation is confirmed yet, but the public exploits heighten the risk for unpatched mail servers that are directly internet-facing. Administrators must upgrade to SmarterMail Build 9413 or later, ideally the newest Build 9483, for remediation.
... CVE-2025-52691 stems from a .NET file upload handler that performs neither authorization nor validation, allowing POST requests to place files in arbitrary paths such as /App_Data/ or the web root. ... Affected versions: SmarterMail Build 9406 and earlier; fixed in Build 9413 (Oct 9, 2025), latest Build 9483 (Dec 18, 2025). ... Attack surface: thousands of internet-facing SmarterMail instances; the absence of authentication lowers the barrier to mass scanning and exploitation.
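The two defects named above (no authorization check, and a client-supplied filename that is allowed to steer the write location) are the general pattern behind upload-to-RCE on .NET web applications. The following is an added illustration of that pattern and its fix; it is not SmarterMail's code, and the directory names (`/srv/mail/App_Data/uploads`, `/srv/mail/wwwroot`) and the function names are assumptions chosen for the example. It shows how a naive handler lets `../` or an absolute path land a file in the web root, and what a hardened handler checks instead: session authentication, discarding any directory component the client sent, an executable-extension denylist, and a final containment check on the resolved path.

```python
"""Illustrative upload-handler logic (added example, not SmarterMail's code).

vulnerable_target_path() reproduces the unsafe pattern: untrusted filename
joined to the upload root and normalised, so traversal escapes the root.
hardened_target_path() shows the checks a reviewer would expect.
"""
import posixpath
from pathlib import PurePosixPath

# Assumed layout for the example; real deployments differ.
UPLOAD_ROOT = PurePosixPath("/srv/mail/App_Data/uploads")
WEB_ROOT = PurePosixPath("/srv/mail/wwwroot")

# File types the ASP.NET pipeline treats as code or config if they land
# under a web root. Illustrative list; extend for the real application.
EXECUTABLE_EXTS = {".aspx", ".ashx", ".asmx", ".asax", ".cshtml",
                   ".config", ".dll", ".soap"}


class UploadRejected(ValueError):
    """Raised by the hardened handler when an upload fails validation."""


def vulnerable_target_path(filename: str) -> str:
    """Unsafe: trusts the client-supplied name, no auth, no extension filter.

    Joining then normalising means "../../wwwroot/shell.aspx" resolves to
    a path inside WEB_ROOT, and an absolute name replaces the root entirely.
    """
    return posixpath.normpath(str(UPLOAD_ROOT / filename))


def hardened_target_path(filename: str, authenticated: bool) -> str:
    """Safe variant: every check the advisory says was missing."""
    if not authenticated:
        raise UploadRejected("unauthenticated upload refused")

    # Windows-hosted .NET accepts backslashes as separators; normalise so
    # the basename extraction below cannot be bypassed with "..\\".
    name = PurePosixPath(filename.replace("\\", "/")).name
    if not name or name in {".", ".."}:
        raise UploadRejected("empty or dot filename refused")

    ext = PurePosixPath(name).suffix.lower()
    if ext in EXECUTABLE_EXTS:
        raise UploadRejected(f"executable extension {ext!r} refused")

    candidate = posixpath.normpath(str(UPLOAD_ROOT / name))
    # Defence in depth: the resolved path must still sit under UPLOAD_ROOT.
    if posixpath.commonpath([candidate, str(UPLOAD_ROOT)]) != str(UPLOAD_ROOT):
        raise UploadRejected("resolved path escapes the upload root")
    return candidate


def check_upload(filename: str, authenticated: bool) -> tuple[bool, str]:
    """Return (accepted, path_or_reason) for the hardened handler."""
    try:
        return True, hardened_target_path(filename, authenticated)
    except UploadRejected as exc:
        return False, str(exc)


def lands_in_web_root(path: str) -> bool:
    """True when a resolved write path is inside WEB_ROOT (i.e. servable)."""
    return posixpath.commonpath([path, str(WEB_ROOT)]) == str(WEB_ROOT)


if __name__ == "__main__":
    # Constructed inputs, including the traversal case from the advisory.
    for name in ("report.pdf", "../../wwwroot/shell.aspx",
                 "/srv/mail/wwwroot/shell.aspx"):
        bad = vulnerable_target_path(name)
        print(f"{name!r}: naive -> {bad} (web root: {lands_in_web_root(bad)})")
        print(f"{name!r}: hardened -> {check_upload(name, authenticated=True)}")
    print("unauthenticated:", check_upload("report.pdf", authenticated=False))
```

The containment check is kept even though the basename extraction already removes directory components; the two checks fail independently, so a later change to how `name` is derived does not silently reopen the traversal. An extension denylist is the minimum shown here; an allowlist of expected document types is stronger where the application can enumerate them.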
A new security flaw in SmarterTools SmarterMail email software has come under active exploitation in the wild, two days after the release of a patch. The Hacker News has reached out to SmarterTools for comment, and we will update the story if we hear back. The development comes less than a month after the Cyber Security Agency of Singapore (CSA) disclosed details of a maximum-severity security flaw in SmarterMail (CVE-2025-52691, CVSS score: 10.0) that could be exploited to achieve remote code execution.
For the benefit of the cybersecurity community and network defenders, and to help every organization better manage vulnerabilities and keep pace with threat activity, CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework. How to use the KEV ...
CVE-2025-52691 (Red Hot Cyber). Description: Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution. CVSS Base Score: 10.0 (v3.1).