🔴 CVE-2025-52691

Critical unauthenticated file upload vulnerability in SmarterMail email servers allowing arbitrary file upload to any server location, leading to remote code execution. Active exploitation is occurring in the wild against internet-facing mail servers.

← Back to Overview
HIGH_RISK
Risk Level
10.0
CVSS Score
NETWORK
Attack Vector
Initial Access
ATT&CK Tactic
T1190 — Exploit Public-Facing Application
ATT&CK Technique
VERY_HIGH
Deployment Risk
Yes (+85d)
Ransomware

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-12-29

Added to CISA KEV: 2026-01-26 28 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-01-26)

CVE-2025-52691 is a critical vulnerability affecting SmarterTools SmarterMail email server software.

Here's what is known about its exploitation:

  • Internet-Facing Applications/Services: The vulnerability specifically impacts internet-facing SmarterMail instances [1][8]. SmarterMail is described as a business email and collaboration server, often used as an alternative to Microsoft Exchange [7].
  • Evidence of Active Exploitation: There is evidence of active exploitation in the wild [3]. Reports indicate that exploitation began shortly after a patch was released [3]. Public Proofs of Concept (PoCs) are available, demonstrating how attackers can exploit the vulnerability [1].
  • Attack Vectors and Exploitation Methods: The vulnerability allows an unauthenticated attacker to upload arbitrary files to any location on the mail server [5][6]. This is achieved through a file upload handler that lacks authorization and validation, enabling POST requests to place files in arbitrary paths [2]. Successful exploitation can lead to remote code execution (RCE) [6][9]. Public PoCs show simple HTTP requests for file uploads, escalating to RCE via ASPX webshells [1].
  • Targeted Attacks: While widespread exploitation is not yet confirmed, the public availability of exploits increases the risk for unpatched, internet-facing mail servers, suggesting potential for both mass scanning and targeted attacks [1].
  • CISA Known Exploited Vulnerabilities (KEV) Status: As of the provided information, CVE-2025-52691 is not listed on the CISA Known Exploited Vulnerabilities (KEV) Catalog [4][14]. CISA maintains this catalog of vulnerabilities that have been exploited in the wild to help organizations prioritize their vulnerability management.
  • Technical Details about Internet Exploitability: The vulnerability is a pre-authentication RCE [11][13]. This means an attacker does not need to authenticate to the SmarterMail server to exploit it, significantly lowering the barrier to entry for exploitation [2][10]. The affected versions are SmarterMail Build 9406 and earlier, with fixes available in Build 9413 and later [9][12]. The vulnerability has a CVSS Base Score of 10.0, indicating its critical severity [5][15].

Sources

  1. 8000+ SmarterMail Hosts Vulnerable to RCE Attack - PoC Exploit Released

    CVE-2025-52691 stems from an unauthenticated arbitrary file upload flaw in SmarterMail versions Build 9406 and earlier.Public PoCs on platforms like Sploitus demonstrate simple HTTP requests for file uploads, escalating to RCE via ASPX webshells. No widespread in-the-wild exploitation is confirmed y…

  2. CVE-2025-52691: Critical Unauthenticated RCE in

    ... CVE-2025-52691 stems from a .NET file upload handler lacking authorization and validation, allowing POST requests to place files in arbitrary paths like /App_Data/ or web roots. ... Affected versions : SmarterMail Build 9406 and earlier ; fixed in Build 9413 (Oct 9, 2025), latest 9483 (Dec 18,…

  3. SmarterMail Auth Bypass Exploited in the Wild Two Days After Patch Release

    A new security flaw in SmarterTools SmarterMail email software has come under active exploitation in the wild, two days after the release of a patch.The Hacker News has reached out to SmarterTools for comment, and we will update the story if we hear back. The development comes less than a month afte…

  4. Known Exploited Vulnerabilities Catalog - CISA

    For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catal…

  5. Security Vulnerability CVE-2025-52691 - Complete Analysis and Details

    CVE-2025-52691. View the latest critical CVEs issued This is a free service offered by Red Hot Cyber to the community.Description: Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling r…

Generated by PatchNow Intelligence System

Analysis based on CIRCL.LU data, Claude AI assessment, and MITRE ATT&CK framework

📄 Download JSON Data | 📡 RSS Feed