CVE-2025-52691
CVE-2025-52691 is a critical-severity vulnerability in Smartertools Smartermail with a CVSS 3.x base score of 10.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2026-01-26). The underlying weakness is classified as CWE-434.
Key facts
- Severity: Critical (CVSS 3.x base score 10.0)
- EPSS exploit prediction: 85% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2026-01-26)
- EU (EUVD) id: EUVD-2025-205544
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2026-01-26)
- Weakness: CWE-434
- Affected product: Smartertools Smartermail
- Published:
- Last modified:
Description
Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.
CVE-2025-52691: SmarterMail Unrestricted File Upload Enables Remote Code Execution
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2025-52691 |
| Product | SmarterTools SmarterMail |
| CVSS v3.1 | 10.0 (CRITICAL) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CWE | CWE-434: Unrestricted Upload of File with Dangerous Type |
| EPSS | 85.46 % (99.69th percentile) |
| KEV | Yes — added 2026-01-26 |
| Published | 2025-12-29 |
| Modified | 2026-06-17 |
Summary
A critical vulnerability in SmarterMail permits unauthenticated remote attackers to upload arbitrary files to any directory on the mail server, potentially leading to remote code execution (RCE). The flaw stems from inadequate validation of uploaded file types and paths, allowing a threat actor to place executable or configuration-altering files in sensitive locations without authentication.
Background
SmarterMail is a widely deployed email and collaboration server used by hosting providers and enterprises. The product exposes web interfaces for administration and end-user mail access. File-upload functionality is common in mail platforms for attachments, contact imports, and theme customization, making unrestricted upload vectors especially dangerous in this context.
Root Cause
The vulnerability is classified under CWE-434: Unrestricted Upload of File with Dangerous Type.
The root cause is a failure to:
- Validate or restrict the file extension and MIME type of uploaded content.
- Enforce a sandboxed or chrooted upload directory.
- Prevent path traversal or arbitrary destination selection during the upload process.
As a result, an attacker can craft a multipart upload request that places a file at an arbitrary path on the underlying server filesystem — including directories served by the web server or locations used by the operating system.
Impact
The CVSS v3.1 score of 10.0 (CRITICAL) reflects the maximum severity of this flaw:
| Metric | Value | Interpretation |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable over the internet |
| Attack Complexity (AC) | Low | No special conditions required |
| Privileges Required (PR) | None | Unauthenticated exploitation |
| User Interaction (UI) | None | No victim action needed |
| Scope (S) | Changed | Impact extends beyond the vulnerable component |
| Confidentiality (C) | High | Total data disclosure possible |
| Integrity (I) | High | Total data compromise possible |
| Availability (A) | High | Total service disruption possible |
Successful exploitation grants the attacker the ability to overwrite application files, plant web shells, or modify system configurations — effectively achieving full control of the mail server.
Exploitation Walkthrough
From a defensive perspective, exploitation typically proceeds as follows:
- Reconnaissance — The attacker identifies a publicly accessible SmarterMail instance, often through certificate-transparency logs, Shodan, or Censys.
- Upload endpoint discovery — The attacker locates an unauthenticated file-upload endpoint (e.g., a theme-upload, contact-import, or attachment-handling route).
- Path traversal injection — The upload request is modified to include directory-traversal sequences (e.g.,
../../) in the filename or destination path parameter. - File placement — A file with a dangerous extension (
.aspx,.ashx,.dll,.exe, or configuration-altering files) is placed in a web-accessible or execution-sensitive directory. - Trigger — The attacker requests the newly placed file via HTTP, causing the server to execute it or load it as a module.
Ethics caveat: This description is intentionally generic and omits request payloads, exact endpoint paths, and working exploit code. Security practitioners should use this information for detection-rule development, patch prioritization, and architecture review only.
Affected and Patched Versions
The NVD record lists the vulnerable product as SmarterTools SmarterMail (cpe:2.3:a:smartertools:smartermail:*:*:*:*:*:*:*:*). Specific affected version ranges are not provided in the source data at this time.
Organizations should:
- Verify their installed SmarterMail version against the vendor's security bulletin.
- Treat all unpatched instances as potentially vulnerable until a patched release is confirmed.
Remediation
- Apply vendor patches immediately. SmarterTools is expected to release an update that restricts upload paths and validates file types. Check the vendor support portal for the latest patched version.
- Network segmentation. Place SmarterMail behind a reverse proxy or WAF that blocks path-traversal patterns and restricts upload size and type.
- Input validation. If running a custom build, enforce strict allow-list validation on uploaded file extensions and MIME types.
- File-system hardening. Ensure the web server process cannot write to directories outside a designated, non-executable upload sandbox.
- Compensating controls. If patching is delayed, consider disabling non-essential upload features or restricting admin interfaces to VPN-only access.
Detection
- Web server logs: Look for HTTP POST requests to upload endpoints containing path-traversal patterns (
../,%2e%2e%2f,%252e%252e%252f) or unexpected file extensions in multipart bodies. - File-integrity monitoring (FIM): Alert on new or modified files in web-root directories,
bin/, or application directories. - EDR/XDR rules: Trigger on child processes spawned by the SmarterMail worker process, especially
cmd.exe,powershell.exe, orw3wp.exeexecuting unfamiliar binaries. - Network traffic: Monitor for large outbound transfers or C2 beaconing patterns following anomalous upload activity.
Assessment
- EPSS of 85.46 % (99.69th percentile) indicates that exploitation in the wild is highly probable.
- CISA KEV inclusion (2026-01-26) and EUVD exploitation confirmation mean this vulnerability is actively exploited by threat actors.
- Key lessons:
- File-upload endpoints should always be authenticated, rate-limited, and sandboxed.
- A vulnerability with AV:N/AC:L/PR:N — unauthenticated, low-complexity, network-reachable — demands emergency patching timelines (hours, not days).
References
Frequently asked questions
- What is CVE-2025-52691?
- Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.
- How severe is CVE-2025-52691?
- CVE-2025-52691 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2025-52691 being actively exploited?
- Yes. CVE-2025-52691 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2026-01-26, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2025-52691?
- CVE-2025-52691 affects Smartertools Smartermail. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-52691?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2025-52691 have an EU (EUVD) identifier?
- Yes. CVE-2025-52691 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-205544. It is also flagged as exploited in the EUVD (since 2026-01-26).
- When was CVE-2025-52691 published?
- CVE-2025-52691 was published on 2025-12-29 and last updated on 2026-06-17.
References
- https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-124/
- https://github.com/watchtowrlabs/watchTowr-vs-SmarterMail-CVE-2025-52691?ref=labs.watchtowr.com
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-52691
Affected products (1)
- cpe:2.3:a:smartertools:smartermail:*:*:*:*:*:*:*:*
More vulnerabilities in Smartertools Smartermail
- CVE-2026-24423 — Critical (CVSS 9.8): SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in…
- CVE-2026-23760 — Critical (CVSS 9.8): SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password…
- CVE-2021-32234 — Critical (CVSS 9.8): SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows remote code execution.
- CVE-2019-7214 — Critical (CVSS 9.8): SmarterTools SmarterMail 16.x before build 6985 allows deserialization of untrusted data. An unauthenticated attacker…
- CVE-2019-7212 — High (CVSS 8.2): SmarterTools SmarterMail 16.x before build 6985 has hardcoded secret keys. An unauthenticated attacker could access…
- CVE-2026-7807 — High (CVSS 8.1): SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the…
All CVEs affecting Smartertools Smartermail →
Other CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities
- CVE-2026-48283 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type…
- CVE-2026-48276 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type…
- CVE-2026-57700 — Critical (CVSS 10.0): Unrestricted Upload of File with Dangerous Type vulnerability in Daan.Dev OMGF Pro allows Using Malicious Files. This…
- CVE-2025-69129 — Critical (CVSS 10.0): Unauthenticated Arbitrary File Upload in WordPress & WooCommerce Scraper Plugin, Import Data from Any Site <= 1.0.7…
- CVE-2026-40772 — Critical (CVSS 10.0): Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions.
- CVE-2026-40412 — Critical (CVSS 10.0): Unrestricted upload of file with dangerous type in Azure Orbital Spatio allows an unauthorized attacker to execute code…
Browse all CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities →