Critical SmarterMail Flaw Allows Attackers to Execute Remote Code

SmarterTools has issued an urgent security advisory regarding a critical vulnerability in its widely used SmarterMail software.

The flaw, which carries the highest possible severity score, could allow unauthenticated attackers to completely take over affected mail servers.

The vulnerability, tracked as CVE-2025-52691, has been assigned a CVSS v3.1 score of 10.0, indicating maximum severity. It affects SmarterMail versions Build 9406 and earlier.

According to the Cyber Security Agency of Singapore (CSA), the security defect stems from an arbitrary file upload weakness. In simple terms, the software fails to properly check or restrict the types of files that can be uploaded to the server, or where they are written.

This oversight allows an attacker, without logging in or having any prior access, to upload malicious files to any location on the mail server’s file system.

Once a malicious file is uploaded, the attacker can execute it to achieve Remote Code Execution (RCE).
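The two defects the advisory describes (no restriction on file type, and no restriction on where the file lands) map onto two checks an upload handler needs. The following is an added example, not SmarterMail's own code (the product is .NET; Python is used here for a self-contained demonstration): the weak pattern that writes a client-named file wherever the name points, beside a hardened version, with an upload root and filenames that are constructed for illustration.

```python
import posixpath

# Attachment types a mail server has a legitimate reason to accept; anything
# the server or its web front end could execute is deliberately absent.
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".png", ".jpg", ".eml", ".csv"}

def unsafe_destination(upload_root: str, client_filename: str) -> str:
    """Weak pattern: the client-supplied name is joined verbatim, so '..'
    segments or an absolute name escape upload_root ("any location")."""
    return posixpath.normpath(posixpath.join(upload_root, client_filename))

def check_upload(upload_root: str, client_filename: str) -> tuple[bool, str]:
    """Hardened pattern. Returns (True, destination) or (False, reason).
    Keeps only the final path component, allowlists the extension, and
    re-verifies that the result still lies under upload_root."""
    base = posixpath.basename(client_filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        return False, "empty or traversal-only filename"
    ext = posixpath.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} is not on the allowlist"
    root = posixpath.normpath(upload_root)
    dest = posixpath.normpath(posixpath.join(root, base))
    if posixpath.commonpath([root, dest]) != root:   # defence in depth
        return False, "destination escapes upload root"
    return True, dest

def escapes_root(upload_root: str, destination: str) -> bool:
    """Detection helper for reviewing an upload log: True when a recorded
    destination lies outside the directory uploads are supposed to land in."""
    root = posixpath.normpath(upload_root)
    return posixpath.commonpath([root, posixpath.normpath(destination)]) != root

if __name__ == "__main__":
    ROOT = "/srv/mail/uploads"  # constructed upload directory, not a real path
    for name in ("report.pdf", "../../../webroot/handler.aspx", "/etc/passwd"):
        print(name, "->", unsafe_destination(ROOT, name), check_upload(ROOT, name))
```

The extension allowlist should be backed by content inspection and by storing uploads outside any web-served directory; the path check alone only closes the "any location" half of the problem.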

This is a worst-case scenario for enterprise security. With RCE, an attacker can run commands with the same privileges as the mail server process. This could lead to:

  • Data Theft: Accessing sensitive emails, contact lists, and attachments.
  • Server Takeover: Installing ransomware, backdoors, or other malware.
  • Network Pivoting: Using the compromised mail server as a launchpad to attack other devices on the internal network.

SmarterTools has released a patch to fix this issue. Users and administrators are strongly advised to update to SmarterMail Build 9413 immediately.

Feature              Details
CVE ID               CVE-2025-52691
Product              SmarterMail
Vulnerability Type   Arbitrary File Upload / RCE
CVSS v3.1 Score      10.0 (Critical)

Given the “unauthenticated” nature of the exploit, any server exposed to the internet is at immediate risk until updated.

The vulnerability was discovered by Mr. Chua Meng Han from the Centre for Strategic Infocomm Technologies (CSIT).

The Cyber Security Agency of Singapore (CSA) has acknowledged SmarterTools Inc. for their swift collaboration in resolving the issue through coordinated disclosure.
