Critical Vulnerability in SmarterMail Let Attackers Execute Remote Code

SmarterTools has issued an urgent security advisory addressing a critical vulnerability in SmarterMail that could allow attackers to execute remote code on mail servers.

The flaw, tracked as CVE-2025-52691, poses a severe threat to organizations using the affected versions.

The vulnerability has been assigned a CVSS score of 10.0, the highest possible severity rating. This critical classification underscores the urgent need for immediate remediation by all affected organizations.

CVE ID: CVE-2025-52691
CVSS Score: 10.0
Affected Versions: SmarterMail Build 9406 and earlier
Vulnerability Type: Remote Code Execution (RCE)
Attack Vector: Remote, unauthenticated

CVE-2025-52691 enables unauthenticated attackers to upload arbitrary files to any location on the mail server without requiring credentials.

This capability creates a pathway for remote code execution, giving threat actors complete control over compromised systems.

The unauthenticated nature of the exploit significantly increases the risk, as attackers can leverage the vulnerability without needing to bypass authentication mechanisms.

Successful exploitation could lead to unauthorized access to sensitive email communications, deployment of malware, data exfiltration, and potential lateral movement within corporate networks.

Organizations running vulnerable versions face immediate risk of compromise. The vulnerability impacts SmarterMail versions Build 9406 and earlier.

Organizations should immediately verify their current version and prioritize patching efforts. SmarterTools has released Build 9413 to address this critical security flaw.

Administrators must update all SmarterMail installations immediately to eliminate the vulnerability. Delayed patching leaves mail servers exposed to potential attacks.

The vulnerability was discovered by Chua Meng Han of the Centre for Strategic Infocomm Technologies (CSIT).

The Cyber Security Agency (CSA) of Singapore coordinated responsible disclosure with SmarterTools Inc., ensuring a fix was available before public release.

Organizations using SmarterMail should treat this vulnerability as a critical priority and implement the security update without delay.
