SmarterTools’ SmarterMail system has been found to have a critical pre-authentication remote code execution vulnerability (CVE-2025-52691).
Its maximum CVSS score of 10.0 reflects the flaw’s severity and its potential impact on affected systems.
SmarterMail is “a secure, all-in-one business email and collaboration server for Windows and Linux – an affordable Microsoft Exchange alternative,” according to SmarterTools. Businesses looking for email server solutions frequently use the platform.
The vulnerability, which takes advantage of an unauthenticated file-upload endpoint in the program, was found by security experts from Singapore’s Centre for Strategic Infocomm Technologies (CSIT).
The vulnerability lies in the FileUploadController on the /api/upload route, an upload handler that can be reached without authentication.
It stems from a path traversal flaw in the validation of the GUID input.
By manipulating the contextData argument to carry a malicious GUID value in a specially crafted multipart/form-data HTTP request containing path traversal sequences, attackers can escape the restricted upload directory and write arbitrary files to any location on the system, including web-accessible folders.
In order to accomplish full remote code execution without authentication, threat actors can upload malicious ASPX webshells to the server’s root directory.
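As an added defensive example (not SmarterTools’ code, and independent of how the product actually validates the field), the following Python shows what strict validation of the contextData GUID plus path confinement under the upload directory looks like, and a scan over constructed log lines that flags POST /api/upload requests whose contextData is not a canonical GUID. The upload root, the simplified log format and all sample values are assumptions for the example.

```python
from __future__ import annotations
import re
from pathlib import Path

# Assumed upload root; the product's real directory layout is not given in the article.
UPLOAD_ROOT = Path("/srv/smartermail/uploads")
# Canonical 8-4-4-4-12 hex GUID and nothing else: no dots, slashes, percent escapes or braces.
GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")
# Plain and URL-encoded traversal markers that never belong in a GUID field.
TRAVERSAL_RE = re.compile(r"\.\.|%2e|%2f|%5c|[\\/]", re.IGNORECASE)

def is_strict_guid(value: str) -> bool:
    """Allow-list check: the whole string must be a canonical GUID."""
    return GUID_RE.fullmatch(value) is not None

def resolve_upload_path(context_guid: str, filename: str) -> Path | None:
    """Return the on-disk target only if GUID validation and path confinement both pass."""
    if not is_strict_guid(context_guid):
        return None
    safe_name = Path(filename).name  # drop any client-supplied directory component
    target = (UPLOAD_ROOT / context_guid.lower() / safe_name).resolve()
    if UPLOAD_ROOT.resolve() not in target.parents:  # confinement check as a second line of defence
        return None
    return target

def classify_upload(method: str, path: str, context_data: str) -> str | None:
    """Why a request deserves review, or None if it is benign or not an upload call."""
    if method.upper() != "POST" or not path.lower().startswith("/api/upload"):
        return None
    if is_strict_guid(context_data):
        return None
    return "traversal" if TRAVERSAL_RE.search(context_data) else "malformed-guid"

# Constructed sample log in a simplified "METHOD PATH contextData=VALUE" form, not the product's own format.
SAMPLE_LOG = """\
POST /api/upload contextData=7f3c2a1e-9b4d-4c8e-a2f1-0d6e5b4a3c21
POST /api/upload contextData=../../../../web-accessible-dir
POST /api/upload contextData=..%2f..%2fweb-accessible-dir
GET /api/mail/inbox contextData=
POST /api/upload contextData=not-a-guid
"""

def scan_log(text: str) -> list[tuple[int, str]]:
    """Return (line number, reason) for every request classify_upload flags."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        method, path, field = line.split(maxsplit=2)
        if reason := classify_upload(method, path, field.partition("=")[2]):
            hits.append((lineno, reason))
    return hits
```

Since the article notes that ASPX webshells are the payload of interest, an extension allow-list applied to safe_name in resolve_upload_path would be a natural further hardening.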
Build 9413, which was issued on October 10, 2025, silently corrected the vulnerability. However, it wasn’t until late December 2025 that Singapore’s Cyber Security Agency (CSA) released the official notice.
Customers remained unaware of the critical vulnerability for around 2.5 months after the fix was released, raising questions about silent patching practices during this three-month period.
To assist enterprises in determining their exposure and creating detection rulesets, WatchTowr Labs has made a Detection Artifact Generator available on GitHub.
The tool has been tested on Windows installations running both older and more recent releases.
To prevent exploitation of this serious vulnerability, organizations running SmarterMail should update to build 9413 or later right away.
