CVE-2025-52691 — SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability

CVE-2025-52691

SmarterMail — Pre-Auth Arbitrary File Upload to RCE (CVSS 10; Handala-Linked Exploitation)

What is SmarterMail?

SmarterTools SmarterMail is a Windows-based enterprise email server platform used by businesses, web hosting providers, and ISPs to run full-featured mail services (SMTP, IMAP, POP3, webmail, calendaring). Because SmarterMail is the mail gateway for an organization, compromising it grants access to all email traffic, stored messages, user credentials, and contact data. It is often directly internet-facing on standard mail ports. Attackers who compromise a mail server can repurpose it for spam, phishing, lateral movement, or credential harvesting across the entire organization.

Overview

CVE-2025-52691 is a maximum-severity unrestricted file upload vulnerability (CWE-434, CVSS 10.0) in SmarterTools SmarterMail. An unauthenticated remote attacker can upload arbitrary files — including server-interpreted scripts — to any location on the mail server. If a file is placed in a web-accessible or executable directory, it executes with the privileges of the SmarterMail service process, achieving full remote code execution across the security boundary (Scope:Changed). SmarterMail quietly patched the issue in Build 9413 (October 2025); the CVE was not published until December 2025, and CISA added it to the KEV catalog in January 2026 after exploitation was confirmed.

Affected Versions

Product     | Vulnerable             | Fixed
SmarterMail | Build 9406 and earlier | Build 9413 (minimum); Build 9483 (recommended)

Technical Details

The vulnerability (CWE-434: Unrestricted Upload of File with Dangerous Type) is in SmarterMail's file upload handling. The application fails to validate or restrict the type, extension, or content of uploaded files, and fails to enforce path restrictions that prevent files from being written outside intended upload directories. An unauthenticated attacker can:

  1. Submit a crafted HTTP request containing a malicious file (e.g., an ASPX web shell) as the upload payload.
  2. Specify a server path within the SmarterMail web root or other executable location.
  3. Once the file is written, request it via HTTP to trigger server-side execution.

Execution occurs with the privileges of the SmarterMail service account, which typically runs with broad system access on Windows. The CVSS Scope:Changed (S:C) rating reflects that exploitation crosses from the SmarterMail application context into the underlying OS. The 10.0 score reflects that exploitation requires no authentication, no user interaction, and nothing more than network reachability.
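The failure class described above (client-controlled file name and target path joined straight onto the upload directory, with no extension check) beside the hardened form a reviewer would expect. This is an added illustration, not SmarterMail's code: SmarterMail is closed source and the page shows none of its upload handler. The extension sets, the upload directory and the sample file names are constructed for the example; a real deployment should derive the executable-extension list from the server's own handler mappings.

```python
"""CWE-434 upload handling: the vulnerable join beside a hardened path builder.

Added example, not SmarterMail's code. SERVER_EXECUTABLE, ALLOWED_EXTENSIONS
and the upload directory used in __main__ are constructed for illustration.
"""
import re
from pathlib import Path, PureWindowsPath

# Extensions an IIS host may hand to a script engine (constructed list; take
# the real one from the server's handler mappings, not from a guess).
SERVER_EXECUTABLE = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".cshtml", ".config"}
# What this hypothetical application actually needs users to upload.
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".png", ".jpg", ".jpeg", ".ics", ".vcf"}


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the caller answers with a 4xx."""


def unsafe_save_path(upload_root: str, client_path: str) -> Path:
    """Vulnerable pattern ('before'): the client's path is joined unchanged.

    A relative path with '..' components, or an absolute path, escapes
    upload_root, and the extension is never inspected.
    """
    return Path(upload_root) / client_path


def escapes_root(upload_root: str, client_path: str) -> bool:
    """Show the consequence: does the vulnerable join resolve outside upload_root?"""
    root = Path(upload_root).resolve()
    target = unsafe_save_path(upload_root, client_path).resolve()
    return root not in target.parents


def safe_save_path(upload_root: str, client_filename: str) -> Path:
    """Hardened counterpart ('after').

    1. Keep only the last path component, under both Windows and POSIX
       separator rules, so any directory part supplied by the client is dropped.
    2. Normalise to a conservative character set and strip trailing dots,
       which Windows silently removes ("shell.aspx." would become shell.aspx).
    3. Reject any suffix in the executable set, inner ones included
       ("shell.aspx.txt"), then require the final suffix to be allowlisted.
    4. Resolve the result and confirm it is still inside upload_root.
    """
    name = PureWindowsPath(client_filename).name  # splits on '\\' and '/'
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).rstrip(".")
    if not name:
        raise UploadRejected("empty or dot-only file name")
    suffixes = {s.lower() for s in Path(name).suffixes}
    if not suffixes:
        raise UploadRejected("file name has no extension")
    if suffixes & SERVER_EXECUTABLE:
        raise UploadRejected(f"server-executable extension in {name!r}")
    if Path(name).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not allowlisted: {name!r}")
    root = Path(upload_root).resolve()
    target = (root / name).resolve()
    if root not in target.parents:  # defence in depth after the basename step
        raise UploadRejected("resolved path escapes the upload directory")
    return target


def is_accepted(upload_root: str, client_filename: str) -> bool:
    """Boolean wrapper around safe_save_path() for quick checks."""
    try:
        safe_save_path(upload_root, client_filename)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    root = "/srv/example-uploads"  # hypothetical upload directory
    print("vulnerable join escapes root:", escapes_root(root, "../wwwroot/x.aspx"))
    for candidate in ("report.pdf", "..\\..\\wwwroot\\shell.aspx", "shell.aspx.txt",
                      "shell.aspx.", "web.config", "README"):
        print(f"{candidate!r:34} accepted={is_accepted(root, candidate)}")
```

The containment check at the end is deliberately redundant with the basename step: if a later refactor reintroduces client-supplied directory parts, the resolve-and-compare still catches an escape, which is the kind of layered control that keeps a single missed check from becoming an unauthenticated write to the web root.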

Discovery

Not publicly attributed to an individual external researcher. The vulnerability appears to have been silently discovered and patched by SmarterTools in Build 9413 (October 9, 2025) before the Singapore CSA issued a public alert in late 2025. Horizon3.ai subsequently published attack research.

Exploitation Context

Confirmed active exploitation per CISA KEV listing (26 January 2026). An Iranian-linked group (Handala) has been associated with exploitation of this vulnerability. Full compromise of a SmarterMail server enables: access to all email traffic and stored messages, harvesting of user credentials from webmail sessions, repurposing the server as a spam/phishing relay, and lateral movement into internal networks via mail-integrated systems.

Remediation

  1. Upgrade SmarterMail to Build 9483 or later immediately — Build 9413 patches the specific vulnerability but Build 9483 (December 18, 2025) includes additional hardening; use the higher build as the minimum safe version.
  2. Check for existing compromise: search the SmarterMail web root and all SmarterMail directories for unexpected .aspx, .asp, .php, or script files deposited by attackers.
  3. Review IIS/SmarterMail logs for anomalous file upload requests, particularly requests that reference paths outside expected upload directories.
  4. Restrict SmarterMail web management access — the webmail and admin interfaces should be protected by IP allowlisting where possible; the underlying IIS server should not allow execution of uploaded content from user-accessible directories.
  5. Rotate all mail account credentials if compromise is suspected — all passwords and API keys accessible from the server should be considered compromised.
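A small hunting script for remediation steps 2 and 3: a sweep of a directory tree for script files that are not in a known-good baseline, and a pass over IIS W3C log lines that flags write requests carrying parent-directory references or a script extension in a parameter value. This is an added example, not SmarterTools' tooling. The sample log excerpt, the "/EXAMPLE-UPLOAD-ENDPOINT" path, the parameter name and the baseline are all constructed; the page does not name SmarterMail's real upload endpoint or parameters, so substitute what your own logs show.

```python
"""Post-exploitation hunting for the traces named in remediation steps 2 and 3.

Added example, not SmarterTools' tooling. SAMPLE_LOG, the endpoint name, the
baseline and the paths passed in __main__ are constructed for illustration.
"""
import os
from typing import Iterable, Iterator
from urllib.parse import parse_qsl, unquote

# Extensions IIS may hand to a script engine (constructed list; confirm against
# the host's own handler mappings).
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx", ".php", ".cshtml")
# Raw and percent-encoded forms of a parent-directory reference in a URI.
TRAVERSAL_MARKERS = ("../", "..\\", "..%2f", "..%5c", "%2e%2e")


# --- Step 2: unexpected script files under the web root -------------------

def find_unexpected_scripts(rel_paths: Iterable[str], baseline: set[str]) -> list[str]:
    """Return paths with a script extension that are absent from the baseline.

    baseline holds lower-case, forward-slash relative paths captured from a
    clean install of the same build; any other script file is a candidate
    web shell and needs manual review (and preservation before deletion).
    """
    hits = []
    for p in rel_paths:
        norm = p.replace("\\", "/").lower()
        if norm.endswith(SCRIPT_EXTENSIONS) and norm not in baseline:
            hits.append(p)
    return sorted(hits)


def scan_tree(root: str, baseline: set[str]) -> list[str]:
    """Walk a real directory (e.g. the SmarterMail web root) and apply the check."""
    rel = [os.path.relpath(os.path.join(d, f), root)
           for d, _subdirs, files in os.walk(root) for f in files]
    return find_unexpected_scripts(rel, baseline)


# --- Step 3: anomalous upload requests in IIS W3C logs --------------------

def parse_w3c(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per request, naming columns from the #Fields header."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def suspicious_upload_requests(lines: Iterable[str]) -> list[dict]:
    """Flag POST/PUT requests whose URI carries traversal or a script extension."""
    hits = []
    for rec in parse_w3c(lines):
        if rec.get("cs-method", "").upper() not in {"POST", "PUT"}:
            continue
        stem, query = rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "-")
        raw = f"{stem}?{query}".lower()
        decoded = unquote(unquote(raw))  # catch single- and double-encoded forms
        reasons = []
        if any(m in raw or m in decoded for m in TRAVERSAL_MARKERS):
            reasons.append("parent-directory reference in request")
        if query != "-":  # IIS logs '-' for an empty query string
            for _key, value in parse_qsl(query, keep_blank_values=True):
                if unquote(value).lower().endswith(SCRIPT_EXTENSIONS):
                    reasons.append(f"script extension in parameter value {value!r}")
        if reasons:
            hits.append({"time": f"{rec.get('date')} {rec.get('time')}",
                         "client": rec.get("c-ip"), "uri": f"{stem}?{query}",
                         "status": rec.get("sc-status"), "reasons": reasons})
    return hits


# Constructed IIS log excerpt; "/EXAMPLE-UPLOAD-ENDPOINT" stands in for the real path.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2026-01-20 03:14:07 10.0.0.5 GET / - 443 - 203.0.113.7 Mozilla/5.0 200 120
2026-01-20 03:14:09 10.0.0.5 POST /EXAMPLE-UPLOAD-ENDPOINT path=..%2F..%2Fwwwroot%2Fcmd.aspx 443 - 203.0.113.7 python-requests/2.31 200 45
2026-01-20 03:14:12 10.0.0.5 GET /cmd.aspx - 443 - 203.0.113.7 python-requests/2.31 200 30
2026-01-20 03:15:00 10.0.0.5 POST /EXAMPLE-UPLOAD-ENDPOINT name=report.pdf 443 alice 198.51.100.9 Mozilla/5.0 200 80
""".splitlines()

if __name__ == "__main__":
    for hit in suspicious_upload_requests(SAMPLE_LOG):
        print(hit)
    baseline = {"default.aspx"}  # hypothetical known-good file
    print(find_unexpected_scripts(["Default.aspx", "App_Data\\x.txt", "temp\\cmd.aspx"], baseline))
```

A flagged upload is worth correlating with what the same client requested next: in the constructed excerpt the traversal POST is followed three seconds later by a GET for the newly named .aspx file, which is the "request it via HTTP" step from the technical details and a strong sign the write succeeded. For the file sweep, build the baseline from a clean installation of the same build rather than from the suspect host, otherwise a planted file is silently whitelisted.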

Key Details

CVE ID: CVE-2025-52691
Vendor / Product: SmarterTools — SmarterMail
NVD Published: 2025-12-29
NVD Last Modified: 2026-01-27
CVSS 3.1 Score: 10
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-434
CISA KEV Added: 2026-01-26
CISA KEV Deadline: 2026-02-16
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2026-02-16. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date       | Event
2025-10-09 | SmarterMail Build 9413 released — quietly patching the vulnerability
2025-12-18 | SmarterMail Build 9483 released — recommended minimum safe build
2025-12-29 | CVE published
2026-01-26 | CISA adds to Known Exploited Vulnerabilities catalog; Singapore CSA issues maximum-severity alert
2026-02-16 | CISA BOD 22-01 remediation deadline