- SmarterMail patched CVE-2025-52691, a maximum severity RCE flaw that allows unauthenticated arbitrary file uploads
- The exploit could allow attackers to deploy web shells or malware, steal data, and delve into networks.
- No abuse has been confirmed in the wild yet, but unpatched servers remain prime targets once details of the exploit circulate.
Enterprise-grade email server software SmarterMail has just patched a maximum severity vulnerability that allowed threat actors to engage in remote code execution (RCE) attacks.
In a brief security advisory posted on the Singapore Cyber Security Agency (CSA) website, it was said that SmarterTools (the company behind SmarterMail) released a patch for CVE-2025-52691.
The National Vulnerability Database (NVD) does not describe the bug in detail, but says that a successful exploit “could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, which could allow remote code execution.”
A patch brings the tool to build 9413 and administrators are recommended to update as soon as possible.
Take control of servers
In theory, this means that an attacker without credentials or user interaction can send a specially crafted request to the server, which it then accepts and stores in its file system. Since the upload is not properly validated, the attacker can place files in directories where the server will execute or upload them.
This means that attackers could upload a web shell, malware, or a malicious script to take full control of the mail server. They can steal sensitive data, maintain persistent access, and even use the compromised server as an attack platform to delve deeper into the network.
Additionally, they can use compromised servers to carry out phishing and spam campaigns, or simply disrupt the availability of the service.
So far, there is no evidence that this is actually happening. There are no reports of abuse in the wild, and the US Cybersecurity and Infrastructure Security Agency (CISA) has not yet added it to its catalog of Known Exploited Vulnerabilities (KEV).
However, just because a patch is released doesn’t mean attacks won’t happen. Many cybercriminals use patches as notifications of existing vulnerabilities and then attack organizations that do not apply them on time (or at all).
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
