CVE-2025-52691
Published 2025-12-29
Priority: P1 · 100 · critical · 10 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2026-02-16
Exploited in the wild
EPSS: 85.46% (99.7th percentile)
Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| smartertools | smartermail | < 100.0.9413 | 100.0.9413 |
| smartertools | smartermail | — | — |
Detection & IOCs (extracted from sources)
- Detect mass automated exploitation by monitoring for rapid sequential HTTP POST requests to the SmarterMail API endpoints force-reset-password, authenticate-user, event-hook, domain-put and event-hook-delete, made in quick succession from the same source IP.
- Alert on HTTP POST requests to /api/v1/auth/force-reset-password from unauthenticated/anonymous sources, especially those targeting system administrator accounts.
- Hunt for the file result.txt written under the SmarterMail wwwroot directory, which the threat actor used to store reconnaissance command output.
- Flag HTTP requests bearing the User-Agent 'python-requests/2.32.4' targeting SmarterMail API endpoints, as this was the user-agent observed conducting the attacks.
- Check Point IPS signature 'SmarterMail Arbitrary File Upload (CVE-2025-52691)' can be used for network-level detection of exploitation attempts.
- CVE-2025-52691 exploitation involves uploading arbitrary files to web-accessible paths on the mail server; hunt for unexpected files (e.g., webshells) written under the SmarterMail wwwroot directory.
- Note: the IOC IP addresses and user-agent were observed in exploitation of CVE-2026-23760 (auth bypass/account takeover), not CVE-2025-52691 (arbitrary file upload). Both CVEs affect SmarterMail and are being exploited concurrently, but the listed IPs/UA are specifically attributed to CVE-2026-23760 attacks. Defenders should treat them as relevant to the broader SmarterMail attack campaign.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| vulncheck | — | 10.0 | CRITICAL | — |
| cisa | — | 10.0 | CRITICAL | — |
VulDB
SmarterTools SmarterMail unrestricted upload (EUVD-2025-205544 / Nessus ID 297222)
vuldb · 2026-04-21 · CVSS 10.0 · CRITICAL
A vulnerability was found in SmarterTools SmarterMail. It has been classified as critical. The impacted element is an unknown function. The manipulation leads to unrestricted upload.
This vulnerability is traded as CVE-2025-52691. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.
GHSA
GHSA-c9vj-8fwr-4gvq · ghsa_unreviewed · 2025-12-29 · CWE-434 · CRITICAL
Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.
VulnCheck
SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability
vulncheck · 2025 · CVSS 10.0 · CRITICAL · CWE-434
SmarterTools SmarterMail contains an unrestricted upload of file with dangerous type vulnerability that could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.
Affected: SmarterTools SmarterMail
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/; https://www.huntress.com/blog/smartermail-account-takeover-leading-to-rce; https://www.cisa.gov/s
CISA
SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability
cisa · 2026-01-26 · CVSS 10.0 · CRITICAL · CWE-434
Affected: SmarterTools SmarterMail
SmarterTools SmarterMail contains an unrestricted upload of file with dangerous type vulnerability that could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.smartertools.com/smartermail/release-notes/current ; https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-124/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-52691
Remediation Due Date: 2026-02-16
Suricata
ET WEB_SPECIFIC_APPS SmarterTools SmarterMail Arbitrary File Upload Attempt (CVE-2025-52691)
suricata · 2026-01-13 · CVSS 10.0 · CRITICAL
Rule:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SmarterTools SmarterMail Arbitrary File Upload Attempt (CVE-2025-52691)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/upload"; http.content_type; content:"multipart/form-data|3b|"; startswith; http.request_body; content:"|7b 22|guid|22 3a 22|dag"; fast_pattern; pcre:"/^[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,labs.watchtowr.com/do-smart-people-ever-say-theyre-smart-smartertools-smartermail-pre-auth-rce-cve-2025-52691/; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-52691.yaml; reference:cve,2025-52691;)
```
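The following is an added detection example, not code from this page or any of the sources it aggregates. It applies the indicators from the Detection & IOCs list and the traversal check of the Suricata rule above to captured HTTP requests: per-request scoring for a contextData `guid` carrying path traversal on `/api/upload`, anonymous hits on `/api/v1/auth/force-reset-password`, the campaign user-agent, and per-source-IP burst detection across the listed auth endpoints. The request record layout, field names, the non-`/api/upload` endpoint paths and the sample traffic are all constructed assumptions.

```python
"""Added detection example; not code from the page or its sources. It scores
captured SmarterMail HTTP requests against the indicators listed above. The
request records, their field names and the sample traffic are constructed."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoints the IOC list names as hit in quick succession from one source IP.
AUTH_ENDPOINTS = ("force-reset-password", "authenticate-user", "event-hook",
                  "domain-put", "event-hook-delete")
SUSPECT_UA = "python-requests/2.32.4"
# Two or more consecutive "./", "../" or "..\" segments, as the Suricata pcre checks.
TRAVERSAL_RE = re.compile(r"(?:\.{1,2}[\\/]+){2,}")


def guid_traversal(body):
    """Return the decoded 'guid' value from a contextData JSON if it carries traversal."""
    m = re.search(r'"guid"\s*:\s*"([^"]*)"', body)
    if not m:
        return None
    guid = unquote(unquote(m.group(1)))  # decode single- and double-encoded sequences
    return guid if TRAVERSAL_RE.search(guid) else None


def score_request(req):
    """Per-request indicators: upload traversal, anonymous password reset, campaign UA."""
    hits = []
    if (req["method"] == "POST" and req["uri"].startswith("/api/upload")
            and req.get("content_type", "").startswith("multipart/form-data")):
        guid = guid_traversal(req.get("body", ""))
        if guid:
            hits.append("CVE-2025-52691: traversal in contextData guid " + guid)
    if (req["method"] == "POST" and req["uri"].endswith("/api/v1/auth/force-reset-password")
            and not req.get("authenticated", False)):
        hits.append("unauthenticated force-reset-password (CVE-2026-23760 pattern)")
    if req.get("user_agent") == SUSPECT_UA:
        hits.append("campaign user-agent " + SUSPECT_UA)
    return hits


def burst_sources(reqs, window=60, threshold=3):
    """Source IPs that POST to the auth endpoints >= threshold times within `window` seconds."""
    by_ip = defaultdict(list)
    for r in reqs:
        if r["method"] == "POST" and r["uri"].rsplit("/", 1)[-1] in AUTH_ENDPOINTS:
            by_ip[r["src_ip"]].append(r["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(ip)
                break
    return flagged


# Constructed sample traffic; ts is seconds, IPs are RFC 5737 documentation addresses.
# Only /api/upload and /api/v1/auth/force-reset-password are paths taken from the page;
# the other endpoint paths below are assumed.
SAMPLE = [
    {"src_ip": "203.0.113.5", "ts": 100, "method": "POST", "uri": "/api/upload",
     "content_type": "multipart/form-data; boundary=x", "user_agent": SUSPECT_UA,
     "body": 'name="contextData"\r\n\r\n{"guid":"..%2F..%2F..%2Fwwwroot"}\r\n--x--'},
    {"src_ip": "198.51.100.9", "ts": 101, "method": "POST", "uri": "/api/upload",
     "content_type": "multipart/form-data; boundary=y", "user_agent": "Mozilla/5.0",
     "body": 'name="contextData"\r\n\r\n{"guid":"3f2a9c1e"}\r\n--y--', "authenticated": True},
    {"src_ip": "203.0.113.5", "ts": 200, "method": "POST", "uri": "/api/v1/auth/force-reset-password"},
    {"src_ip": "203.0.113.5", "ts": 202, "method": "POST", "uri": "/api/v1/auth/authenticate-user"},
    {"src_ip": "203.0.113.5", "ts": 205, "method": "POST", "uri": "/api/v1/settings/event-hook"},
]

if __name__ == "__main__":
    print([score_request(r) for r in SAMPLE], burst_sources(SAMPLE))
```

Note that a Suricata-style match on the raw body cannot see double-encoded sequences, which is why the helper decodes twice before testing; the burst window and threshold are tunable starting points rather than values from the sources.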
Metasploit
SmarterTools SmarterMail GUID File Upload Vulnerability
metasploit
This module exploits a pre-auth remote code execution vulnerability in SmarterTools SmarterMail before version 100.0.9413. The endpoint /api/upload fails to sanitize the contextData POST parameter which can contain JSON data with a "guid" key that allows directory traversal. By leveraging this vulnerability, an unauthenticated attacker can upload a malicious ASPX web shell to the server's web root directory, leading to remote code execution.
Nuclei
SmarterMail - Unrestricted File Upload
nuclei · CVSS 10.0 · CRITICAL
Mail server contains an unrestricted file upload vulnerability allowing unauthenticated attackers to upload arbitrary files to any location, potentially enabling remote code execution.
Template:
```yaml
id: CVE-2025-52691
info:
  name: SmarterMail - Unrestricted File Upload
  author: DhiyaneshDK,watchTowr
  severity: critical
  description: |
    Mail server contains an unrestricted file upload vulnerability allowing unauthenticated attackers to upload arbitrary files to any location, potentially enabling remote code execution.
  impact: |
    Unauthenticated attackers can upload arbitrary files, potentially leading to remote code execution and full server compromise.
  remediation: |
    Update to the latest version of the mail server.
  reference:
    - https://github.com/watchtowrl
```
Hackernews
## China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
blogs_hackernews · 2026-04-07 · CVSS 8.8 · HIGH
A China-based threat actor known for deploying Medusa ransomware has been linked to the weaponization of a combination of zero-day and N-day vulnerabilities to orchestrate "high-velocity" attacks and break into susceptible internet-facing systems.
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, the United Kingdom, and
Bleepingcomputer
## Microsoft links Medusa ransomware affiliate to zero-day attacks
blogs_bleepingcomputer · 2026-04-06 · CVSS 8.8 · HIGH
By Sergiu Gatlan
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States."
Microsoft has also observed Storm-1175 operators chaining multiple exploits to gain persistence on compromised systems by creating new user accounts, deploying remote monitoring and management software, stealing credentials, and disabling security software before dropping ransomware payloads.
In October, Microsoft reported that Storm-1175 had been exploiting a maximum-severity GoAnywhere MFT
Rapid7
Rapid7 Detection Coverage for Iran-Linked Cyber Activity
blogs_rapid7 · 2026-03-11
The tension arising out of the conflict in Iran is beginning to show signs of expanding beyond a strictly regional crisis. Following our recent published advisories, this communication is intended to outline and summarize the detection and enrichment coverage available to Rapid7 customers, broadly assess the macro cyber threat landscape, and demonstrate the specific actions undertaken within the Rapid7 portfolio to assure our customers of the protection they receive and can expect moving forward. For a research-driven companion piece from Rapid7 Labs, dive into Iran’s Cyber Playbook in the Escalating Regional Conflict.
## Tracking the campaigns associated with the current conflict
There exists a number of threat campaigns (both directly and indirectly) associated with groups associated w
Bleepingcomputer
## Over 6,000 SmarterMail servers exposed to automated hijacking attacks
blogs_bleepingcomputer · 2026-01-27 · CVSS 10.0 · CRITICAL
By Sergiu Gatlan
Nonprofit security organization Shadowserver has found over 6,000 SmarterMail servers exposed online and likely vulnerable to attacks exploiting a critical authentication bypass vulnerability.
Cybersecurity company watchTowr reported the security flaw to developer SmarterTools on January 8, which released a fix on January 15 without assigning an identifier.
The vulnerability was later assigned CVE-2026-23760 and rated critical severity, as it allows unauthenticated attackers to hijack admin accounts and gain remote code execution on the host, enabling them to take control of vulnerable servers.
"SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability
Huntress
Huntress Catches SmarterMail Account Takeover Leading to RCE
blogs_huntress · 2026-01-22 · CVSS 10.0 · CVE-2026-23760 · CRITICAL
## Background / Summary
The Huntress DE&TH (Detection Engineering and Threat Hunting) Team has observed in-the-wild exploitation of a privileged account takeover vulnerability (CVE-2026-23760) in SmarterTools' SmarterMail application that has resulted in successful remote code execution. Our testing has indicated that versions of SmarterMail prior to Build 9511 are vulnerable. Users of SmarterMail are urged to upgrade to the latest version, Build 9511, released on January 15, 2026.
Note that this is separate from the ongoing mass exploitation of CVE-2025-52691, an arbitrary file upload vulnerability in SmarterMail that also leads to remote code execution. At the time of writing Huntress contacted SmarterTools and held off publishing whilst CVE-2026-23760 was published as it was alread
Bleepingcomputer
## SmarterMail auth bypass flaw now exploited to hijack admin accounts
blogs_bleepingcomputer · 2026-01-22
By Bill Toulas
Hackers began exploiting an authentication bypass vulnerability in SmarterTools' SmarterMail email server and collaboration tool that allows resetting admin passwords.
An authentication bypass vulnerability in SmarterTools SmarterMail, which allows unauthenticated attackers to reset the system administrator password and obtain full privileges, is now actively exploited in the wild.
The issue resides in the force-reset-password API endpoint, which is intentionally exposed without authentication.
Researchers at cybersecurity company watchTowr reported the issue on January 8, and SmarterMail released a fix on January 15 without an identifier being assigned.
After the issue was addressed, the researcher
Checkpoint
## 12th January – Threat Intelligence Report
blogs_checkpoint · 2026-01-12 · CVSS 9.8 · CVE-2025-61882 · CRITICAL
For the latest discoveries in cyber research for the week of 12th January, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Manage My Health, New Zealand’s largest patient portal, has acknowledged a cyberattack occurred on December 2025, that potentially exposed data of nearly 110K users. An alleged attacker, dubbed Kazu, claimed responsibility and demanded a $60,000 ransom.
France’s Office for Immigration and Integration has confirmed data t
Wiz
## CVE-2026-24423: SmarterTools SmarterMail vulnerability analysis and mitigation
blogs_wiz · CVSS 10.0 · CRITICAL
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application.
Source: NVD
- Score: 9.3
- Published: January 23, 2026
- Severity: CRITICAL
- CNA Score: 9.3
- Affected Technologies: SmarterTools SmarterMail
- Has Public Exploit: Yes
- Has CISA KEV Exploit: Yes
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 98.5
- Exploitation Probability (EPSS): 66.4
- Affected packages and libraries: cpe:2.3:a:smartertools:smarterma
Wiz
## CVE-2025-52691: SmarterTools SmarterMail vulnerability analysis and mitigation
blogs_wiz · CVSS 10.0 · CRITICAL
Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.
Source: NVD
- Score: 10
- Published: December 29, 2025
- Severity: CRITICAL
- CNA Score: 10.0
- Affected Technologies: SmarterTools SmarterMail
- Has Public Exploit: Yes
- Has CISA KEV Exploit: Yes
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 99.4
- Exploitation Probability (EPSS): 87.3
- Affected packages and libraries: cpe:2.3:a:smartertools:smartermail
Sources:
- Windows · Severity CRITICAL · Has Fix · Added at: Jan 02, 2026
- Windows · Severity CRITICAL · Has Fix · Added at: Jan 04, 2026
Wiz
## CVE-2026-26930: SmarterTools SmarterMail vulnerability analysis and mitigation
blogs_wiz · CVSS 10.0 · CRITICAL
SmarterTools SmarterMail before 9526 allows XSS via MAPI requests.
Source: NVD
- Score: 7.2
- Published: February 16, 2026
- Severity: HIGH
- CNA Score: 7.2
- Affected Technologies: SmarterTools SmarterMail
- Has Public Exploit: Yes
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 2.3
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: cpe:2.3:a:smartertools:smartermail
Sources:
- NVD
- Windows · Severity HIGH · Has Fix · Added at: Feb 16, 2026
Wiz
## CVE-2026-25067: SmarterTools SmarterMail vulnerability analysis and mitigation
blogs_wiz · CVSS 10.0 · CRITICAL
SmarterTools SmarterMail versions prior to build 9518 contain an unauthenticated path coercion vulnerability in the background-of-the-day preview endpoint. The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation. On Windows systems, this allows UNC paths to be resolved, causing the SmarterMail service to initiate outbound SMB authentication attempts to attacker-controlled hosts. This can be abused for credential coercion, NTLM relay attacks, and unauthorized network authentication.
Source: NVD
- Score: 6.9
- Published: January 29, 2026
- Severity: MEDIUM
- CNA Score: 6.9
- Affected Technologies: SmarterTools SmarterMail
- Has Public Exploit: No
- Has CISA KEV
Wiz
## CVE-2026-23760: SmarterTools SmarterMail vulnerability analysis and mitigation
blogs_wiz · CVSS 10.0 · CRITICAL
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE: SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host.
Source
Recorded Future
# January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day
blogs_recorded_future · CVSS 4.9 · MEDIUM
January 2026 saw a modest 5% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 23 vulnerabilities requiring immediate remediation, up from 22 in December 2025. Noteworthy trends last month included Russian state-sponsored exploitation of a Microsoft Office zero-day and critical authentication bypass flaws affecting enterprise infrastructure.
What security teams need to know:
- APT28's Operation Neusploit: Russian state-sponsored actors exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files, delivering MiniDoor, PixyNetLoader, and Covenant Grunt implants
- Microsoft and SmarterTools lead concerns: These vendors accounte
2025-12-29: Published
2026-01-26: Added to CISA KEV
Exploited in the wild