CVE-2025-52691
published 2025-12-29


Priority: P1 (score 100, critical)
CVSS 3.1: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Tags: KEV, ITW, Exploit, Ransomware, Initial access
CISA Known Exploited Vulnerability (due 2026-02-16)
Exploited in the wild
EPSS: 85.46% (99.7th percentile)
Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.

Affected (2 ranges)

Vendor       | Product     | Version range | Fixed in
smartertools | smartermail | < 100.0.9413  | 100.0.9413
smartertools | smartermail |               |

Detection & IOCs (extracted from sources)

path: C:\Program Files (x86)\SmarterTools\SmarterMail\Service\wwwroot\result.txt
url: /api/v1/auth/force-reset-password
url: /api/v1/auth/authenticate-user
url: /api/v1/settings/sysadmin/event-hook
url: /api/v1/settings/sysadmin/domain-put
url: /api/v1/settings/sysadmin/domain-delete/google.abc.com/true
url: /api/v1/settings/sysadmin/event-hook-delete
  • Detect mass automated exploitation by monitoring for rapid, sequential HTTP POST requests from a single source IP to the SmarterMail API endpoints force-reset-password, authenticate-user, event-hook, domain-put and event-hook-delete within a short time window.
  • Alert on HTTP POST requests to /api/v1/auth/force-reset-password from unauthenticated or anonymous sources, especially when the target is a system administrator account.
  • Hunt for the file result.txt under the SmarterMail wwwroot directory; the threat actor used it to store the output of reconnaissance commands.
  • Flag HTTP requests to SmarterMail API endpoints that carry the User-Agent 'python-requests/2.32.4', the user agent observed conducting the attacks. Treat it as a low-confidence indicator on its own, since it is a default library string that any python-requests client of that version sends.
  • The Check Point IPS signature 'SmarterMail Arbitrary File Upload (CVE-2025-52691)' provides network-level detection of exploitation attempts.
  • Exploitation of CVE-2025-52691 uploads arbitrary files to web-accessible paths on the mail server; hunt for unexpected files (for example webshells) written under the SmarterMail wwwroot directory.
  • Attribution caveat: the IOC IP addresses and user agent above were observed in exploitation of CVE-2026-23760 (authentication bypass/account takeover), not of CVE-2025-52691 (arbitrary file upload). Both CVEs affect SmarterMail and are being exploited concurrently, but the listed IPs and user agent are specifically attributed to the CVE-2026-23760 attacks. Defenders should treat them as relevant to the broader SmarterMail attack campaign rather than as proof of CVE-2025-52691 exploitation.
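The first, second and fourth detection bullets above describe log-based rules: a burst of POSTs to the listed API endpoints from one source, any POST to force-reset-password, and the python-requests user agent against the API. The script below implements all three over sample access-log lines. It is an added example, not code from this page, from SmarterTools or from any vendor cited here. The combined-log line format, the regex, the sample lines (with documentation-range addresses 203.0.113.7 and 198.51.100.20) and the burst threshold of five watched-endpoint POSTs within ten seconds are all assumptions; adapt the parser to whatever access log your SmarterMail front end actually writes.

```python
"""Detect the SmarterMail API request patterns from the detection bullets.

Added example, not SmarterTools code. The log format (Apache/NGINX-style
combined log), the sample lines and the burst tuning are constructed
assumptions; an access log cannot show whether a caller was authenticated,
so the force-reset rule fires on any POST to that path.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints named in the first detection bullet (paths as listed on the page).
WATCHED_ENDPOINTS = {
    "/api/v1/auth/force-reset-password",
    "/api/v1/auth/authenticate-user",
    "/api/v1/settings/sysadmin/event-hook",
    "/api/v1/settings/sysadmin/domain-put",
    "/api/v1/settings/sysadmin/event-hook-delete",
}
FORCE_RESET = "/api/v1/auth/force-reset-password"
SUSPECT_UA = "python-requests/2.32.4"   # user agent observed in the campaign
BURST_COUNT = 5                         # assumed tuning: >= 5 watched POSTs ...
BURST_WINDOW = timedelta(seconds=10)    # ... within 10 s from one source IP

# Assumed combined-log layout: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]   # ignore any query string
    return rec


def has_burst(stamps):
    """Sliding window over sorted timestamps: BURST_COUNT hits within BURST_WINDOW."""
    start = 0
    for end, ts in enumerate(stamps):
        while ts - stamps[start] > BURST_WINDOW:
            start += 1
        if end - start + 1 >= BURST_COUNT:
            return True
    return False


def detect(lines):
    """Return {rule_name: sorted list of source IPs} for the three log-based rules."""
    hits = {"force_reset_post": set(), "suspect_ua": set(), "burst": set()}
    watched_posts = defaultdict(list)   # source IP -> timestamps of watched POSTs
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == FORCE_RESET:
            hits["force_reset_post"].add(rec["ip"])
        if rec["path"].startswith("/api/v1/") and SUSPECT_UA in rec["ua"]:
            hits["suspect_ua"].add(rec["ip"])
        if rec["method"] == "POST" and rec["path"] in WATCHED_ENDPOINTS:
            watched_posts[rec["ip"]].append(rec["ts"])
    for ip, stamps in watched_posts.items():
        if has_burst(sorted(stamps)):
            hits["burst"].add(ip)
    return {name: sorted(ips) for name, ips in hits.items()}


# Constructed sample log: one scripted attack sequence, then one ordinary login.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Dec/2025:10:00:00 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 87 "-" "python-requests/2.32.4"',
    '203.0.113.7 - - [29/Dec/2025:10:00:01 +0000] "POST /api/v1/auth/authenticate-user HTTP/1.1" 200 412 "-" "python-requests/2.32.4"',
    '203.0.113.7 - - [29/Dec/2025:10:00:02 +0000] "POST /api/v1/settings/sysadmin/event-hook HTTP/1.1" 200 60 "-" "python-requests/2.32.4"',
    '203.0.113.7 - - [29/Dec/2025:10:00:03 +0000] "POST /api/v1/settings/sysadmin/domain-put HTTP/1.1" 200 60 "-" "python-requests/2.32.4"',
    '203.0.113.7 - - [29/Dec/2025:10:00:04 +0000] "POST /api/v1/settings/sysadmin/event-hook-delete HTTP/1.1" 200 60 "-" "python-requests/2.32.4"',
    '198.51.100.20 - - [29/Dec/2025:10:05:12 +0000] "POST /api/v1/auth/authenticate-user HTTP/1.1" 200 412 "https://mail.example.com/interface/root" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '198.51.100.20 - - [29/Dec/2025:10:05:13 +0000] "GET /interface/root HTTP/1.1" 200 9020 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]

if __name__ == "__main__":
    for rule, ips in detect(SAMPLE_LOG).items():
        print(f"{rule}: {', '.join(ips) or '-'}")
```

The single normal login from 198.51.100.20 hits a watched endpoint but never reaches the burst threshold and carries a browser user agent, so only the scripted source trips the rules. Bear the attribution caveat in mind when triaging hits: these rules catch the account-takeover traffic associated with CVE-2026-23760; confirming CVE-2025-52691 still requires the file-system hunt under wwwroot.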

CVSS provenance

nvd: v3.1 10.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
vulncheck: 10.0 CRITICAL
cisa: 10.0 CRITICAL