
SmarterMail servers running builds prior to 9413 expose organizations to unauthenticated arbitrary file upload leading to remote code execution. Attackers can drop web shells anywhere on the server, turning mail infrastructure into command-and-control nodes.
Vulnerability Breakdown
CVE-2025-52691 stems from a .NET file upload handler lacking authorization and validation, allowing POST requests to place files in arbitrary paths like /App_Data/ or web roots. Once uploaded, ASPX shells or binaries execute under the SmarterMail service account, enabling data exfiltration, lateral movement, or crypto-mining. The endpoint processes multipart/form-data without checking ownership, extensions, or authentication.
Scope and Impact
- Affected versions: SmarterMail Build 9406 and earlier; fixed in Build 9413 (Oct 9, 2025), latest 9483 (Dec 18, 2025).
- Attack surface: Thousands of internet-facing SmarterMail instances; the absence of authentication lowers the barrier to mass scanning and exploitation [2][9][6][10]. No in-the-wild exploitation has been confirmed yet, but the EPSS score indicates a rising probability.
Detection and Response
Hunt for indicators including anomalous file uploads in IIS/SmarterMail logs, new .aspx/.exe in /App_Data/ or web dirs, and outbound C2 from mail servers.
- Query IIS logs: SELECT * FROM Log WHERE cs-uri-stem LIKE '%upload%' OR (sc-status=200 AND cs-uri-stem LIKE '%.aspx')
- File integrity: Inventory paths outside expected uploads for timestamps post-Dec 2025.
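The two hunts above, log review and file inventory, worked through as an added example (not code from the advisory or from SmarterTools). It parses IIS W3C log lines using the #Fields header, flags POSTs to upload URIs and 200 responses for server-side executables under /App_Data/, correlates the two per client IP within a time window, and lists recently written executables from a file inventory. The log lines, the file entries, the upload URI and the web-root path are constructed placeholders; the real SmarterMail upload endpoint and install path are not given on this page.

```python
"""Hunt IIS W3C logs and the web tree for the indicators listed above (added example)."""
import os
from datetime import datetime, timedelta
from pathlib import Path, PurePosixPath

# Server-side file types that should never be newly written under /App_Data/ or upload paths.
SUSPICIOUS_EXTS = {".aspx", ".ashx", ".asmx", ".exe", ".dll"}

# Constructed sample of IIS W3C log lines; the upload URI is a placeholder, not the real endpoint.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2025-12-20 10:00:01 203.0.113.5 GET /interface/root - 200 Mozilla/5.0+(Windows)
2025-12-20 10:00:05 203.0.113.9 POST /UPLOAD-ENDPOINT-PLACEHOLDER - 200 python-requests/2.31
2025-12-20 10:00:07 203.0.113.9 GET /App_Data/cmd.aspx - 200 python-requests/2.31
2025-12-20 10:01:00 198.51.100.7 GET /interface/login - 200 Mozilla/5.0+(Windows)
"""

# Constructed file inventory (path, last-modified) and the baseline date to compare against.
BASELINE = datetime(2025, 12, 1)
SAMPLE_TREE_ENTRIES = [
    ("C:/WEBROOT-PLACEHOLDER/App_Data/cmd.aspx", datetime(2025, 12, 20, 10, 0, 6)),
    ("C:/WEBROOT-PLACEHOLDER/App_Data/settings.json", datetime(2025, 12, 20, 10, 0, 6)),
    ("C:/WEBROOT-PLACEHOLDER/interface/login.aspx", datetime(2025, 6, 1)),
]


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; a real hunt should count and report these
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def is_executable_in_app_data(uri_stem):
    """True for a server-side executable requested from /App_Data/ (case-insensitive)."""
    p = PurePosixPath(uri_stem.lower())
    return p.suffix in SUSPICIOUS_EXTS and p.parts[:2] == ("/", "app_data")


def hunt(records, window=timedelta(minutes=10)):
    """Return (kind, client_ip, uri, timestamp) findings.

    kinds: upload_post (POST to an upload URI), executable_served (200 for an
    executable under /App_Data/), upload_then_execute (both from one client
    within `window`, the strongest indicator)."""
    findings, uploads = [], {}
    for r in records:
        stem, ip = r["cs-uri-stem"], r["c-ip"]
        if r["cs-method"] == "POST" and "upload" in stem.lower():
            uploads.setdefault(ip, []).append(r["ts"])
            findings.append(("upload_post", ip, stem, r["ts"]))
        if r["sc-status"] == "200" and is_executable_in_app_data(stem):
            kind = "executable_served"
            if any(timedelta(0) <= r["ts"] - t <= window for t in uploads.get(ip, [])):
                kind = "upload_then_execute"
            findings.append((kind, ip, stem, r["ts"]))
    return findings


def flag_recent_executables(entries, since, exts=SUSPICIOUS_EXTS):
    """File-integrity check: paths with a watched extension modified after `since`."""
    return sorted(p for p, mtime in entries if Path(p).suffix.lower() in exts and mtime > since)


def walk_tree(root):
    """Yield (path, mtime) for every file under `root`; feed the result to flag_recent_executables."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield full, datetime.fromtimestamp(os.path.getmtime(full))


if __name__ == "__main__":
    for finding in hunt(parse_w3c(SAMPLE_IIS_LOG)):
        print(*finding)
    for path in flag_recent_executables(SAMPLE_TREE_ENTRIES, BASELINE):
        print("recently written executable:", path)
```

On a live server, replace SAMPLE_IIS_LOG with the contents of the IIS log directory and feed walk_tree(web_root) into flag_recent_executables with a baseline taken from the last known-good deployment. The correlation window matters: a POST to an upload URI on its own is routine mail-client traffic, while the same client fetching a fresh .aspx from /App_Data/ seconds later is the pattern the advisory describes.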
Remediation Roadmap
Upgrade to Build 9413+ immediately – vendor added auth checks, extension whitelisting, and path restrictions.
Interim hardening:
- IIS Request Filtering: Block /App_Data/*.aspx, deny verbs except GET/HEAD on upload endpoints.
- WAF rules: Reject oversized multipart POSTs or suspicious filenames to upload paths.
- Network: Restrict SmarterMail web ports (default 8090/443) to trusted IPs until patched.
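The checks the vendor fix added (authentication, extension allowlisting, path restriction) and the WAF rule above (oversized multipart POSTs, suspicious filenames) as one added example in Python; this is not SmarterMail's handler or any vendor code, and it shows the validation the vulnerable endpoint lacked rather than how the product implements it. The session header name, the size cap, the extension allowlist, the upload root and the sample requests are all assumptions constructed for the example.

```python
"""WAF-style pre-check for a multipart upload request (added example, assumptions noted inline)."""
import os
import re
from pathlib import PurePath

MAX_UPLOAD_BYTES = 25 * 1024 * 1024          # assumed cap; align with the real attachment policy
ALLOWED_EXTS = {".pdf", ".png", ".jpg", ".txt", ".zip"}   # assumed allowlist; .aspx/.exe never pass
UPLOAD_ROOT = "/var/UPLOAD-ROOT-PLACEHOLDER"  # placeholder, not SmarterMail's real upload path

_FILENAME_RE = re.compile(rb'filename="([^"]*)"')


def multipart_filenames(content_type, body):
    """Return the filenames declared in a multipart/form-data body (minimal parser, CRLF parts)."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return []
    delim = b"--" + m.group(1).encode()
    names = []
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):
            break  # closing delimiter reached
        head, _, _ = part.partition(b"\r\n\r\n")
        fm = _FILENAME_RE.search(head)
        if fm:
            names.append(fm.group(1).decode("utf-8", "replace"))
    return names


def safe_destination(filename):
    """Map a client-supplied name to a path under UPLOAD_ROOT, or None if it cannot be contained."""
    base = PurePath(filename.replace("\\", "/")).name  # keep only the final component
    if base in ("", ".", ".."):
        return None
    root = os.path.realpath(UPLOAD_ROOT)
    dest = os.path.realpath(os.path.join(root, base))
    if os.path.commonpath([root, dest]) != root:
        return None  # the path restriction the vulnerable handler lacked
    return dest


def check_upload(headers, body):
    """Return (allowed, reason). `headers` uses lower-case keys, `body` is the raw request body."""
    # 1. Authentication: the vulnerable endpoint accepted anonymous POSTs (header name is assumed).
    if not headers.get("x-session-token"):
        return False, "unauthenticated"
    ctype = headers.get("content-type", "")
    if not ctype.startswith("multipart/form-data"):
        return False, "not multipart"
    # 2. Size cap, checked on the declared length and the bytes actually received.
    if int(headers.get("content-length", len(body))) > MAX_UPLOAD_BYTES or len(body) > MAX_UPLOAD_BYTES:
        return False, "oversized"
    names = multipart_filenames(ctype, body)
    if not names:
        return False, "no file part"
    for name in names:
        # 3. Suspicious filenames: directory parts, traversal, control characters, IIS ';' tricks.
        if any(tok in name for tok in ("/", "\\", "..", ";")) or any(ord(c) < 32 for c in name):
            return False, f"suspicious filename: {name!r}"
        # 4. Extension allowlist: server-side executables are never accepted.
        if PurePath(name).suffix.lower() not in ALLOWED_EXTS:
            return False, f"extension not allowed: {name}"
        if safe_destination(name) is None:
            return False, "destination outside upload root"
    return True, "ok"


def _multipart(boundary, filename, content):
    """Build a constructed single-part multipart/form-data body for the samples below."""
    head = (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; filename="{filename}"\r\n'
            f"Content-Type: application/octet-stream\r\n\r\n").encode()
    return head + content + f"\r\n--{boundary}--\r\n".encode()


BOUNDARY = "----constructedBoundary123"
GOOD_HEADERS = {"x-session-token": "example-token",
                "content-type": f"multipart/form-data; boundary={BOUNDARY}"}
GOOD_BODY = _multipart(BOUNDARY, "report.pdf", b"%PDF-1.4 constructed sample")
BAD_BODY = _multipart(BOUNDARY, "../App_Data/cmd.aspx", b"not-a-real-payload")

if __name__ == "__main__":
    print(check_upload(GOOD_HEADERS, GOOD_BODY))
    print(check_upload({}, GOOD_BODY))
    print(check_upload(GOOD_HEADERS, BAD_BODY))
```

The order of the checks is deliberate: the authentication and size decisions are made from headers alone, before any of the body is parsed, so an anonymous or oversized POST costs the server nothing. Filename checks run on the raw client string before normalisation, so traversal and directory components are rejected outright rather than silently stripped; safe_destination is the last line of defence for whatever survives.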
Vendor and Disclosure Timeline
- Reserved: June 19, 2025
- Published: Dec 28-29, 2025 by Singapore CSA; credited to CSIT researcher Chua Meng Han.
- Patch: SmarterTools Build 9413 (Oct 2025), coordinated disclosure.