- SmarterMail has fixed CVE-2025-52691, a maximum severity RCE vulnerability that allows arbitrary file uploads without authentication.
- Exploitation could allow attackers to deploy web shells or malware, steal data, and penetrate deeper into networks.
- There are no confirmed cases of abuse yet, but unpatched servers remain prime targets as details of the exploit spread.
SmarterMail, a business-class e-mail server product, has just patched a maximum-severity vulnerability that could allow attackers to carry out remote code execution (RCE) attacks.
A brief security alert posted on the Cyber Security Agency of Singapore (CSA) website stated that SmarterTools (the company behind SmarterMail) has released a patch for CVE-2025-52691.
The National Vulnerability Database (NVD) does not describe the bug in detail, but states that successful exploitation “could allow an unauthenticated attacker to upload arbitrary files anywhere on the mail server, potentially allowing remote code execution.”
The patch brings the tool to build 9413, and administrators are advised to update as soon as possible.
Server takeover
In practice, this means that an attacker with no credentials and no user interaction could send a specially crafted request to the server, which accepts the uploaded file and stores it on its file system. Because the upload is not properly validated, an attacker can place the files in directories from which the server will execute or serve them.
This means that attackers could upload a web shell, malware or a malicious script to gain complete control over the mail server. They could steal sensitive data, maintain persistent access, and even use the compromised server as a staging point to penetrate deeper into the network.
In addition, they can use compromised servers to conduct phishing and spam campaigns or simply disrupt the availability of services.
There is no evidence yet that this is actually happening: there are no reports of in-the-wild abuse, and the US Cybersecurity and Infrastructure Security Agency (CISA) has not yet added it to its Known Exploited Vulnerabilities (KEV) catalog.
However, the release of a patch does not mean that attacks will not occur. Many cybercriminals treat patches as announcements of existing vulnerabilities and then target organizations that do not install them on time (or at all).