Critical Remote Code Execution Vulnerability in SmarterMail
A critical remote code execution (RCE) vulnerability, tracked as CVE-2025-52691, has been identified in SmarterMail, affecting Build 9406 and earlier. This flaw allows unauthenticated attackers to upload arbitrary files to any location on the mail server, enabling them to execute remote code and potentially gain full control over compromised systems. The vulnerability has been assigned a CVSS score of 10.0, indicating maximum severity, and poses a significant risk of unauthorized access, data exfiltration, malware deployment, and lateral movement within affected networks. SmarterTools has released Build 9413 to address this issue, and immediate patching is strongly advised to mitigate the threat.
The vulnerability was discovered by Chua Meng Han from the Centre for Strategic Infocomm Technologies (CSIT), with responsible disclosure coordinated by the Cyber Security Agency (CSA) of Singapore. Security advisories from both SmarterTools and the Canadian Centre for Cyber Security urge all users and administrators to verify their SmarterMail version and apply the update to Build 9413 or later without delay. Failure to patch leaves organizations exposed to active exploitation and potential compromise of sensitive email communications and infrastructure.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Singapore CSA issues high-priority alert on SmarterMail RCE flaw
The Cyber Security Agency of Singapore publicly warned about CVE-2025-52691, describing it as a critical unauthenticated remote code execution vulnerability with a CVSS score of 10.0. CSA urged organizations to update immediately and noted that no active exploitation had been confirmed at the time of disclosure.
Canada's Cyber Centre publishes advisory urging immediate updates
The Canadian Centre for Cyber Security published advisory AV25-866 warning that the SmarterMail vulnerability could compromise affected systems and recommending immediate upgrades to Build 9413 or later. The advisory reinforced the urgency of patching for users running Build 9406 and earlier.
SmarterMail Build 9483 becomes latest available version
By 2025-12-18, Build 9483 was identified as the latest SmarterMail release following the earlier security fix in Build 9413. References note it as a current version organizations could use when upgrading from vulnerable builds.
SmarterTools releases Build 9413 to fix CVE-2025-52691
On 2025-10-09, SmarterTools released SmarterMail Build 9413 to remediate the critical vulnerability affecting Build 9406 and earlier. The update addressed a maximum-severity issue that could allow full compromise of vulnerable mail servers.
Researcher Chua Meng Han discovers and responsibly reports SmarterMail flaw
Chua Meng Han of CSIT identified the critical SmarterMail vulnerability later assigned CVE-2025-52691 and reported it through a coordinated disclosure process involving the Cyber Security Agency of Singapore and SmarterTools. The flaw affects SmarterMail Build 9406 and earlier and enables unauthenticated arbitrary file upload leading to remote code execution.
Sources
CVE-2025-52691: Critical Unauthenticated RCE in SmarterMail
thecyberthrone.in
Singapore CSA Warns of Critical SmarterMail Flaw Enabling Unauthenticated Remote Code Execution
thecyberexpress.com
Singapore CSA warns of maximun severity SmarterMail RCE flaw
securityaffairs.com
Critical Vulnerability in SmarterMail Let Attackers Execute Remote Code
cybersecuritynews.com
SmarterTools security advisory (AV25-866)
cyber.gc.ca


