SmarterMail Flaws Expose Email Servers to Authentication Bypass and RCE
Multiple severe vulnerabilities in SmarterMail exposed internet-facing mail servers to compromise, including CVE-2025-52691, an unauthenticated arbitrary file upload flaw that can lead to immediate remote code execution, and CVE-2026-23760, an authentication bypass tied to the password reset API. Public reporting said CVE-2025-52691 affected Build 9406 and earlier, carried a CVSS 10.0 rating, and allowed attackers with network access to place files in arbitrary server locations and execute code with the privileges of the SmarterMail service.
Advisories from Censys highlighted both issues, while a public GitHub proof-of-concept for CVE-2026-23760 increased the risk of opportunistic exploitation. SmarterTools reportedly fixed the file upload vulnerability in Build 9413, with later builds available afterward, and security reporting warned that successful compromise of a mail gateway could expose customer email, credentials, and connected backend systems. The flaws were described as especially dangerous for hosting providers and organizations running exposed SmarterMail instances because they enable unauthenticated access paths that can quickly escalate to full server compromise.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Advisory issued for SmarterMail authentication bypass CVE-2026-23760
A January 27 advisory documented CVE-2026-23760 as a SmarterMail authentication bypass issue. The advisory was later referenced by Censys.
PoC repository published for SmarterMail CVE-2026-23760
A GitHub repository was published for CVE-2026-23760, describing an authentication bypass in SmarterMail via the password reset API. This made public exploit-related material available for the vulnerability.
CVE-2025-52691 advisory highlights critical SmarterMail RCE risk
An advisory dated December 30 described CVE-2025-52691 as a critical unauthenticated arbitrary file upload vulnerability in SmarterMail, noting it was trivial to exploit and had not been publicly reported as actively exploited at that time. The issue was credited to Chua Meng Han of Singapore's CSIT and was also highlighted in a Cyber Security Agency of Singapore alert.
SmarterTools releases SmarterMail Build 9413 to fix CVE-2025-52691
SmarterTools fixed the unauthenticated arbitrary file upload vulnerability CVE-2025-52691 in SmarterMail Build 9413. The flaw affected Build 9406 and earlier and could allow remote code execution.
Sources
4 references tracked. Mallory keeps watching after this page renders.
December 30 Advisory: SmarterMail Unauthenticated Arbitrary File Upload Vulnerability Allows RCE [CVE-2025-52691] - Censys
censys.com
Open sourceJanuary 27 Advisory: SmarterMail Authentication Bypass [CVE-2026-23760] - Censys
censys.com
Open sourceGitHub - MaxMnMl/smartermail-CVE-2026-23760-poc: CVE-2026-23760 - An authentication bypass via password reset API in SmarterMail. · GitHub
github.com
Open sourceSmarterTools SmarterMail CVE-2025-52691: Unauthenticated Arbitrary File Upload Enables Remote Code Execution on Email Gateways - Cyberwarzone
cyberwarzone.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
SmarterMail Unauthenticated File Upload RCE (CVE-2025-52691) Exposes Thousands of Internet-Facing Servers
A critical SmarterTools *SmarterMail* vulnerability, **CVE-2025-52691**, enables **remote code execution (RCE)** via an **unauthenticated arbitrary file upload** condition (CWE-434). The issue affects SmarterMail **Build 9406 and earlier** and is fixed in **Build 9413 and later**; the NVD lists a **CVSS v3.1 score of 10.0** (`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`). Successful exploitation can allow full server compromise, including webshell deployment, data theft, and lateral movement under the service’s privileges. Internet-wide scanning reported **8,001 likely vulnerable IPs** out of **18,783** exposed SmarterMail instances (about **42.6%** failing checks), with the largest concentration in the **United States (~5,000)** followed by the **UK** and **Malaysia**. **Public proof-of-concept exploit code** is available, increasing the likelihood of opportunistic exploitation against unpatched, internet-facing deployments; multiple national agencies reportedly issued advisories following disclosure in late December 2025.
Mar 21, 2026
Critical Remote Code Execution Vulnerability in SmarterMail
A critical remote code execution (RCE) vulnerability, tracked as CVE-2025-52691, has been identified in SmarterMail, affecting Build 9406 and earlier. This flaw allows unauthenticated attackers to upload arbitrary files to any location on the mail server, enabling them to execute remote code and potentially gain full control over compromised systems. The vulnerability has been assigned a CVSS score of 10.0, indicating maximum severity, and poses a significant risk of unauthorized access, data exfiltration, malware deployment, and lateral movement within affected networks. SmarterTools has released Build 9413 to address this issue, and immediate patching is strongly advised to mitigate the threat. The vulnerability was discovered by Chua Meng Han from the Centre for Strategic Infocomm Technologies (CSIT), with responsible disclosure coordinated by the Cyber Security Agency (CSA) of Singapore. Security advisories from both SmarterTools and the Canadian Centre for Cyber Security urge all users and administrators to verify their SmarterMail version and apply the update to Build 9413 or later without delay. Failure to patch leaves organizations exposed to active exploitation and potential compromise of sensitive email communications and infrastructure.
Mar 21, 2026
Active Exploitation of SmarterMail Authentication Bypass Leading to Admin Takeover and RCE
Internet-wide scanning identified **6,000+ SmarterTools SmarterMail** servers exposed online and likely vulnerable to **CVE-2026-23760**, a **critical authentication bypass** in the password reset API that enables **unauthenticated admin account takeover** and can lead to **remote code execution**. The flaw affects SmarterMail versions prior to **build 9511** and abuses the `/api/v1/auth/force-reset-password` (aka `force-reset-password`) endpoint, which allows anonymous password resets for administrator accounts without validating the existing password or requiring a reset token. SmarterTools issued a fix on **January 15, 2026** (later assigned CVE-2026-23760), and Shadowserver reported large-scale exposure with thousands of instances flagged as “likely vulnerable,” including heavy concentration in North America and additional exposure in Asia. Multiple sources reported **active exploitation** shortly after patch availability, with observed attacker behavior consistent with automated hijacking: resetting admin credentials, obtaining authenticated access, and then leveraging SmarterMail administrative capabilities to execute OS-level commands. Huntress reported attackers creating malicious **System Events** to run reconnaissance commands and establish persistence, while watchTowr (which reported the issue to SmarterTools) received additional reports of exploitation in production environments. The reporting also notes this disclosure follows closely after another critical pre-auth SmarterMail issue (**CVE-2025-52691**), reinforcing that unpatched, internet-exposed SmarterMail deployments are being actively targeted.
Mar 21, 2026