December 29, 2025
Critical Vulnerability in SmarterMail (CVE-2025-52691)
On December 28, 2025, NIST published a critical file upload vulnerability affecting the SmarterTools SmarterMail server. The flaw, documented as CVE-2025-52691, carries the maximum CVSS score of 10 and allows remote, unauthenticated attackers to upload malicious files to the mail server, potentially leading to remote code execution.
Executive Summary
This vulnerability could enable exfiltration of sensitive data and compromise of the system, which could then be used to facilitate further attacks against affected organizations. Shortly after the vulnerability was published, proof-of-concept exploit code was also publicly released.
Because mail servers are typically exposed directly to the internet to handle email traffic, Beazley Security recommends organizations patch immediately.
Affected Systems or Products
Product | Affected Versions | Fixed Versions
SmarterTools SmarterMail | Build 9406 and earlier | Build 9413 or later
Mitigations / Workarounds
No mitigations or workarounds have been made available by SmarterTools at the time of this advisory; however, security updates have been released to address this vulnerability.
Given the internet-facing nature of these appliances and the criticality of the vulnerability, updating to SmarterMail Build 9413 or later is strongly recommended.
Patches
Patches addressing CVE-2025-52691 are available in Build 9413 or later. Organizations should install the security updates as soon as possible. Release notes have been published on the SmarterTools website, and new software downloads are made available here.
Indicators of Compromise
At the time of this writing, SmarterTools has not officially released any indicators of compromise, and there are no public reports of exploitation in the wild. However, because the vulnerability allows malicious file uploads, BSL recommends checking for signs of compromise by reviewing the directories hosting the SmarterMail server for unexpected or malicious files, and by reviewing web server logs for suspicious POST requests to SmarterMail-hosted web portals, in particular to the following endpoints:
/api/upload
/api/v1/upload
/Interface/Frmx/UploadFile.aspx
/MRS/Upload.ashx
/Services/Upload.ashx
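The log review recommended above can be scripted. The following is an added example written for this advisory, not code from SmarterTools or from the proof of concept: it parses IIS W3C extended-format web logs (the assumption being that the SmarterMail web interface is fronted by IIS, which writes a `#Fields:` header naming each column) and flags every POST or PUT to the five upload endpoints listed above, after normalizing the path so that case and duplicate-slash variations do not slip past the match. Addresses of trusted internal clients can be excluded with the `allowed_ips` parameter. The log lines and IP addresses in `SAMPLE_LOG` are constructed for illustration.

```python
"""Hunt IIS W3C extended logs for write requests to the SmarterMail upload
endpoints named in the CVE-2025-52691 advisory (added example, not vendor code)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional

# Endpoints listed in the advisory, stored in normalized (lower-case) form.
UPLOAD_ENDPOINTS = {
    "/api/upload",
    "/api/v1/upload",
    "/interface/frmx/uploadfile.aspx",
    "/mrs/upload.ashx",
    "/services/upload.ashx",
}
WRITE_METHODS = {"POST", "PUT"}


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    method: str
    path: str
    status: int
    user_agent: str


def normalize_path(path: str) -> str:
    """Drop the query string, collapse repeated slashes, lower-case, strip trailing slash."""
    path = path.split("?", 1)[0]
    path = re.sub(r"/+", "/", path).lower()
    return path.rstrip("/") or "/"


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per log record, using the most recent #Fields header as the keys."""
    fields: Optional[List[str]] = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed record; skip rather than misalign columns
        yield dict(zip(fields, values))


def find_upload_hits(lines: Iterable[str], allowed_ips: frozenset = frozenset()) -> List[Hit]:
    """Return POST/PUT requests to the advisory's upload endpoints from non-allowlisted IPs."""
    hits: List[Hit] = []
    for row in parse_w3c(lines):
        method = row.get("cs-method", "").upper()
        if method not in WRITE_METHODS:
            continue
        path = normalize_path(row.get("cs-uri-stem", ""))
        if path not in UPLOAD_ENDPOINTS:
            continue
        ip = row.get("c-ip", "")
        if ip in allowed_ips:
            continue
        hits.append(Hit(
            timestamp=f"{row.get('date', '')} {row.get('time', '')}",
            client_ip=ip,
            method=method,
            path=path,
            status=int(row.get("sc-status", "0") or 0),
            user_agent=row.get("cs(User-Agent)", "-"),
        ))
    return hits


# Constructed sample log; addresses are from documentation ranges, not real clients.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2025-12-29 03:14:07 203.0.113.45 POST /api/upload - 200 python-requests/2.31
2025-12-29 03:14:09 203.0.113.45 GET /interface/root - 200 python-requests/2.31
2025-12-29 03:15:22 198.51.100.7 POST /Services//Upload.ashx - 200 Mozilla/5.0
2025-12-29 03:16:01 10.0.0.12 POST /api/v1/upload - 200 Mozilla/5.0
2025-12-29 03:17:44 192.0.2.9 GET /api/v1/upload - 405 curl/8.4.0
""".splitlines()


if __name__ == "__main__":
    for hit in find_upload_hits(SAMPLE_LOG, allowed_ips=frozenset({"10.0.0.12"})):
        print(f"{hit.timestamp} {hit.client_ip} {hit.method} {hit.path} "
              f"-> {hit.status} ({hit.user_agent})")
```

Successful (HTTP 2xx) write requests from unfamiliar external addresses are the records to follow up on: correlate the timestamp with file creation times in the SmarterMail directories and with any later requests for newly appearing `.aspx` or `.ashx` files.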
Technical Details
At the time of this writing, SmarterTools has not yet publicly provided technical details regarding this vulnerability; however, the vulnerability disclosure from CSA Singapore classifies CVE-2025-52691 as a critical arbitrary file upload vulnerability in SmarterMail server builds 9406 and earlier.
The vulnerability can be exploited by a remote, unauthenticated attacker to upload files to any location on an affected mail server without credentials. Because the vulnerability permits uploading files to the upload directories, attackers could place malicious executables or webshells that execute with the same privileges as the SmarterMail service and that could then be accessed remotely.
Shortly after the vulnerability was released, proof-of-concept exploit code surfaced on GitHub. It appears to target the web components of the SmarterMail server by attempting to place a proof-of-concept ASPX webshell through these endpoints:
/api/upload
/api/v1/upload
/Interface/Frmx/UploadFile.aspx
/MRS/Upload.ashx
/Services/Upload.ashx
This suggests the vulnerability allows files to be uploaded to the system at those locations and then accessed to run commands that further compromise the server.
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by exploitation of this vulnerability and need support, please contact our Incident Response team.