- SmarterMail patched CVE-2025-52691, a maximum-severity RCE flaw that allows unauthorized arbitrary file uploads
- Exploitation can allow attackers to deploy web shells or malware, steal data and pivot deeper into networks
- No confirmed in-the-wild exploit yet, but unpatched servers remain prime targets as exploit details circulate
Business-grade email server software SmarterMail has just patched a maximum severity vulnerability that allowed threat actors to engage in remote code execution (RCE) attacks.
A brief security advisory published on the Cyber Security Agency of Singapore (CSA) website says that SmarterTools (the company behind SmarterMail) has released a patch for CVE-2025-52691.
The National Vulnerability Database (NVD) does not describe the flaw in detail, but says that successful exploitation “could allow an unauthorized attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.”
A patch brings the tool to build 9413, and administrators are advised to upgrade as soon as possible.
Takeover of servers
In theory, this means that an attacker with no credentials and no user interaction can send a specially crafted request to the server, which accepts it and stores the uploaded file on its file system. Since the upload is not properly validated, the attacker can drop files into directories where the server will run or load them.
This means that the attackers could upload a web shell, malware or a malicious script to take full control of the mail server. They can steal sensitive data, maintain persistent access, and even use the compromised server as an attack platform to pivot deeper into the network.
Furthermore, they can use the compromised servers to carry out phishing and spam campaigns or simply disrupt the availability of services.
So far, there is no evidence that this is actually happening. There are no reports of in-the-wild exploits, and the US Cybersecurity and Infrastructure Security Agency (CISA) has yet to add it to its catalog of known exploited vulnerabilities (KEV).
But just because a patch is released doesn’t mean the attacks aren’t coming. Many cybercriminals use patches as notifications of existing vulnerabilities and then target organizations that fail to patch on time (or at all).
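As an added illustration (not SmarterMail's code, and not a reconstruction of CVE-2025-52691, whose details the NVD does not describe), the Python below shows the general bug class described above: an upload handler that lets the client-supplied file name decide the destination, beside a validated form. The paths, function names and blocked-extension list are assumptions made for the example.

```python
import os
from pathlib import Path

# Assumption: illustrative list of types a server might execute or load.
BLOCKED_SUFFIXES = {".aspx", ".ashx", ".asp", ".php", ".jsp", ".dll", ".exe", ".config"}


class UploadRejected(Exception):
    """Raised when an upload name fails validation."""


def unsafe_destination(upload_root: str, client_name: str) -> Path:
    """Unvalidated form: the client-supplied name decides where the file lands."""
    return Path(os.path.normpath(os.path.join(upload_root, client_name)))


def safe_destination(upload_root: str, client_name: str) -> Path:
    """Validated form: leaf name only, type check, then containment check."""
    # Treat "\\" and "/" alike so a Windows-style name is caught on any OS.
    leaf = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows drops trailing dots and spaces, so "x.aspx." would become "x.aspx".
    leaf = leaf.rstrip(". ")
    if not leaf or "\x00" in leaf or ":" in leaf:
        raise UploadRejected("empty or invalid file name")
    # Check every suffix so "x.aspx.txt" is rejected as well.
    if any(s.lower() in BLOCKED_SUFFIXES for s in Path(leaf).suffixes):
        raise UploadRejected("file type not allowed")
    root = Path(upload_root).resolve()
    dest = (root / leaf).resolve()  # resolve() also follows symlinks
    if root not in dest.parents:
        raise UploadRejected("destination escapes upload root")
    return dest


if __name__ == "__main__":
    # Constructed sample names, not taken from any real request.
    print(unsafe_destination("/srv/mail/uploads", "../wwwroot/shell.aspx"))
    for name in ["invoice.pdf", "../wwwroot/shell.aspx", "report.aspx.txt"]:
        try:
            print(name, "->", safe_destination("/srv/mail/uploads", name))
        except UploadRejected as err:
            print(name, "-> rejected:", err)
```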