vulnerability | International | The Hacker News
CSA Issues Alert on Critical SmarterMail Bug Allowing Remote Code Execution
Tuesday, December 30, 2025
What
This critical flaw enables unauthenticated attackers to upload arbitrary files, including malicious binaries or web shells, to a mail server. Successful exploitation grants remote code execution with the same privileges as the SmarterMail service, posing a significant threat to affected organizations.
Where
SmarterTools SmarterMail email software, used by web hosting providers like ASPnix Web Hosting, Hostek, and simplehosting.ch.
When
Disclosed by CSA Singapore; patched on October 9, 2025 (Build 9413), with a newer update on December 18, 2025 (Build 9483).
Key Factors
- The vulnerability, CVE-2025-52691, is an arbitrary file upload flaw in SmarterTools SmarterMail that achieves remote code execution without requiring any authentication.
- With a CVSS score of 10.0, this flaw allows an unauthenticated attacker to upload dangerous file types like PHP files or web shells to any location on the mail server.
- Exploitation could lead to the execution of malicious binaries or web shells with the same privileges as the SmarterMail service, enabling full system compromise.
Takeaways
- Immediately update SmarterTools SmarterMail installations to Build 9413 or the latest Build 9483 to patch CVE-2025-52691.
- Organizations using SmarterMail should review server logs for suspicious file uploads or unexpected process executions as a precautionary measure.
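One concrete way to act on the second takeaway is to inventory the mail server's web tree for script or executable files written inside the review window, since an arbitrary file upload of the kind described leaves exactly that trace. The script below is an added example written for this summary; it is not code from The Hacker News, CSA, or SmarterTools. The web-root location, the extension list, and the sample directory it builds are assumptions or constructed data, not values taken from the advisory; point `find_recent_risky_files` at the real install directory and choose `since` from the disclosure timeline.

```python
"""Triage helper: flag recently written script/executable files under a
web root. Added example, not SmarterTools code; the install path and the
extension list are assumptions rather than values from the advisory."""
import os
import tempfile
import time
from datetime import datetime, timedelta
from pathlib import Path

# File types an unauthenticated upload should never produce inside a mail
# server's web tree (assumed list; extend it for your deployment).
RISKY_EXTENSIONS = {
    ".php", ".asp", ".aspx", ".ashx", ".jsp",
    ".exe", ".dll", ".ps1", ".bat", ".cmd",
}


def find_recent_risky_files(root, since, extensions=RISKY_EXTENSIONS):
    """Return a sorted list of paths (relative to root, POSIX separators)
    whose extension is in `extensions` and whose mtime is >= `since`."""
    root = Path(root)
    cutoff = since.timestamp()
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() not in extensions:
            continue
        if path.stat().st_mtime >= cutoff:
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_tree():
    """Construct a temporary directory standing in for the web root:
    two benign static files, one script that predates the review window,
    and one script written 'today'. Sample data, not real server content."""
    root = Path(tempfile.mkdtemp(prefix="webroot_sample_"))
    (root / "images").mkdir()
    (root / "images" / "logo.png").write_bytes(b"\x89PNG constructed")
    (root / "index.html").write_text("<html>constructed</html>")

    legacy = root / "legacy"
    legacy.mkdir()
    old_script = legacy / "helper.aspx"
    old_script.write_text("<%-- constructed, pre-existing --%>")
    ten_days_ago = time.time() - 10 * 86400
    os.utime(old_script, (ten_days_ago, ten_days_ago))  # age it artificially

    (root / "uploads").mkdir()
    (root / "uploads" / "unexpected.php").write_text("<?php /* constructed placeholder */ ?>")
    return root


def run_demo(window_days=7):
    """Build the sample tree and report risky files newer than the window."""
    root = build_sample_tree()
    window_start = datetime.now() - timedelta(days=window_days)
    return find_recent_risky_files(root, window_start)


if __name__ == "__main__":
    for rel in run_demo():
        print("REVIEW:", rel)
```

The check is deliberately narrow: it answers "what script or binary files appeared here recently", which is the question the takeaway asks, and leaves judgement about each hit to the reviewer. Widen the window (`since`) to cover the whole period between the October 9, 2025 patch and when your server was actually updated, and compare any hit against a known-good inventory of the install before treating it as benign.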