This SmarterMail vulnerability allows Remote Code Execution - here's what we know
A maximum-severity flaw was just patched
- SmarterMail patched CVE-2025-52691, a maximum-severity RCE flaw allowing unauthenticated arbitrary file uploads
- Exploitation could let attackers deploy web shells or malware, steal data, and pivot deeper into networks
- No confirmed in-the-wild abuse yet, but unpatched servers remain prime targets once exploit details circulate
Business-grade email server software SmarterMail just patched a maximum-severity vulnerability that allowed threat actors to engage in remote code execution (RCE) attacks.
A short security advisory published on the Cyber Security Agency of Singapore (CSA) website says that SmarterTools (the company behind SmarterMail) has released a patch for CVE-2025-52691.
The National Vulnerability Database (NVD) does not describe the bug in detail but says that successful exploitation “could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.”
A patch brings the tool to build 9413, and admins are advised to upgrade as soon as possible.
Taking over servers
In theory, this means that an attacker with no credentials, and without any user interaction, can send the server a specially crafted request carrying a file, which the server then accepts and stores on its file system. Since the upload isn’t properly validated, the attacker can drop files in directories where the server will run or load them.
This means that the attackers could upload a web shell, malware, or a malicious script to take full control of the mail server. They can steal sensitive data, maintain persistent access, and even use the compromised server as an attack platform to pivot deeper into the network.
Furthermore, they can use the compromised servers to conduct phishing and spam campaigns, or simply disrupt service availability.
So far, there is no evidence that this is actually happening. There are no reports of in-the-wild abuse, and the US Cybersecurity and Infrastructure Security Agency (CISA) has not yet added it to its Known Exploited Vulnerabilities (KEV) catalog.
However, just because a patch is released, that doesn’t mean the attacks won’t come. Many cybercriminals use patches as notifications of existing vulnerabilities, and then target organizations that don’t patch on time (or at all).
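As an added example (not from the advisory, SmarterTools, or this article's sources), the sketch below shows one triage step for the web-shell risk described above: sweeping a web-served directory for executable-type files changed since a cutoff, such as the date the patch was published. The extension list and the directory passed in are assumptions to adapt to your own server.

```python
import os
import tempfile
import time
from pathlib import Path

# Assumption: file types an IIS/ASP.NET-style host may execute or load.
EXECUTABLE_EXTS = {".aspx", ".ashx", ".asmx", ".cshtml", ".config",
                   ".dll", ".exe", ".ps1", ".bat"}

def find_suspect_files(root, since_epoch, exts=EXECUTABLE_EXTS):
    """Return (path, timestamp) for executable-type files changed at/after since_epoch."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in exts:   # case-insensitive match
                continue
            try:
                st = path.stat()
            except OSError:
                continue  # file vanished or unreadable: skip, keep sweeping
            # mtime is easy to backdate, so also use st_ctime
            # (metadata-change time on Unix, creation time on Windows).
            changed = max(st.st_mtime, st.st_ctime)
            if changed >= since_epoch:
                hits.append((str(path), changed))
    return sorted(hits, key=lambda h: h[1], reverse=True)

def demo():
    """Run the sweep over a constructed sample tree (not real server data)."""
    with tempfile.TemporaryDirectory() as root:
        cutoff = time.time() - 60
        web = Path(root) / "webroot" / "uploads"   # constructed layout
        web.mkdir(parents=True)
        (web / "report.txt").write_text("harmless attachment")
        (web / "helper.ASPX").write_text("constructed placeholder")
        stomped = web / "old-looking.ashx"
        stomped.write_text("constructed placeholder")
        year_ago = cutoff - 365 * 86400
        os.utime(stomped, (year_ago, year_ago))    # backdated mtime
        recent = sorted(Path(p).name for p, _ in find_suspect_files(root, cutoff))
        future = find_suspect_files(root, time.time() + 3600)
        return recent, future

if __name__ == "__main__":
    print(demo())
```

A hit is only a lead for review: legitimate updates also change these files, so compare results against the vendor's installed file set before drawing conclusions.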
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.