Over 8,000 SmarterMail Servers at Risk: Critical RCE Vulnerability Exposed
A critical security flaw, identified as CVE-2025-52691, has been discovered in SmarterMail servers, leaving over 8,000 internet-exposed instances vulnerable to remote code execution (RCE) attacks. This vulnerability, stemming from an unauthenticated arbitrary file upload flaw, poses significant risks to organizations relying on SmarterMail for enterprise communications.
Vulnerability Details:
– CVE ID: CVE-2025-52691
– Description: Unauthenticated arbitrary file upload leading to RCE
– CVSS Score: 10.0 (Critical)
– Affected Versions: SmarterMail Build 9406 and earlier
– Fixed Version: Build 9413 and later
– CWE: CWE-434 (Unrestricted Upload of File with Dangerous Type)
The flaw lets an unauthenticated attacker upload a file of their choosing to a server location of their choosing. Dropping a server-executable file such as a web shell into a web-served directory is therefore enough to run code with the privileges of the SmarterMail service. Successful exploitation can lead to full server compromise, data exfiltration, webshell deployment, or lateral movement within the network.
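To make the bug class concrete, here is an added example (not SmarterMail code, and not the actual vulnerable code path) of the CWE-434 pattern the advisory describes beside a hardened version: an upload handler that joins the client-supplied filename straight onto the storage root lets `../` segments walk into the web root, while the hardened handler reduces the name to a basename, applies an extension allowlist, and checks that the resolved path stays inside the root. The directory layout, the allowlist and the placeholder payload are assumptions for the demonstration.

```python
import os
import tempfile

# Assumed allowlist: the attachment types a mail server has a reason to store verbatim.
ALLOWED_EXTENSIONS = {".pdf", ".txt", ".png", ".jpg", ".eml"}


def unsafe_save(upload_root: str, filename: str, data: bytes) -> str:
    """The CWE-434 pattern: trust the client-supplied name and join it to the root.
    A name such as '../wwwroot/shell.aspx' is written outside upload_root, and
    nothing stops a server-executable extension."""
    dest = os.path.join(upload_root, filename)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return os.path.realpath(dest)


def validate_name(filename: str) -> str:
    """Reduce the client name to a bare basename and enforce the extension allowlist."""
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name in {".", ".."}:
        raise ValueError("empty or relative filename")
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} is not permitted")
    return name


def safe_save(upload_root: str, filename: str, data: bytes) -> str:
    """Hardened handler: sanitised name, then a containment check on the resolved
    path so that even a surprising filesystem layout cannot escape upload_root."""
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, validate_name(filename)))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("resolved path escapes the upload root")
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def rejects(filename: str) -> bool:
    """True if the hardened validator refuses this client-supplied name."""
    try:
        validate_name(filename)
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Constructed layout: an attachment store beside a web root, as an attacker would want."""
    base = tempfile.mkdtemp()
    store = os.path.join(base, "attachments")
    webroot = os.path.join(base, "wwwroot")
    os.makedirs(store)
    os.makedirs(webroot)
    shell = b'<%@ Page Language="C#" %>'  # placeholder payload, not a working web shell
    out = {}
    planted = unsafe_save(store, "../wwwroot/shell.aspx", shell)
    out["unsafe_landed_in_webroot"] = os.path.dirname(planted) == os.path.realpath(webroot)
    out["safe_rejects_traversal"] = rejects("../wwwroot/shell.aspx")
    out["safe_rejects_executable"] = rejects("shell.aspx")
    kept = safe_save(store, "invoice.pdf", b"%PDF-1.4 placeholder")
    out["safe_stays_in_root"] = os.path.dirname(kept) == os.path.realpath(store)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check after `realpath` matters even with a basename-only name: it is what protects you if the storage root is ever a symlink or a junction into a web-served path, which a basename filter alone does not cover.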
Current Exposure:
As of January 12, 2026, security scans have identified 8,001 unique IP addresses likely affected out of 18,783 exposed instances. The United States hosts approximately 5,000 vulnerable instances, followed by the UK and Malaysia. Public proof-of-concept exploits are now available, increasing the urgency for remediation.
Recommended Actions:
– Immediate Upgrade: Administrators should upgrade to SmarterMail Build 9413 or later, preferably the latest Build 9483.
– Restrict Access: Limit external access to administrative interfaces. Because the flaw needs no credentials, this reduces exposure but does not replace the upgrade; treat every internet-facing instance on Build 9406 or earlier as exploitable until it is patched.
– Monitor Logs: Review web server and SmarterMail logs for upload requests from unauthenticated sessions, filenames containing path separators or server-executable extensions, and requests to files that did not exist before.
– Scan for IOCs: Look for indicators of compromise, such as unexpected or recently modified server-executable files (for example .aspx or .ashx) in web-served directories; compare the install against a clean copy of the same build.
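As an added example of the "scan for IOCs" step (this is not a vendor tool and the directory names, the extension list and the clean-install baseline are assumptions), the script below walks an install directory and flags files that are server-executable but absent from a clean-install baseline, executable files modified after a cutoff date, or files whose content carries common web shell markers. The sample tree it scans is constructed inline, with one planted handler in an attachment folder.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Assumed: extensions the web server will execute for an ASP.NET/IIS-hosted application.
EXEC_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax", ".dll", ".exe", ".ps1", ".bat"}
# Heuristic markers seen in ASP.NET web shells; generic, not a signature for this CVE.
SHELL_MARKERS = re.compile(
    rb"Request\s*\[|Request\.Form|eval\s*\(|ProcessStartInfo|cmd\.exe|powershell", re.I
)


def scan_tree(root: str, since: datetime, baseline: frozenset) -> list:
    """Walk root and return (relative_path, [reasons]) for files that are
    server-executable but not in the clean-install baseline, were modified
    after the cutoff, or contain web shell markers."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            reasons = []
            if ext in EXEC_EXTENSIONS:
                if rel not in baseline:
                    reasons.append("executable file not in baseline")
                mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
                if mtime >= since:
                    reasons.append("executable file modified after cutoff")
            with open(path, "rb") as fh:
                head = fh.read(64 * 1024)  # markers are near the top of a dropped shell
            if SHELL_MARKERS.search(head):
                reasons.append("web shell markers in content")
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)


def _write(root: str, rel: str, data: bytes, when: float) -> None:
    """Create a sample file under root with a chosen modification time."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.utime(path, (when, when))


def build_sample_tree() -> str:
    """Constructed install directory: a few legitimate files with old timestamps and
    one planted handler dropped into an attachment folder."""
    root = tempfile.mkdtemp()
    old = datetime(2025, 1, 1, tzinfo=timezone.utc).timestamp()
    new = datetime(2026, 1, 10, tzinfo=timezone.utc).timestamp()
    _write(root, "Default.aspx", b'<%@ Page Language="C#" %><html>ok</html>', old)
    _write(root, "bin/App.dll", b"MZ\x90\x00placeholder", old)
    _write(root, "App_Data/attachments/invoice.pdf", b"%PDF-1.4 placeholder", new)
    _write(root, "App_Data/attachments/x.ashx",
           b'<%@ WebHandler %> var c = Request["cmd"]; new ProcessStartInfo("cmd.exe");', new)
    return root


BASELINE = frozenset({"Default.aspx", "bin/App.dll"})  # assumed clean-install listing


def demo() -> list:
    root = build_sample_tree()
    cutoff = datetime(2025, 6, 1, tzinfo=timezone.utc)  # assumed: when the patched build went in
    return scan_tree(root, cutoff, BASELINE)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(f"{rel}: {', '.join(reasons)}")
```

In practice, generate the baseline from a clean install of the same build rather than by hand, and set the cutoff to the earliest date the host could have been exposed; attackers can reset timestamps, so the baseline and content checks are the ones to trust, and a hit on any of the three is a reason to pull the host for forensic review rather than just delete the file.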
Organizations should verify their exposure using tools like Shadowserver reports and prioritize patching their email infrastructure to mitigate potential threats.