The Cyber Security Agency of Singapore (CSA) has issued a bulletin warning of a maximum-severity security flaw in SmarterTools SmarterMail email software that could be exploited to achieve remote code execution.
The vulnerability, tracked as CVE-2025-52691, carries a CVSS score of 10.0. It relates to a case of arbitrary file upload that could enable code execution without requiring any authentication.
"Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution," CSA said.
Vulnerabilities of this kind allow the upload of dangerous file types that are automatically processed within an application's environment. This could pave the way for code execution if the uploaded file is interpreted and executed as code, as is the case with PHP files.
In a hypothetical attack scenario, a bad actor could weaponize this vulnerability to place malicious binaries or web shells that could be executed with the same privileges as the SmarterMail service.
SmarterMail is an alternative to enterprise collaboration solutions like Microsoft Exchange, offering features like secure email, shared calendars, and instant messaging. According to information listed on the website, it's used by web hosting providers like ASPnix Web Hosting, Hostek, and simplehosting.ch.
CVE-2025-52691 impacts SmarterMail versions Build 9406 and earlier. It has been addressed in Build 9413, which was released on October 9, 2025.
CSA credited Chua Meng Han from the Centre for Strategic Infocomm Technologies (CSIT) for discovering and reporting the vulnerability.
While the advisory makes no mention of the flaw being exploited in the wild, users are advised to update to the latest version (Build 9483, released on December 18, 2025) for optimal protection.
Update
Attack surface management platform Censys said it's observing nearly 16,000 internet-exposed hosts that are potentially vulnerable to the flaw. Of these, more than 12,500 instances are located in the U.S., followed by Malaysia (784), Iran (348), India (321), the U.K. (292), and Germany (205).
Update
In a technical analysis published on January 8, 2026, watchTowr said the problem is rooted in an API controller named "SmarterMail.Web.Api.FileUploadController.Upload()" that's registered to the "/api/upload" route. This API, in turn, enables the upload of ICS files, attachments, and notes.
Further analysis has determined that it's possible to send a specially crafted request to the "api/upload" endpoint with the Content-Type header set to "multipart/form-data" to upload a file and achieve a full unauthenticated file write on SmarterMail by taking advantage of the fact that a parameter named GUID is susceptible to path traversal.
As a result, an attacker can send an HTTP request with the GUID parameter set to a specific value (e.g., "dag/../../../../../../../../../../../../../../../inetpub/wwwroot/watchTowr") to upload a web shell to the instance and obtain code execution.
"As an aside, it seems that SmarterMail scans all the attachments with ClamAV," researchers Piotr Bazydlo and Sina Kheirkhah said. "However, either ClamAV is unable to recognize a basic webshell payload (possible), or SmarterMail is unable to process ClamAV results."
(The story was updated after publication on January 9, 2026, to include additional technical details of the flaw from watchTowr.)
