
Severe SmarterMail Security Bug Allows Arbitrary File Uploads and Potential Code Execution


The Cyber Security Agency of Singapore (CSA) has issued a bulletin warning of a maximum-severity security flaw in SmarterTools SmarterMail email software that attackers could exploit to achieve remote code execution.

Specifically, the vulnerability, tracked as CVE-2025-52691, carries a CVSS score of 10.0. It stems from an arbitrary file upload issue that enables code execution without requiring any authentication.

“Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution,” CSA said.

How Arbitrary File Uploads Enable Code Execution

In general, vulnerabilities of this kind allow attackers to upload dangerous file types that an application’s environment automatically processes. As a result, code execution can occur when the server interprets and executes the uploaded file as code, as commonly happens with PHP files.

In a hypothetical attack scenario, a bad actor could weaponize this vulnerability to place malicious binaries or web shells and then execute them with the same privileges as the SmarterMail service. Consequently, attackers could gain deep control over the affected mail server.
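To make the mechanism above concrete from the defender's side, here is an added example (not SmarterMail code, and not from the advisory) contrasting an upload handler that joins the client-supplied filename directly with one that confines every upload to a fixed directory. The storage directory, the extension allowlist and the filenames are constructed for the example.

```python
import posixpath
import uuid
from pathlib import PurePosixPath

# Constructed values for this example: a storage directory outside the web root
# and an allowlist of data-only extensions. These are assumptions, not product settings.
UPLOAD_ROOT = PurePosixPath("/var/app/uploads")
ALLOWED_EXT = {".txt", ".pdf", ".png", ".jpg"}


def is_contained(root: PurePosixPath, candidate: PurePosixPath) -> bool:
    """True only if `candidate` normalises to a path inside `root`."""
    root_n = posixpath.normpath(str(root))
    cand_n = posixpath.normpath(str(candidate))
    return posixpath.commonpath([root_n, cand_n]) == root_n


def naive_path(filename: str) -> PurePosixPath:
    """Vulnerable pattern: the client-supplied name is joined as-is.
    '..' segments climb out of UPLOAD_ROOT and an absolute name replaces it
    entirely, which is how an upload ends up in 'any location' on the host."""
    return UPLOAD_ROOT / filename


def safe_upload_path(filename: str, name_factory=None) -> PurePosixPath:
    """Hardened pattern: the client name only contributes an allowlisted
    extension; the on-disk name is server-generated and containment is
    verified before the path is returned."""
    # Drop any directory component, whether POSIX or Windows separators were used.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError("empty, traversal or NUL-containing filename")
    ext = PurePosixPath(name).suffix.lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension {ext!r} is not allowed")
    # Server-chosen basename: the client never controls where the file lands.
    stored = (name_factory or (lambda: uuid.uuid4().hex))() + ext
    dest = UPLOAD_ROOT / stored
    if not is_contained(UPLOAD_ROOT, dest):
        raise ValueError("destination escaped the upload root")
    return dest
```

An extension allowlist alone is weak (double extensions and content sniffing can defeat it); the protections that actually prevent the uploaded file from being interpreted as code are the server-generated name, storage outside any directory the web server executes from, and no execute permission on that directory.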

SmarterMail serves as an alternative to enterprise collaboration solutions like Microsoft Exchange and offers features such as secure email, shared calendars, and instant messaging. According to information listed on the vendor's website, web hosting providers including ASPnix Web Hosting, Hostek, and simplehosting.ch use the software.

CVE-2025-52691 impacts SmarterMail versions Build 9406 and earlier. SmarterTools addressed the issue in Build 9413, which the company released on October 9, 2025.

Discovery and Mitigation Guidance

CSA credited Chua Meng Han from the Centre for Strategic Infocomm Technologies (CSIT) for discovering and reporting the vulnerability.

Although the advisory does not indicate active exploitation in the wild, CSA advises users to update to the latest version—Build 9483, released on December 18, 2025—to ensure optimal protection.

Source: TheHackerNews