CSA Issues Alert on Critical SmarterMail Bug Allowing Remote Code Execution
Briefly

"The Cyber Security Agency of Singapore (CSA) has issued a bulletin warning of a maximum-severity security flaw in SmarterTools SmarterMail email software that could be exploited to achieve remote code execution. The vulnerability, tracked as CVE-2025-52691, carries a CVSS score of 10.0. It relates to a case of arbitrary file upload that could enable code execution without requiring any authentication."
"Vulnerabilities of this kind allow the upload of dangerous file types that are automatically processed within an application's environment. This could pave the way for code execution if the uploaded file is interpreted and executed as code, as is the case with PHP files. In a hypothetical attack scenario, a bad actor could weaponize this vulnerability to place malicious binaries or web shells that could be executed with the same privileges as the SmarterMail service."
An unauthenticated arbitrary file upload vulnerability in SmarterTools SmarterMail (CVE-2025-52691) carries a CVSS score of 10.0 and can enable remote code execution. Successful exploitation allows an attacker to upload arbitrary files to any location on the mail server, potentially enabling execution of malicious binaries or web shells with the same privileges as the SmarterMail service. The flaw affects SmarterMail Build 9406 and earlier and was addressed in Build 9413 released October 9, 2025. Users are advised to update to the latest release for optimal protection; Build 9483 was released December 18, 2025. The discovery was credited to Chua Meng Han of CSIT.
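The quoted explanation above describes the two properties that make an upload bug like this one exploitable: the client controls where the file lands and what type it is, and no login is required. The following is an added example, not SmarterMail's code, of a hypothetical handler in its naive form beside a hardened one (the upload directory, extension allow-list and function names are assumptions):

```python
import os
import secrets
from pathlib import Path
from typing import Tuple

# Hypothetical values for this example, not taken from SmarterMail.
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".png", ".jpg"}   # no server-side script types
UPLOAD_ROOT = Path("/var/lib/mailapp/uploads")          # outside any web-served directory


def naive_destination(upload_root: Path, client_filename: str) -> Path:
    """The vulnerable pattern: the client's name is trusted, so '../' walks out
    of the upload directory and the extension is whatever the client chose."""
    return (upload_root / client_filename).resolve()


def escapes_root(path: Path, upload_root: Path) -> bool:
    """True when the resolved destination is not inside upload_root."""
    return upload_root.resolve() not in path.resolve().parents


def validate_upload(client_filename: str, authenticated: bool,
                    upload_root: Path = UPLOAD_ROOT) -> Tuple[bool, str]:
    """Hardened handler. Returns (accepted, detail): detail is the rejection
    reason, or the server-chosen destination path when accepted."""
    if not authenticated:
        return False, "authentication required"
    # Drop any directory component the client supplied, in either separator style.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if base in ("", ".", "..") or "\x00" in base:
        return False, "invalid file name"
    ext = Path(base).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} not allowed"
    # The server picks the stored name, so the client cannot influence the path.
    dest = (upload_root / f"{secrets.token_hex(16)}{ext}").resolve()
    if escapes_root(dest, upload_root):
        return False, "destination outside upload directory"
    return True, str(dest)
```

The same `escapes_root` check can be run over an existing upload directory to flag files that should never have landed there.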
Read at The Hacker News