The Cyber Security Agency of Singapore (CSA) has issued an urgent alert about a critical vulnerability in SmarterMail, a widely deployed mail and collaboration server marketed as an alternative to Microsoft Exchange. The flaw carries the maximum CVSS severity rating and could let an attacker who holds no credentials at all take over an exposed mail server.
SmarterMail is popular with organizations that want a cost-effective collaboration server with "native MAPI support" and the option to run on either Windows or Linux. Administrators still running older builds now face a critical risk regardless of which platform they deploy on.
The vulnerability, tracked as CVE-2025-52691, has been assigned a CVSS score of 10 out of 10, the maximum base score, which is reserved for flaws that are both trivially exploitable and fully compromising.
According to the advisory, the flaw lies in how the software handles file uploads. “Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution”.
In practice, an attacker who can write a file of their choosing to any path on the host can drop a web shell or other executable content somewhere the server will run it, which amounts to full control of the machine and of every mailbox it holds. Because no authentication is required, credential hygiene offers no protection: every unpatched instance reachable from the internet is directly exposed.
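The advisory does not describe the exact mechanism of the SmarterMail bug, so the following is a generic illustration of the bug class it names (an upload handler that lets the client steer where a file is written) beside the hardened form a practitioner would want. It is an added example written for this article, not SmarterMail code; the upload root, the extension allow-list and the sample filenames are all constructed assumptions.

```python
"""Generic illustration of the 'arbitrary file upload to any location' bug class.

Constructed example for this article. It is NOT SmarterMail code and does not
reproduce the actual CVE-2025-52691 mechanism, which the advisory does not
detail. UPLOAD_ROOT and ALLOWED_EXTENSIONS are assumptions.
"""
import os

UPLOAD_ROOT = "/srv/upload-root"                                # assumed upload directory
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".png", ".jpg", ".eml"}   # assumed policy
MAX_NAME_LENGTH = 255


class UnsafeUploadPath(ValueError):
    """A client-supplied filename was rejected before any write happened."""


def vulnerable_destination(root: str, client_name: str) -> str:
    """The pattern behind 'upload arbitrary files to any location'.

    The client-supplied name is used as a path. os.path.join discards `root`
    entirely when the name is absolute, and '..' segments are kept, so the
    caller chooses where on the host the bytes land.
    """
    return os.path.join(root, client_name)


def sanitize_filename(client_name: str) -> str:
    """Accept only a single, plain path component from the client."""
    if "\x00" in client_name:
        raise UnsafeUploadPath("NUL byte in filename")
    # A server that may run on Windows or Linux must treat both separators
    # as hostile; a filename has no business containing either.
    if "/" in client_name or "\\" in client_name:
        raise UnsafeUploadPath("path separator in filename")
    name = client_name.strip()
    if not name or name in (".", "..") or name.startswith("."):
        raise UnsafeUploadPath(f"rejected component: {client_name!r}")
    if ":" in name:  # drive letters and NTFS alternate data streams
        raise UnsafeUploadPath("drive or stream syntax in filename")
    if len(name) > MAX_NAME_LENGTH:
        raise UnsafeUploadPath("filename too long")
    # Allow-list the final extension; anything a web server might execute
    # (.aspx, .php, .cgi, ...) is absent from the list by construction.
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UnsafeUploadPath(f"extension not allowed: {ext!r}")
    return name


def safe_destination(root: str, client_name: str) -> str:
    """Build the on-disk path and prove it stays inside `root`."""
    name = sanitize_filename(client_name)
    root_real = os.path.realpath(root)
    dest = os.path.realpath(os.path.join(root_real, name))
    # Defence in depth: even after sanitisation, refuse anything that resolves
    # outside the upload root (symlinked roots, future edits to the checks).
    if os.path.commonpath([root_real, dest]) != root_real:
        raise UnsafeUploadPath("destination escapes upload root")
    return dest


def check_upload(root: str, client_name: str):
    """Non-raising wrapper: (True, destination) or (False, reason)."""
    try:
        return True, safe_destination(root, client_name)
    except UnsafeUploadPath as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed attacker-style names alongside one benign one.
    samples = [
        "report.pdf",
        "../../var/www/shell.aspx",
        "/etc/cron.d/backdoor",
        "..\\..\\inetpub\\wwwroot\\shell.aspx",
        "shell.aspx",
        ".htaccess",
    ]
    for s in samples:
        print(f"{s!r:45} vulnerable -> {vulnerable_destination(UPLOAD_ROOT, s)}")
        print(f"{'':45} safe       -> {check_upload(UPLOAD_ROOT, s)}")
```

Running the block prints, for each constructed name, where the naive handler would write it and what the hardened handler does instead; the absolute and traversal names land outside the upload root in the first case and are rejected outright in the second. Rejecting any separator, rather than silently taking the basename, is deliberate: a filename carrying "../" or a drive letter is itself a signal worth logging, and an allow-list on the final extension keeps anything the web tier would execute out of the served tree.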
The discovery came from Singapore's own cyber defenders: the CSA credited Mr. Chua Meng Han of the Centre for Strategic Infocomm Technologies (CSIT) with identifying the vulnerability.
The affected range is broad. The advisory notes that "the vulnerability affects SmarterMail versions Build 9406 and earlier", so every installation that has not moved to a newer build is in scope.
SmarterTools has released a fixed build, and administrators are urged to update without delay. Until a server is patched, the only effective mitigation for an unauthenticated flaw is to take it off the internet. Updating closes the upload path but does not undo a write that may already have happened, so an instance that sat exposed on a vulnerable build should also be reviewed for unexpected files in web-served directories and for other signs of compromise before it is considered clean.
“Users and administrators of affected product versions are advised to update to SmarterMail version Build 9413 immediately,” the CSA warned.