CVE-2025-52691: Critical Unauthenticated RCE Found in SmarterTools SmarterMail
A pre-authentication remote code execution vulnerability rated CVSS 10.0 has been disclosed in SmarterTools SmarterMail, silently patched in October 2025 but only publicly revealed in late December 2025.

SmarterTools SmarterMail, a business email and collaboration server marketed as an affordable alternative to Microsoft Exchange, contains a pre-authentication remote code execution (RCE) vulnerability, tracked as CVE-2025-52691, in builds before 9413. The flaw carries a CVSS score of 10.0, the highest possible rating, and was silently patched in build 9413, released on October 10, 2025. It only came to public attention when Singapore's Cyber Security Agency (CSA) published an advisory in late December 2025, leaving customers unaware of the severity for more than two months.
The vulnerability was discovered by Mr. Chua Meng Han of Singapore's Centre for Strategic Infocomm Technologies (CSIT). Researchers at watchTowr Labs diffed the vulnerable build 9406 against the patched build 9413 to identify the root cause. The critical change is validation added to GUID parameters in the `FileUploadController.Upload` method. That method is registered at the `/api/upload` route and requires no authentication: the controller is decorated with `[AuthenticatedService(AllowAnonymous = true)]`.
The `FileUploadController` exposes an unauthenticated file upload endpoint that reads `context` and `contextData` parameters from HTTP form data. The `contextData` parameter is deserialized from JSON into a `PostUploadProcessingTargetData` object via `JsonConvert.DeserializeObject`. When the upload is marked complete (`ReadPartStatus.DONE`), the server calls `UploadLogic.ProcessCompletedUpload` with the deserialized target data and the uploaded file stream. Before build 9413 nothing checked that the GUID-typed values in that data actually were GUIDs, so an unauthenticated attacker could supply arbitrary strings for them and steer the post-upload processing into code execution.
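The class of check the patch diff points at, shown here as an added illustration rather than SmarterMail's code or watchTowr's analysis. The field name `uploadId`, the staging root under `/var/smartermail/uploads`, and the assumption that the GUID selects a directory are all hypothetical: the page does not say what the unvalidated GUID reached. What the example does show is the difference between a lenient parse and a strict canonical-form check, and what an unchecked string does once it reaches a filesystem sink.

```python
import json
import posixpath
import re
import uuid

# Canonical 8-4-4-4-12 hyphenated form (what .NET calls the "D" format) and
# nothing else: no braces, no "urn:uuid:" prefix, no bare 32-hex-digit form.
CANONICAL_GUID = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def is_canonical_guid(value) -> bool:
    """Strict check: only a str in canonical form passes."""
    return isinstance(value, str) and CANONICAL_GUID.fullmatch(value) is not None


def lenient_parse_accepts(value) -> bool:
    """Contrast: uuid.UUID() strips braces, 'urn:'/'uuid:' prefixes and every
    hyphen before parsing, so a successful parse says little about the exact
    bytes the client sent."""
    try:
        uuid.UUID(value)
        return True
    except (ValueError, TypeError, AttributeError):
        return False


def staging_dir_unchecked(base: str, context_data: str) -> str:
    """Pre-fix pattern: the field the client labelled as a GUID becomes a path
    component with no check, so '..' segments or an absolute path are honoured
    by the join."""
    target = json.loads(context_data)  # the deserialization step
    return posixpath.normpath(posixpath.join(base, target["uploadId"]))


def staging_dir_checked(base: str, context_data: str) -> str:
    """Post-fix pattern: refuse anything that is not a canonical GUID before the
    value can reach the filesystem or any other sink."""
    target = json.loads(context_data)
    upload_id = target.get("uploadId")
    if not is_canonical_guid(upload_id):
        raise ValueError("uploadId is not a canonical GUID")
    return posixpath.normpath(posixpath.join(base, upload_id.lower()))


def checked_or_rejected(base: str, context_data: str):
    """Same as staging_dir_checked but returns None instead of raising."""
    try:
        return staging_dir_checked(base, context_data)
    except ValueError:
        return None


def escapes_base(base: str, resolved: str) -> bool:
    """True when a resolved path lies outside the staging root."""
    return posixpath.commonpath([base, resolved]) != base


# Constructed inputs (not captured traffic) for the contextData form field.
BASE = "/var/smartermail/uploads"  # assumed staging root, hypothetical
GOOD = json.dumps({"uploadId": "3F2504E0-4F89-11D3-9A0C-0305E82C3301"})
TRAVERSAL = json.dumps({"uploadId": "../../../etc/cron.d"})
ABSOLUTE = json.dumps({"uploadId": "/etc/cron.d"})

if __name__ == "__main__":
    for label, body in (("good", GOOD), ("traversal", TRAVERSAL), ("absolute", ABSOLUTE)):
        unchecked = staging_dir_unchecked(BASE, body)
        print(f"{label:9} unchecked -> {unchecked} (escapes base: {escapes_base(BASE, unchecked)})")
        print(f"{label:9} checked   -> {checked_or_rejected(BASE, body) or 'rejected'}")
```

The lenient parser is included because "it parses as a GUID" is the check developers usually reach for, and it is not the same as "it is exactly a GUID": `uuid.UUID` accepts braces, a `urn:uuid:` prefix, and hyphens in the wrong places. A regex anchored to the canonical form (or, in .NET, `Guid.TryParseExact` with the `"D"` format) is what actually pins the value down.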
SmarterMail is deployed as both on-premises software and a hosted service, running on Windows and Linux. Given its role as a business email and collaboration server handling sensitive communications and attachments, the impact of successful exploitation is severe: an unauthenticated attacker achieving RCE could take over the mail server, pivot into internal networks, exfiltrate mail, or deploy ransomware. The CVSS 10.0 rating reflects a network-reachable vector that needs no credentials or user interaction and yields full impact on confidentiality, integrity, and availability.
SmarterTools fixed the issue in build 9413 on October 10, 2025; the release notes cited only "general security fixes." The newest build at the time of disclosure is 9483, so patched builds had been available for months. But silent patching meant customers had nothing signalling the severity and little reason to prioritize the update. watchTowr Labs noted the concerning pattern: "Did this really happen? Is it possible someone figured this out before the advisory and went under the radar?"
No active exploitation in the wild had been reported publicly as of the advisory date, but given the simplicity of the attack vector and the long gap between fix and disclosure, the risk of attackers reverse-engineering the patch and building exploits is significant. Organizations running SmarterMail should urgently confirm they are on build 9413 or later and, for instances that were reachable from the Internet before updating, review web server logs for POST requests to `/api/upload` that cannot be tied to a legitimate user session. CISA has not yet added CVE-2025-52691 to its Known Exploited Vulnerabilities catalog, but the severity and pre-authentication nature make it a strong candidate.
This incident adds to a growing list of cases where vendors silently patch critical vulnerabilities without transparency, leaving customers exposed. The disclosure lag between fix and advisory highlights ongoing tensions in vulnerability management. Security teams relying on release notes would have found no actionable information in "general security fixes," underscoring the need for more responsible disclosure practices — even when the fix predates public awareness.