CVE-2025-52691

CRITICAL 10.0

⚠️ CISA KEV

Upload Arbitrary Files

CVSS Score

10.0

EPSS Score

0.0%

EPSS Percentile

0th

Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.

Vendor	smartertools
Product	smartermail
Published	Dec 29, 2025
Last Updated	Feb 26, 2026

⚠️ Actively Exploited — Act Now

Get instant alerts for smartertools smartermail

This vulnerability is actively exploited in the wild. Set up free real-time alerts so you're first to know about threats like CVE-2025-52691.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

SmarterTools / SmarterMail

SmarterMail versions Build 9406 and earlier

References

NVD ↗ CVE.org ↗ EPSS Data ↗

csa.gov.sg: https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-124/ github.com: https://github.com/watchtowrlabs/watchTowr-vs-SmarterMail-CVE-2025-52691?ref=labs.watchtowr.com cisa.gov: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-52691

Credits

Chua Meng Han