
The Cyber Security Authority of Singapore (CSA) has issued a bulletin warning of a maximum severity security flaw in the SmarterTools SmarterMail email software that could be exploited to lead to remote code execution.
The vulnerability is tracked as CVE-2025-52691 and carries a CVSS score of 10.0. It is an arbitrary file upload flaw that permits code execution without requiring authentication.
“Successful exploitation of this vulnerability could allow an unauthenticated attacker to upload arbitrary files to arbitrary locations on the mail server, potentially leading to remote code execution,” CSA said.
This class of vulnerability lets dangerous file types be uploaded into locations where the application's environment processes them automatically. That opens the way to code execution when the uploaded file is interpreted as code and run, as happens with PHP files placed under a web root.

In a hypothetical attack scenario, an attacker could exploit this vulnerability to deploy a malicious binary or web shell that runs with the same privileges as the SmarterMail service.
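To make the vulnerability class concrete, here is an added example (not SmarterTools' code, and unrelated to how SmarterMail is implemented) that contrasts the unsafe save-path pattern, where a client-chosen name decides where a file lands, with a hardened validator that confines uploads to one directory and refuses executable file types; the extension lists and the `/var/uploads` root are constructed assumptions.

```python
import os
import re

# File types that common web stacks execute rather than serve as data.
# Constructed denylist for this example; tailor it to the deployment.
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".phar", ".asp", ".aspx", ".ashx",
                         ".jsp", ".jspx", ".cgi", ".pl", ".py", ".exe", ".dll"}

# Attachment types a mail application might legitimately accept (constructed).
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".jpeg", ".txt", ".docx", ".zip"}

_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,128}$")


def vulnerable_save_path(upload_root: str, requested_name: str) -> str:
    """The unsafe pattern: the client-supplied name is joined to the upload
    root unchanged, so '../' segments or an absolute path pick the location."""
    return os.path.normpath(os.path.join(upload_root, requested_name))


def validate_upload(upload_root: str, requested_name: str) -> tuple[bool, str]:
    """Return (accepted, reason_or_path). Accepts only a bare file name with a
    benign extension and proves the final path stays inside upload_root."""
    # 1. Strip any directory component the client sent (both separator styles).
    base = requested_name.replace("\\", "/").rsplit("/", 1)[-1]
    if not base or "\x00" in base or base in (".", ".."):
        return False, "empty or malformed file name"
    if not _SAFE_NAME.match(base):
        return False, "file name contains disallowed characters"
    # 2. Check every suffix, so 'shell.php.jpg' and 'shell.jpg.php' both fail.
    parts = base.lower().split(".")
    suffixes = {"." + p for p in parts[1:]}
    if suffixes & EXECUTABLE_EXTENSIONS:
        return False, "executable file type"
    if ("." + parts[-1]) not in ALLOWED_EXTENSIONS:
        return False, "file type not in allow list"
    # 3. Defence in depth: confirm the resolved path is still under the root.
    root = os.path.abspath(upload_root)
    final = os.path.abspath(os.path.join(root, base))
    if os.path.commonpath([root, final]) != root:
        return False, "path escapes upload directory"
    return True, final
```

The containment check in step 3 is what an unauthenticated "upload to arbitrary locations" flaw lacks; keeping it even after the basename strip means a later change to the name handling cannot silently reopen the traversal.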
SmarterMail provides secure email, shared calendars, instant messaging, and other features as an alternative to enterprise collaboration solutions such as Microsoft Exchange. According to the information provided on the website, it is used by web hosting providers such as ASPnix Web Hosting, Hostek, and simplehosting.ch.
CVE-2025-52691 affects SmarterMail builds 9406 and earlier. The issue was resolved in build 9413, released on October 9, 2025.
CSA credits Chua Meng Han of the Center for Strategic Information and Communications Technology (CSIT) for discovering and reporting the vulnerability.
The advisory does not mention that this flaw is being exploited, but recommends that users update to the latest version (build 9483, released on December 18, 2025) for optimal protection.
