Singapore’s CSA warns of CVE-2025-52691, a critical SmarterMail flaw enabling unauthenticated remote code execution via arbitrary file upload. Singapore’s Cyber Security Agency of Singapore (CSA) warns of a maximum severity flaw, tracked as CVE-2025-52691 (CVSS score of 10.0), in SmarterMail. The vulnerability enables unauthenticated remote code execution via arbitrary file upload. “Successful exploitation of the […

Singapore’s CSA warns of CVE-2025-52691, a critical SmarterMail flaw enabling unauthenticated remote code execution via arbitrary file upload.

Singapore’s Cyber Security Agency of Singapore (CSA) warns of a maximum severity flaw, tracked as CVE-2025-52691 (CVSS score of 10.0), in SmarterMail. The vulnerability enables unauthenticated remote code execution via arbitrary file upload.

“Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.” reads CSA’s advisory.

SmarterMail is a commercial email server software developed by SmarterTools.
It’s used by businesses, hosting providers, and ISPs to run their own mail servers instead of relying on cloud services like Microsoft 365 or Google Workspace.

The vulnerability impacts SmarterMail versions Build 9406 and earlier, CSA recommends users and administrators of affected product versions to update to SmarterMail version Build 9413 immediately.

Mr Chua Meng Han from the Centre for Strategic Infocomm Technologies (CSIT) responsibly disclosed the vulnerability.

At this time, it is unclear if the flaw is being exploited in attacks in the wild.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CSA)

Source: SecurityAffairs
Source Link: https://securityaffairs.com/186353/security/singapore-csa-warns-of-maximun-severity-smartermail-rce-flaw.html