8000+ SmarterMail Hosts Vulnerable to RCE Attack – PoC Exploit

More than 8,000 internet-exposed SmarterMail servers remain vulnerable to a critical remote code execution flaw, CVE-2025-52691. Scans conducted on January 12, 2026, confirmed this widespread exposure.

Security researchers identified 8,001 unique IP addresses likely affected out of 18,783 exposed instances, with proof-of-concept exploits now publicly available. This maximum-severity vulnerability poses severe risks to organizations relying on the email platform for enterprise communications.​

CVE-2025-52691 stems from an unauthenticated arbitrary file upload flaw in SmarterMail versions Build 9406 and earlier. Attackers can upload malicious files to any server location without credentials, enabling remote code execution under the service’s privileges.

The National Vulnerability Database (NVD) assigns it a CVSS v3.1 score of 10.0 with the vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, marking it as critically exploitable over the network with low complexity.

Successful exploitation allows full server compromise, data exfiltration, webshell deployment, or lateral movement. Disclosed in late December 2025, the flaw prompted alerts from agencies including Singapore’s Cyber Security Agency (CSA) and Belgium’s CCB.x+3​

Shadowserver UK’s latest dashboard reveals widespread exposure, with the United States hosting around 5,000 vulnerable instances, followed by the UK and Malaysia.

Scans confirm 42.6% of exposed SmarterMail hosts (8,001/18,783) fail vulnerability checks, likely due to delayed patching. Censys reported similar figures earlier, noting over 16,000 exposed globally, predominantly in the US (12,500+).

Public PoCs on platforms like Sploitus demonstrate simple HTTP requests for file uploads, escalating to RCE via ASPX webshells. No widespread in-the-wild exploitation is confirmed yet, but the public exploits heighten risks for unpatched mail servers directly internet-facing.

Administrators must upgrade to SmarterMail Build 9413 or later, ideally the newest Build 9483, for remediation. Interim steps include restricting external access to admin interfaces, monitoring logs for anomalous uploads, and scanning for IOCs like unexpected files in executable directories.

Organizations should verify exposure via tools like Shadowserver reports and prioritize email infrastructure in patch management.

This vulnerability underscores the dangers of unpatched email servers, potentially enabling spam relays, phishing bases, or ransomware vectors. With CVSS perfection and easy exploits, rapid action is essential to avert breaches.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.