Singapore's Cyber Security Agency has warned of a maximum-severity arbitrary file upload vulnerability in SmarterTools SmarterMail email software, tracked as CVE-2025-52691, which could be leveraged to facilitate unauthenticated code execution, The Hacker News reports.
Threat actors could harness the flaw, which was discovered and reported by Centre for Strategic Infocomm Technologies' Chua Meng Han, to run illicit binaries or web shells with the same privileges as SmarterMail, which is used by ASPnix Web Hosting, simplehosting.ch, Hostek, and other web hosting providers.
"Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution," said CSA.
While active attacks involving the issue have not been reported, organizations have been urged to promptly update their SmarterMail versions Build 9406 and earlier to Build 9413 to ensure protection against possible compromise.
Threat actors could harness the flaw, which was discovered and reported by Centre for Strategic Infocomm Technologies' Chua Meng Han, to run illicit binaries or web shells with the same privileges as SmarterMail, which is used by ASPnix Web Hosting, simplehosting.ch, Hostek, and other web hosting providers.
"Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution," said CSA.
While active attacks involving the issue have not been reported, organizations have been urged to promptly update their SmarterMail versions Build 9406 and earlier to Build 9413 to ensure protection against possible compromise.




