CVE-2025-52691
ENISA EUVD: EUVD-2025-205544
Exploited in the Wild
✓ Confirmed 0-Day
Triaged: March 5, 2026
4 articles
Published: 2025-12-29
EPSS Score
Source: FIRST.org · 2026-05-23
This CVE has an 88.75% probability of being exploited in the next 30 days.
Top 99.5th percentile of all CVEs
CVSS v3.1
Source: VulnerabilityLookup (CIRCL)
10 CRITICAL
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description
Source: VulnerabilityLookup (CNA)
Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.
Affected Products
SmarterTools
SmarterMail
SmarterMail versions Build 9406 and earlier
Attack Intelligence
Exploits & PoC
rxerium/CVE-2025-52691: Detection for CVE-2025-52691 (⭐ 19, 2025-12-30)
⭐ 19, 2026-01-08
⭐ 3, 2025-12-29
DeathShotXD/CVE-2025-52691-APT-PoC: An enhanced proof-of-concept exploit for CVE-2025-52691 (SmarterMail Arbitrary File Upload RCE) with APT-level features like stealth obfuscation, pers (⭐ 3, 2025-12-30)
⭐ 3, 2025-12-30
you-ssef9/CVE-2025-52691: This repository contains a safe Proof of Concept (PoC) to detect vulnerable SmarterMail versions affected by CVE‑2025‑52691. The script performs vers (⭐ 1, 2025-12-30)
nxgn-kd01/smartermail-cve-scanner: CVE-2025-52691 Scanner - Detects vulnerable SmarterMail installations (CVSS 10.0 RCE) (⭐ 1, 2026-01-05)
mohammadzarnian1357/Ashwesker-CVE-2025-52691: CVE-2025-52691 (⭐ 0, 2025-12-30)
ninjazan420/CVE-2025-52691-PoC-SmarterMail-authentication-bypass-exploit-WT-2026-0001: CVE-2025-52691 PoC: Based on watchtowr's article WT-2026-0001 about an authentication bypass exploit, this one is a functional Python attack script. (⭐ 0, 2026-01-24)
9 repos, sorted by ⭐
Signal Intelligence
Confidence: 82%
EPSS: 88.75%
CVSS v3.1: 10
Mentions: 4
Last Seen: Feb 10, 2026
CNA Information
CNA Assigner: CSA
CNA Title: Upload Arbitrary Files
Analyst Note
CVE-2025-52691 in SmarterMail was actively exploited in the wild within two days of patch release (January 2026 breach confirmed). Exploitation clearly preceded or coincided with patch availability, meeting the critical zero-day criterion. High-profile use by Warlock ransomware and CSA alert (CVSS 10.0) reinforce severity, though direct patch timing documentation is limited.
Threat Actors (5)
MuddyWater | apt_group | Information theft and espionage | 🇮🇷 IR
APT 28 | apt_group | Information theft and espionage | 🇷🇺 RU
TAG-28 | apt_group | Information theft and espionage | 🇨🇳 CN
Roaming Tiger | apt_group | Information theft and espionage | 🇨🇳 CN
White Bear | apt_group | Information theft and espionage | 🇷🇺 RU
Triage Info
Decided at: Mar 05, 2026
Published Date: Dec 29, 2025