CVE
Problem reported by Tan - 12/28/2025 at 9:03 PM
Resolved
Hi

We just received an alert about CVE-2025-52691 that it is affecting SmarterMail.

I can't find much information about this officially.

https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-124/
Update to a build later than 9413....
Gabriele Maoret - SERSIS Replied
I'm pretty happy with the latest 9483...
Gabriele Maoret - Head of SysAdmins and CISO at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
David Jamell Replied
It would be good if someone from Smartertools could weigh in on this.
Derek Curtis Replied
Employee Post Marked As Resolution
As Brian mentioned, the fix was put in place in Build 9413. We worked with the investigators and had a fix already in place when they reached out to us. In addition, if memory serves, the steps for replication were rather intricate. 
Derek Curtis COO SmarterTools Inc. www.smartertools.com
J. LaDow Replied
And yet no public notice was ever issued to existing SM administrators about this?

You people patch something that allows unauthenticated uploads and possible RCE and there is no public notice anywhere?  I surely don't see ANYTHING in available release notes regarding this other than one line that states "General Security Fixes".

What are the hardening resolution steps other than a paid upgrade?

What are any indicators of compromise?

I have no words to describe how absolutely poorly this has been handled.

EDIT:

You know MailEnable may have been at a development standstill, but at least they provided security updates that didn't require hundreds if not thousands of dollars to acquire in regard to vulnerabilities.

You people might as well change your name to Microsoft and get it over with, considering actions like this...


MailEnable survivor / convert --
Tan Replied
Can I at least request which version it affects from, as we might have some SM15 clients too?
J. LaDow Replied
According to the CVE, it's ANY version of SM prior to 9413.


I'm so glad I spent close to a grand on software that has an unauthenticated file upload vulnerability and the only way to get a fix is to pay over 1k in upgrade fees. 

This is absolutely outrageous...

As of right now, we have to take our entire webmail interface offline, which will cost us clients because you people hid this when you knew about it.



MailEnable survivor / convert --
echoDreamz Replied
I'm so glad I spent close to a grand on software that has an unauthenticated file upload vulnerability and the only way to get a fix is to pay over 1k in upgrade fees.
Welcome to software development, where bugs, vulns, etc. exist and you have to pay annual upgrade and support fees and install new versions.

As of right now, we have to take our entire webmail interface offline, which will cost us clients because you people hid this when you knew about it.
No, you have to take it offline because you elected to not pay for upgrades and run (what sounds like) an EOL version of SmarterMail.

We had a similar situation with an FTP server product we use, we did not pay the upgrades fee and stayed on an older version (due to their API changing and the uppers not wanting to pay the upgrade fees + dev time to update our control panel). The older version had a fairly nasty CVE in the web interface; we had to kill off the web-based file access for a few weeks while our devs finalized the control panel changes for the new version.

Now, I will agree that SmarterTools has definitely done a poor job on communication here. When they received this, development should have gotten on it and notified customers via email about the vuln. and that a fix was inbound or available, and how to tell if their server(s) have been exploited already. Running an EOL version of a product has risks and this is certainly one of them; I do not expect SmarterTools to lift a finger for releasing new versions of EOL software, especially SmarterMail v15, which last had an update back in 2019. Frankly, if you are on EOL versions of software, especially those that are touching the Internet, you are asking for trouble.
J. LaDow Replied
Initial purchase was in May of 2023.  We stayed on the version we were on because upgrades were unusable for almost 6 months of our support agreement.  After that nightmare, there was no justification for paying a maintenance agreement for software we couldn't upgrade to without incurring loss of customers due to upgrades causing more problems than they were worth.  We're not some fortune 500 company that has thousands of dollars to burn and clients to spare when the shit hits the fan.

While I do agree with your statement on many aspects - I disagree that 1.5 years should be considered END OF LIFE on an Enterprise grade product.

Even Microsoft released security updates for exchange going back at least 2 full versions.

Regardless - the fact that NONE of this information was made available to SM administrators - and we had to find out from third parties - is inexcusable. PERIOD.



MailEnable survivor / convert --
Tan Replied
@J. LaDow, I know, but I would like to know more about the extent of the vulnerability, as SmarterMail has so many features on their platform.

@Derek Curtis, mind sharing the extent of this issue?

@all Yes, we understand that upgrading would resolve the issue. However, please note that SmarterMail upgrades are not always smooth, so we need to plan and execute them in batches.

Additionally, some clients are on expired licenses. In those cases, we cannot simply insist on an upgrade by stating there is a CVE on an EOL product when we do not have an official CVE reference, and the information is based only on third-party sources.

I simply want to gather the necessary information so we can move forward with our clients appropriately. Any software can be affected by vulnerabilities or bugs; what matters is how we manage the situation, approach the issue, and ensure our clients are properly informed before they make a decision, which in turn allows us to plan accordingly.
josh levine Replied
Wow, huge policy error. There really should have been (still should be) a *critical* alert to all SM admins with full mitigation instructions. Almost unlimited potential harm, especially considering that SM service installs run in the Local System account by default.
Jack. Replied
Yes, we need more information. Is there any possible mitigation for the vulnerability?

From which version does the vulnerability exist?

Sébastien Riccio Replied
Depending on how the vulnerability is exploited, it might be possible to add a filter in IIS or with a web application firewall to reject calls to the precise vulnerable component URL and associated parameters.

If the vulnerability allows the uploading of a file anywhere on the system, there might be ways to add some regex filter on the file path variable to avoid this.

It's only speculation here though, but it might be an interesting way to secure your server if you have no active subscription...
Sébastien Riccio System & Network Admin https://swisscenter.com
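As an added illustration of the kind of IIS-side filter the post above speculates about (this is not from the original thread, nor from SmarterTools, and the thread does not identify the vulnerable component, so the path below is a hypothetical placeholder to be replaced with whatever the vendor or advisory names): a web.config fragment using the IIS URL Rewrite module to abort requests to a specific path and to reject path-traversal sequences in the query string, plus IIS Request Filtering's built-in deny list for ".." in the URL.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Built-in IIS Request Filtering: deny any URL containing ".." -->
        <denyUrlSequences>
          <add sequence=".." />
        </denyUrlSequences>
      </requestFiltering>
    </security>
    <rewrite>
      <rules>
        <!-- HYPOTHETICAL path: replace with the component URL identified by the vendor/advisory -->
        <rule name="Block vulnerable upload component" stopProcessing="true">
          <match url="^PLACEHOLDER/VulnerableUploadHandler$" ignoreCase="true" />
          <action type="AbortRequest" />
        </rule>
        <!-- Reject traversal-style sequences in any query string (covers ../, ..\ and URL-encoded forms) -->
        <rule name="Reject path traversal in query string" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{QUERY_STRING}" pattern="(\.\./|\.\.\\|%2e%2e|%252e%252e)" ignoreCase="true" />
          </conditions>
          <action type="CustomResponse" statusCode="403"
                  statusReason="Forbidden"
                  statusDescription="Request blocked by traversal filter" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

This only helps on deployments where SmarterMail's web interface is served through IIS with the URL Rewrite module installed; the rule matches the request path without its leading slash, so test it against a staging host first, and keep IIS logs for the blocked 403s, since a spike of them is a useful signal that something is probing the endpoint.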
Robert G. Replied
I understand the need to validate facts, but listing Build 9413 as having only “General Fixes” raises concerns around transparency.

Can someone from SmarterTools leadership provide context on what occurred? While we recognize the issue has been fixed, understanding the root cause helps customers assess risk and maintain trust.

Additionally, it’s concerning that no proactive alert was sent to customers. Communicating security-impacting issues is a fundamental expectation for enterprise software providers.


GearHost.com
Richard Laliberte Replied
I'm thinking this is one of those general double-edged swords. SmarterMail is definitely not updated by everyone at every release, with many opting to remain on older, stable versions due to various bugs and such. We see it in the forums almost daily.

So for this reason alone, I believe the team was correct in not listing it on the public updates and instead using "General Fixes". Why give attackers that information if they don't already have it? I also agree that anyone running EOL installs is running at their own risk, as many have stated.

As for patches for older versions before 9413... If you've read the forums, it's highly unlikely this is even an option (but who knows, maybe I'm wrong?).

But I do agree with most of the feedback in this forum that emails should have been sent out to admins who are on some type of plan.
Tim Uzzanti Replied
Employee Post
That is also our takeaway from this thread and will be our approach moving forward.

Tim Uzzanti CEO SmarterTools Inc. www.smartertools.com
