Share
## https://sploitus.com/exploit?id=1665D1BB-B212-5282-B8B1-17C2F737F4DF
# CVE-2025-52691 SmarterMail Pre-Auth RCE

SmarterMail Pre-Auth RCE 1day Detection Artifact Generator Tool
 

# Detection in Action

Detection Artifact Generator attempts to write the .aspx file to the `C:\Program Files (x86)\SmarterTools\SmarterMail\Service\App_Data` directory (builds 94xx) or `C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\App_Data` directory (build 16). This does not lead to Remote Code Execution, it just proves exploitability.

Script was tested on:
* Windows Server based installations
* With builds 94xx and older build 16.

Some older builds (like SmarterMail 15) were not tested.

Sample run against vulnerable instance:

```
$ python3 .\watchTowr-vs-SmarterMail-CVE-2025-52691.py -H http://smartermail.lab:9998
                         __         ___  ___________
         __  _  ______ _/  |__ ____ |  |_\__    ____\____  _  ________
         \ \/ \/ \__  \    ___/ ___\|  |  \|    | /  _ \ \/ \/ \_  __ \
          \     / / __ \|  | \  \___|   Y  |    |(   \     / |  | \/
           \/\_/ (____  |__|  \___  |___|__|__  | \__  / \/\_/  |__|
                                  \/          \/     \/

        watchTowr-vs-SmarterMail-CVE-2025-52691.py
        (*) CVE-2025-52691 Detection Artifact Generator: SmarterMail Path Traversal Leading to Unauthenticated RCE

          - Piotr (@chudyPB) and Sina Kheirkhah (@SinSinology) of watchTowr (@watchTowrcyber)

[+] VULNERABLE - file epoyn5_0.aspx got uploaded
```

Sample run against patched instance:

```
$ python3 .\watchTowr-vs-SmarterMail-CVE-2025-52691.py -H http://smartermail.lab:9998
                         __         ___  ___________
         __  _  ______ _/  |__ ____ |  |_\__    ____\____  _  ________
         \ \/ \/ \__  \    ___/ ___\|  |  \|    | /  _ \ \/ \/ \_  __ \
          \     / / __ \|  | \  \___|   Y  |    |(   \     / |  | \/
           \/\_/ (____  |__|  \___  |___|__|__  | \__  / \/\_/  |__|
                                  \/          \/     \/

        watchTowr-vs-SmarterMail-CVE-2025-52691.py
        (*) CVE-2025-52691 Detection Artifact Generator: SmarterMail Path Traversal Leading to Unauthenticated RCE

          - Piotr (@chudyPB) and Sina Kheirkhah (@SinSinology) of watchTowr (@watchTowrcyber)

[-] NOT VULNERABLE - patch applied (INVALID_GUID error message appeared)
```


# Description

This script attempts to detect if SmarterMail is vulnerable to CVE-2025-52691 Pre-Auth RCE.


# Affected Versions

`< SmarterMail 9413`

`<= SmarterMail 16.3.6989.16341`


# Follow [watchTowr](https://watchTowr.com) Labs

For the latest security research follow the [watchTowr](https://watchTowr.com) Labs Team 

- https://labs.watchtowr.com/

- https://x.com/watchtowrcyber