Share
## https://sploitus.com/exploit?id=1665D1BB-B212-5282-B8B1-17C2F737F4DF
# CVE-2025-52691 SmarterMail Pre-Auth RCE
SmarterMail Pre-Auth RCE 1day Detection Artifact Generator Tool
# Detection in Action
Detection Artifact Generator attempts to write the .aspx file to the `C:\Program Files (x86)\SmarterTools\SmarterMail\Service\App_Data` directory (builds 94xx) or `C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\App_Data` directory (build 16). This does not lead to Remote Code Execution, it just proves exploitability.
Script was tested on:
* Windows Server based installations
* With builds 94xx and older build 16.
Some older builds (like SmarterMail 15) were not tested.
Sample run against vulnerable instance:
```
$ python3 .\watchTowr-vs-SmarterMail-CVE-2025-52691.py -H http://smartermail.lab:9998
__ ___ ___________
__ _ ______ _/ |__ ____ | |_\__ ____\____ _ ________
\ \/ \/ \__ \ ___/ ___\| | \| | / _ \ \/ \/ \_ __ \
\ / / __ \| | \ \___| Y | |( \ / | | \/
\/\_/ (____ |__| \___ |___|__|__ | \__ / \/\_/ |__|
\/ \/ \/
watchTowr-vs-SmarterMail-CVE-2025-52691.py
(*) CVE-2025-52691 Detection Artifact Generator: SmarterMail Path Traversal Leading to Unauthenticated RCE
- Piotr (@chudyPB) and Sina Kheirkhah (@SinSinology) of watchTowr (@watchTowrcyber)
[+] VULNERABLE - file epoyn5_0.aspx got uploaded
```
Sample run against patched instance:
```
$ python3 .\watchTowr-vs-SmarterMail-CVE-2025-52691.py -H http://smartermail.lab:9998
__ ___ ___________
__ _ ______ _/ |__ ____ | |_\__ ____\____ _ ________
\ \/ \/ \__ \ ___/ ___\| | \| | / _ \ \/ \/ \_ __ \
\ / / __ \| | \ \___| Y | |( \ / | | \/
\/\_/ (____ |__| \___ |___|__|__ | \__ / \/\_/ |__|
\/ \/ \/
watchTowr-vs-SmarterMail-CVE-2025-52691.py
(*) CVE-2025-52691 Detection Artifact Generator: SmarterMail Path Traversal Leading to Unauthenticated RCE
- Piotr (@chudyPB) and Sina Kheirkhah (@SinSinology) of watchTowr (@watchTowrcyber)
[-] NOT VULNERABLE - patch applied (INVALID_GUID error message appeared)
```
# Description
This script attempts to detect if SmarterMail is vulnerable to CVE-2025-52691 Pre-Auth RCE.
# Affected Versions
`< SmarterMail 9413`
`<= SmarterMail 16.3.6989.16341`
# Follow [watchTowr](https://watchTowr.com) Labs
For the latest security research follow the [watchTowr](https://watchTowr.com) Labs Team
- https://labs.watchtowr.com/
- https://x.com/watchtowrcyber