Share
## https://sploitus.com/exploit?id=6606FF86-B0C3-5F79-86FC-D1ECF954E132
# CVE-2025-52691

**SmarterMail Unauthenticated Arbitrary File Upload RCE**

## Overview

Critical unauthenticated arbitrary file upload allowing remote code execution.

| Field | Value |
|-------|-------|
| Product | SmarterMail |
| Affected | Build 9406 and earlier |
| CVSS | 10.0 (Critical) |
| Type | Arbitrary File Upload |
| Vector | HTTP (unauthenticated) |
| Impact | Remote Code Execution |

## Attack Flow

```mermaid
flowchart LR
    A[Attacker] --> B["Find Upload Endpoint"]
    B --> C["/api/upload"]
    C --> D["Upload ASPX Shell"]
    D --> E["Path Traversal"]
    E --> F["../wwwroot/"]
    F --> G["Access Shell"]
    G --> H["RCE as IIS User"]
```

## Technical Details

The vulnerability allows unauthenticated attackers to upload arbitrary files to any server location. By uploading an ASPX webshell to the webroot, attackers achieve code execution.

**Attack Steps:**
1. Upload ASPX webshell via vulnerable endpoint
2. Use path traversal to write to wwwroot
3. Access uploaded shell via HTTP
4. Execute arbitrary commands

## Usage

```bash
python exploit.py https://mail.target.com

python exploit.py https://mail.target.com -c "whoami"

python exploit.py https://mail.target.com -c "net user"
```

## Parameters

| Flag | Description | Default |
|------|-------------|---------|
| `-c, --command` | Command to execute | none |
| `-t, --timeout` | Request timeout | 30 |
| `--check-only` | Only check if alive | off |

## Requirements

```
requests
```

## Mitigation

- Update to SmarterMail Build 9413 or later
- Restrict access to management interfaces
- Implement WAF rules

## Disclaimer

For authorized security testing only.