Share
## https://sploitus.com/exploit?id=FA874BEE-7043-529F-905E-A808D4D7A2E3
# CVEโ€‘2025โ€‘52691 โ€“ SmarterMail Arbitrary File Upload Vulnerability

## Overview
CVEโ€‘2025โ€‘52691 is a critical **unauthenticated arbitrary file upload** flaw that affects SmarterMail servers (build 9406 and earlier).  
An attacker can upload any file to any location on the server without authentication, which can lead to remote code execution (RCE) if the uploaded file is a webshell or a malicious binary.

---

## Technical Details
- **Target:** SmarterTools SmarterMail (Build 9406 and older).  
- **Exploit vector:** The server accepts file uploads from an unauthenticated endpoint.  
- **Result:** The attacker can place an ASPX webshell in the webroot (`wwwroot`) and execute arbitrary commands.

---

## Attack Flow
1. **Upload an ASPX webshell** to the vulnerable endpoint.  
2. **Use path traversal** to write the file to the `wwwroot` directory.  
3. **Access the uploaded shell** via a web browser.  
4. **Execute arbitrary commands** on the server.

---


## Installation

The exploit script depends on a few Python packages.  Install them before running the
script:

```bash
pip install -r requirements.txt
```
---

## Usage

The provided `exploit.py` script automates the steps above.

```bash
# Basic usage: upload a shell and try to reach the target
python exploit.py https://example.com

# Execute a command after uploading the shell
python exploit.py https://example.com -c "whoami"

# Run a command that creates a new local user
python exploit.py https://example.com -c "net user"
```

### Parameters

| Flag | Description | Default |
|------|-------------|---------|
| `-c, --command` | Command to execute on the target after uploading the shell. If omitted, the script only uploads the shell. | *none* |
| `-t, --timeout` | HTTP request timeout in seconds. | 30 |
| `--check-only` | Verify that the target is vulnerable **without** uploading a shell. | off |

---

## Remediation
- Update SmarterMail to a **build newer than 9406**.  
- Apply the official patch released by SmarterTools.  
- Disable unauthenticated file uploads or restrict them to safe directories.

---

## File Reference
The vulnerability is demonstrated in the following file:

- `exploit.py` โ€“ Contains the exploit logic and result enumeration (`ExploitResult`).