PRP: SmarterMail CVE-2025-52691 Pre-Auth RCE

[learningat2002]

• Identifier of the vulnerability: CVE-2025-52691

• Affected software: SmarterTools SmarterMail

• Type of vulnerability: Pre-Authentication Remote Code Execution (Arbitrary File Write → RCE)

• Requires authentication: No

• Language you would use for writing the plugin: Templated plugins (sufficient, as the vulnerability is triggered through a deterministic HTTP request and does not require complex logic beyond request construction and response validation)

• Resources:

  • Research analysis by w/atchTowr Labs : https://labs.watchtowr.com/do-smart-people-ever-say-theyre-smart-smartertools-smartermail-pre-auth-rce-cve-2025-52691
  • Vendor advisory from the Cyber Security Agency of Singapore (CSA)

[github-actions]

Welcome to the Tsunami patch reward program!

Your issue has been added to our triage queue and will reviewed
shortly. The panel usually takes a decision once per week, so it
can take up to a week before you hear back from us.

Please, do not start the work until the panel has reached a
decision. Although we always welcome contributions, unapproved
work is not eligible for a reward.

~The Tsunami PRP team

[github-actions]

This message is addressed to the Tsunami panel.

Contributor stats

• The contributor has 0 issues tagged as main;
• The contributor has 0 issues tagged as queue.

Useful links

• All open issues from this contributor
• All open PRs from this contributor