SmarterMail fixed a CVSS 10 and told no one for two months
CVE-2025-52691 is a pre-auth RCE in SmarterMail's file upload API. SmarterTools patched it silently in October 2025 with no CVE, no advisory, and release notes that said 'critical security fixes.' watchTowr found the silent fix two months later. Here's why that matters.
In October 2025, SmarterTools patched a CVSS 10.0 unauthenticated remote code execution vulnerability in SmarterMail. They assigned no CVE. They published no advisory. The release notes for Build 9413 said “IMPORTANT: Critical security fixes.” That was it. For the next two and a half months, every SmarterMail administrator who hadn’t happened to update was running a server with a single-request, no-auth path to SYSTEM-level code execution, and had no way of knowing it.
watchTowr found the silent fix in late December by diffing SmarterMail builds. They published the full technical analysis on January 8, 2026. CISA added CVE-2025-52691 to the KEV catalog on January 26. By then, Censys was counting 16,109 exposed and potentially vulnerable instances.
The bug
The vulnerability is in SmarterMail’s file upload API at POST /api/upload. The controller is marked [AllowAnonymous], so no authentication is required. The request accepts a contextData JSON blob with a guid property. The guid is passed directly into the file path construction with no sanitization. Set it to dag/../../../../../../../inetpub/wwwroot/shell, attach an .aspx web shell as the file body, and the shell lands in the IIS webroot. Visit the URL. SYSTEM.
No extension blocklist. No path validation. No authentication check. SmarterMail does run ClamAV on uploads, but watchTowr confirmed it didn’t catch a basic web shell payload. The entire attack is two HTTP requests: one POST to drop the shell, one GET to execute it.
CVSS 10.0: network-accessible, low complexity, no privileges, no user interaction, scope changed, full impact across confidentiality, integrity, and availability. It is difficult to score higher.
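The pattern the post describes, as an added illustration in Python rather than SmarterMail's actual .NET code: a guid lifted from contextData and joined straight into a path, beside a hardened version that accepts only a canonical UUID and then confines the resolved path. UPLOAD_ROOT and the function names are assumptions, not anything from the product.

```python
import json
import uuid
from pathlib import Path

# Constructed location; SmarterMail's real upload directory is not given in the post.
UPLOAD_ROOT = Path("/srv/smartermail-uploads").resolve()

def naive_upload_path(context_data: str) -> Path:
    """Hypothetical weak pattern: the client-supplied guid is joined into the path as-is."""
    guid = json.loads(context_data)["guid"]
    return UPLOAD_ROOT / guid / "upload.bin"

def hardened_upload_path(context_data: str) -> Path:
    """Accept only a canonical UUID, then confine the resolved path under UPLOAD_ROOT."""
    raw = str(json.loads(context_data).get("guid", ""))
    try:
        guid = uuid.UUID(raw)                  # rejects traversal strings, empty values, garbage
    except ValueError:
        raise ValueError("guid is not a valid UUID") from None
    if str(guid) != raw.lower():               # refuse {braces}, urn:uuid:, unhyphenated forms
        raise ValueError("guid is not in canonical form")
    target = (UPLOAD_ROOT / str(guid) / "upload.bin").resolve()
    if UPLOAD_ROOT not in target.parents:      # defence in depth: never trust the join alone
        raise ValueError("resolved path escapes the upload root")
    return target

def is_under_upload_root(p: Path) -> bool:
    """True when the resolved path sits below UPLOAD_ROOT (used to show the naive escape)."""
    return UPLOAD_ROOT in p.resolve().parents
```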
The silence
SmarterTools learned about the vulnerability from Chua Meng Han of Singapore’s Centre for Strategic Infocomm Technologies (CSIT), who reported it responsibly. The fix shipped in Build 9413 on October 9, 2025. The responsible part ended there.
No CVE was requested. No security advisory was published. No notification went to customers. The release notes said “critical security fixes,” a phrase that covers everything from an XSS in the help page to full pre-auth RCE. SmarterMail has no auto-update mechanism. Every installation requires a manual download-uninstall-reinstall cycle. An administrator who reads “critical security fixes” with no further context has to decide whether that warrants emergency maintenance or can wait for the next scheduled window. Without details, most will wait.
watchTowr discovered the silent fix roughly two months later by decompiling the .NET assemblies across builds. The diff between Build 9406 and Build 9413 showed new GUID validation logic in FileUploadController.Upload(). Going from the diff to a working exploit took them no time at all. The blog post title, “Do Smart People Ever Say They’re Smart?”, captures the thesis: if a security researcher can reverse-engineer the fix by diffing builds, so can an attacker. The silence protected no one who needed protecting.
Singapore’s CSA issued advisory AL-2025-124 on December 29, 2025. The CVE was assigned by CSA acting as CNA, not by SmarterTools. CISA added it to the KEV catalog on January 26, 2026, with a federal remediation deadline of February 16. That’s four months after the patch was available. Four months during which an administrator who skipped a routine update had no signal that their server carried the worst possible CVSS score.
This is not new and it keeps happening
Rapid7 published “The Hidden Harm of Silent Patches” in 2022. The argument is straightforward: a silent patch is full disclosure to exactly the wrong audience. Skilled attackers diff builds as a matter of routine. The people left in the dark are defenders, pen testers, SIEM teams, and detection vendors who rely on advisories to build signatures and triage patching priority.
Fortinet did the same thing in late 2025, shipping a fix for a critical FortiWeb flaw with no advisory. The vulnerability was already being exploited before Fortinet disclosed it. JetBrains tried it with TeamCity in 2024; Rapid7 rejected the approach and published full details independently.
SmarterTools’ case is worse in one respect. Fortinet and JetBrains are large vendors with security response teams; the silent patch was a deliberate strategy, defensible or not. SmarterTools appears to have simply not issued an advisory at all. No CVE request. No coordinated disclosure timeline. No customer notification. Just a build with vague release notes and silence.
SmarterTools CEO Tim Uzzanti later acknowledged the issue and said the company intended to begin proactive CVE notifications. The company does maintain a CVE portal page at portal.smartertools.com, but its content lags significantly behind discovery timelines.
The exposure math
Censys counted 16,109 exposed instances at time of disclosure. Shadowserver found 42.6% of scanned SmarterMail hosts had not patched to Build 9413 or later. Less than 1% patched in the first week after public disclosure.
SmarterMail’s primary market is web hosting providers and ISPs who resell mailboxes to SMB clients. One compromised hosting instance means every mailbox on that server: email content, attachments, calendars, contacts, admin credentials for all hosted domains. The blast radius is not one organization; it’s every downstream tenant.
And CVE-2025-52691 was just the first. Two more critical SmarterMail vulnerabilities (CVE-2026-23760 and CVE-2026-24423) were added to the KEV catalog within the next ten days. Storm-2603 used one of them to breach SmarterTools’ own infrastructure and deploy Warlock ransomware. Three independent unauthenticated RCE paths in one mail server product, all hitting the KEV catalog in under two weeks. CVE-2025-52691 was likely the vulnerability that put SmarterMail on attackers’ radar.
What to do about it
If you’re still below Build 9413: you are vulnerable to a public, weaponized, Metasploit-module-available RCE with no authentication requirement. Patch immediately. Current release is Build 9610.
Check for compromise. Scan your IIS webroot (C:\inetpub\wwwroot\) for unexpected .aspx, .ashx, .cer, or .soap files created after October 2025. Check IIS logs for POST /api/upload with path traversal sequences in the request body. Look for w3wp.exe spawning cmd.exe or powershell.exe. watchTowr published a Detection Artifact Generator on GitHub that can confirm exploitability non-destructively.
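A triage pass over IIS logs for the sequence described above, written as an added example (not from the post, watchTowr, or SmarterTools). IIS W3C logs do not record POST bodies by default, so the traversal string itself is not visible there; the script instead correlates a POST to the anonymous /api/upload endpoint with a later GET, from the same client, of a script file (.aspx/.ashx/.cer/.soap) that no earlier request had fetched. It assumes the default W3C field set, and the log lines are constructed.

```python
"""Flag /api/upload POSTs followed by the first-ever fetch of a script file.

Added example; the log below is constructed and uses the default IIS W3C fields.
Legitimate admin uploads produce no hit unless the same client then requests a
script path the log has never seen, which is exactly the sequence worth a look.
"""
import re

SCRIPT_EXT = re.compile(r"\.(aspx|ashx|cer|soap)$", re.IGNORECASE)

SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-11-02 03:14:05 10.0.0.5 GET /interface/root - 443 - 203.0.113.9 Mozilla/5.0 200
2025-11-02 03:14:09 10.0.0.5 POST /api/upload - 443 - 203.0.113.9 python-requests/2.31 200
2025-11-02 03:14:11 10.0.0.5 GET /shell.aspx - 443 - 203.0.113.9 python-requests/2.31 200
2025-11-02 09:00:00 10.0.0.5 POST /api/upload - 443 admin@example.test 198.51.100.4 Mozilla/5.0 200
2025-11-02 09:00:03 10.0.0.5 GET /interface/root - 443 admin@example.test 198.51.100.4 Mozilla/5.0 200
"""

def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def find_upload_then_script(log_text):
    """Return (client, upload_timestamp, script_path) for each suspicious sequence."""
    seen_scripts = set()   # script paths requested at any earlier point in the log
    last_upload = {}       # client ip -> timestamp of its most recent /api/upload POST
    hits = []
    for rec in parse_w3c(log_text):
        stem, client = rec["cs-uri-stem"], rec["c-ip"]
        when = f'{rec["date"]} {rec["time"]}'
        if rec["cs-method"] == "POST" and stem.lower() == "/api/upload":
            last_upload[client] = when
        elif rec["cs-method"] == "GET" and SCRIPT_EXT.search(stem):
            if stem not in seen_scripts and client in last_upload:
                hits.append((client, last_upload[client], stem))
            seen_scripts.add(stem)
    return hits

if __name__ == "__main__":
    for client, when, path in find_upload_then_script(SAMPLE_LOG):
        print(f"{client} uploaded at {when}, then fetched new script {path}")
```

Run it against your real u_ex*.log files by reading them into find_upload_then_script; a hit is a lead to check against the webroot file timestamps and w3wp.exe child processes mentioned above, not proof of compromise on its own.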
Set expectations for this vendor. SmarterMail has a documented pattern of pre-authentication vulnerabilities stretching back to at least 2019 (CVE-2019-7214, CVSS 9.8, .NET deserialization). The disclosure practices are not at the level that a product handling email for 15 million users should maintain. If you run SmarterMail, your patching cadence needs to account for the fact that critical fixes may ship without any indication of urgency.
The broader lesson is simpler. “Critical security fixes” in a release note, with no CVE and no advisory, is not disclosure. It’s the vendor equivalent of mumbling. The fix was there. The information was not. And for two months, the only people who could read between the lines were the people you least wanted reading them.
PatchDay Alert covered CVE-2026-24423, the ConnectToHub RCE from this same cluster, earlier this week. If you run SmarterMail, both posts apply to you.
Sources
- watchTowr - Do Smart People Ever Say They're Smart? (CVE-2025-52691)
- NVD - CVE-2025-52691
- Singapore CSA Advisory AL-2025-124
- Censys Advisory - CVE-2025-52691
- watchTowr Detection Artifact Generator (GitHub)
- CISA Adds Five Known Exploited Vulnerabilities (Jan 26, 2026)
- Rapid7 - The Hidden Harm of Silent Patches
- Shadowserver - 6,000+ vulnerable SmarterMail servers
- The Hacker News - CSA Alert on SmarterMail RCE
- Penligent - Anatomy of CVE-2025-52691
- SmarterTools CVE Advisory Portal