kcheung
Staff
February 26, 2026

FortiGuard Outbreak Alert: SmarterTools SmarterMail RCE

Description

SmarterTools SmarterMail is an on-premises email server and webmail solution designed as an alternative to Microsoft Exchange.


CVE-2025-52691 is an arbitrary file upload vulnerability in SmarterTools SmarterMail that allows an unauthenticated attacker to upload files to arbitrary locations on the mail server. Files can therefore be written to sensitive paths (such as web-accessible directories or system libraries), potentially leading to remote code execution.


CVE-2025-52691 has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog as of January 26, 2026, indicating confirmed exploitation in the wild.


The following versions of SmarterTools SmarterMail are vulnerable to CVE-2025-52691:

  • < 9413
  • ≤ 16.3.6989.16341

CVE ID

CVE-2025-52691.

NDR Cloud Detection Rule

FortiNDR Cloud v26.1.a+

  • Detection Rule Name: FortiGuard Outbreak Alert: SmarterTools SmarterMail Arbitrary File Upload - CVE-2025-52691
  • Category: Attack: Exploitation
  • Primary MITRE ID: T1190 - Exploit Public-Facing Application

Playbook 

N/A.

Threat Hunting

FortiNDR Cloud users can use the following IOCs from Fortinet to hunt for 'SmarterTools SmarterMail RCE' related activities.
IOC source: SmarterTools SmarterMail RCE | Indicators of Compromise.
All IOCs relating to 'SmarterTools SmarterMail RCE' have been added to FortiNDR Cloud Threat Intelligence Intel Feed.

Suricata Coverage

Customers can create custom investigations/detections using the Suricata signature below:
2066715 -> ET WEB_SPECIFIC_APPS SmarterTools SmarterMail Arbitrary File Upload Attempt (CVE-2025-52691)
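
For sensors that log Suricata alerts in the standard EVE JSON format, the following Python script (an added example, not Fortinet's or the page's own code) triages hits on signature 2066715 by targeted server. The sample log lines are constructed, and treating `dest_ip` as the mail server is an assumption about the rule's direction.

```python
import json
from collections import defaultdict

SID = 2066715  # Suricata signature ID given on this page

# Constructed EVE JSON sample (documentation IP ranges), not real telemetry.
# Includes a different (made-up) SID, a non-alert event and a truncated line.
SAMPLE_EVE = """\
{"timestamp":"2026-02-20T10:01:02.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","alert":{"signature_id":2066715,"action":"allowed"}}
{"timestamp":"2026-02-20T09:15:40.000000+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.0.2.10","alert":{"signature_id":2066715,"action":"blocked"}}
{"timestamp":"2026-02-20T09:20:00.000000+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.0.2.11","alert":{"signature_id":1000001,"action":"allowed"}}
{"timestamp":"2026-02-20T09:21:00.000000+0000","event_type":"http","src_ip":"203.0.113.5","dest_ip":"192.0.2.10"}
{"timestamp":"2026-02-20T09:22:00.000000+0000","event_type":"alert","src_ip":"203.0
"""

def hunt(lines, sid=SID):
    """Group alerts for `sid` by destination (assumed: the mail server)."""
    hits = defaultdict(lambda: {"count": 0, "allowed": 0, "sources": set(),
                                "first": None, "last": None})
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or rotated log lines
        if not isinstance(ev, dict) or ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert") or {}
        if alert.get("signature_id") != sid:
            continue
        h = hits[ev.get("dest_ip", "unknown")]
        h["count"] += 1
        h["sources"].add(ev.get("src_ip", "unknown"))
        # "allowed" means the sensor did not drop the traffic: check that host first
        if alert.get("action") == "allowed":
            h["allowed"] += 1
        # Assumes all timestamps share one ISO 8601 format, so strings sort by time
        ts = ev.get("timestamp", "")
        h["first"] = min(h["first"] or ts, ts)
        h["last"] = max(h["last"] or ts, ts)
    return dict(hits)

if __name__ == "__main__":
    for server, h in hunt(SAMPLE_EVE.splitlines()).items():
        print(f"{server}: {h['count']} alert(s), {h['allowed']} not blocked, "
              f"sources={sorted(h['sources'])}, {h['first']} .. {h['last']}")
```

Servers with a non-zero "not blocked" count are the ones to check first against the vulnerable versions listed above.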

Other Fortinet Products

For more details regarding mitigating the vulnerability by utilizing Fortinet products, please refer to SmarterTools SmarterMail RCE.