SmarterTools SmarterMail RCE

What is the Vulnerability?

An actively targeted vulnerability has been identified in SmarterTools SmarterMail, tracked as CVE-2025-52691, with a CVSS score of 10.0 (Critical). The flaw allows unauthenticated attackers to upload arbitrary files to any location on the mail server, potentially resulting in remote code execution (RCE).

SmarterTools SmarterMail is an email and collaboration server positioned as an alternative to Microsoft Exchange. CVE-2025-52691 has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog as of January 26, 2026, indicating confirmed exploitation in the wild.

Successful exploitation could allow threat actors to gain full control of the affected mail server, deploy web shells, establish persistence, and pivot deeper into the environment. Public technical analysis and exploit research indicate active attacker interest and weaponization.

What is the recommended Mitigation?

• The vulnerability affects SmarterMail build 9406 and earlier. Immediately upgrade SmarterMail to the latest patched version provided by SmarterTools.
• Restrict external access to SmarterMail management interfaces where possible.
• Monitor for indicators of compromise, including unexpected file uploads, new web-accessible files, and anomalous process execution.
• Conduct a post-patch security review to identify potential prior exploitation.
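
One way to run the "new web-accessible files" check during the post-patch review, as an added example (not FortiGuard or SmarterTools code). It assumes an IIS/ASP.NET-style web root; the extension list, the `find_recent_web_files` name, the web-root path and the cutoff date are all assumptions to be set by the reviewer.

```python
import os
import sys
from datetime import datetime, timezone
from pathlib import Path

# Assumption: the mail server's web front end is an IIS/ASP.NET application,
# so these are the extensions that could execute or reconfigure it.
WEB_EXTS = {".aspx", ".ashx", ".asmx", ".asp", ".cshtml", ".config", ".dll", ".exe"}


def find_recent_web_files(root, since, exts=WEB_EXTS, time_fields=("st_mtime",)):
    """List (path, utc_timestamp) for files under `root` that have a
    web-executable extension and a timestamp at or after `since`.

    On Windows, pass time_fields=("st_mtime", "st_ctime") to also consider
    creation time, which reflects when the file arrived on disk even if the
    modified time was carried over from elsewhere.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in exts:
                continue
            try:
                st = path.stat()
            except OSError:
                continue  # removed or unreadable while scanning
            newest = max(getattr(st, field) for field in time_fields)
            stamp = datetime.fromtimestamp(newest, tz=timezone.utc)
            if stamp >= since:
                hits.append((str(path), stamp))
    # Timestamps can be altered, so hits are triage leads and an empty
    # result does not prove the host is clean.
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    # Usage: python sweep.py <web_root> <YYYY-MM-DD>
    # <web_root> is a placeholder for the site's web-accessible directory.
    web_root, day = sys.argv[1], sys.argv[2]
    cutoff = datetime.fromisoformat(day).replace(tzinfo=timezone.utc)
    for path, stamp in find_recent_web_files(web_root, cutoff):
        print(f"{stamp.isoformat()}  {path}")
```

Compare each hit against the vendor's installed file set for the patched build before treating it as attacker-placed.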

What FortiGuard Coverage is available?

• FortiGuard Intrusion Prevention System (IPS) Service: FortiGuard IPS Service is available to detect and block exploit attempts targeting CVE-2025-52691.
• FortiGuard Antivirus & Behavior Detection: Delivers protection against known malware and uses advanced behavioral analysis to detect and block unknown threats.
• Indicators of Compromise (IOCs) Service: FortiGuard Labs has blocked all known linked IOCs, and the team is continuously monitoring for emerging threats and new IOCs.
• FortiGuard Incident Response: Organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.

Outbreak Alert

This report provides an overview of ongoing Iran-linked cyber operations, highlighting activity attributed to state-aligned proxies and hacktivist groups. The vulnerabilities listed are suspected to be exploited by actors associated with Iran in real-world campaigns, consistent with observed tactics, techniques, and procedures (TTPs). Iran-linked operations continue to rely on distributed, lower-complexity techniques, including phishing, DDoS, data exfiltration, and destructive attacks. Initial access is primarily achieved through exploitation of known, unpatched vulnerabilities and exposed edge infrastructure, reflecting a persistent and opportunistic threat posture targeting government, critical infrastructure, and enterprise environments.

Additional Resources

Huntress Blog