Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.
The vulnerability (CWE-434 — unrestricted upload of file with dangerous type) allows an unauthenticated attacker to upload a file of any type to a selected location on the server. The lack of user identity verification and lack of control over the type and destination of the uploaded file means that an attacker can place, for example, a webshell or other malicious executable code directly on the server. Then the attacker can call the uploaded file remotely, gaining full control of the mail server environment.
An attacker can obtain the ability to remotely execute arbitrary code (RCE) on the mail server without any authentication, which means complete takeover of the system, access to stored email messages, and potential ability to perform lateral movement within the internal network.
Apply patches available from the vendor (SmarterTools) immediately according to the references. Due to active exploitation of the vulnerability in production environments (CISA KEV), the update should be performed immediately. Until the patch is deployed, it is recommended to restrict network access to SmarterMail interfaces and increase monitoring of server logs for suspicious file upload operations.
SmarterMail product by SmarterTools — versions indicated in the vendor references and in the watchTowr Labs analysis (GitHub reference).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HSmartertools Smartermail
APPSmartertools< 100.0.9413
CISA KEV — detailsi
- Vendori
- SmarterTools ↗
- Producti
- SmarterMail
- Added to KEVi
- January 26, 2026
- Remediation deadline (US Federal)i
- February 16, 2026(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
SmarterTools SmarterMail contains an unrestricted upload of file with dangerous type vulnerability that could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.
Related vulnerabilities
SmarterMail – nieuwierzytelnione RCE przez ConnectToHub API
Pominięcie uwierzytelnienia w API resetowania hasła SmarterMail
SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows remote code execution.
SmarterTools SmarterMail 16.x before build 6985 allows deserialization of untrusted data. An unauthenticated a...
SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the /api/v1/repo...