CVE-2026-25067
📋 TL;DR
SmarterMail versions before build 9518 have an unauthenticated path coercion vulnerability that allows attackers to force the service to authenticate to malicious SMB servers via UNC paths. This affects all Windows systems running vulnerable SmarterMail versions, potentially exposing domain credentials to attackers.
💻 Affected Systems
- SmarterTools SmarterMail
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers capture domain administrator credentials via NTLM relay, leading to full domain compromise and lateral movement across the network.
Likely Case
Attackers capture service account or user credentials, enabling unauthorized access to email systems and potentially other network resources.
If Mitigated
With proper network segmentation and SMB restrictions, impact is limited to service disruption or failed authentication attempts.
🎯 Exploit Status
Exploitation requires setting up a malicious SMB server but is straightforward once configured. No authentication needed to trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 9518 or later
Vendor Advisory: https://www.smartertools.com/smartermail/release-notes/current
Restart Required: Yes
Instructions:
1. Download SmarterMail build 9518 or later from the SmarterTools website.
2. Back up the current installation.
3. Run the installer to upgrade.
4. Restart the SmarterMail service.
🔧 Temporary Workarounds
Block Outbound SMB from SmarterMail Server
Windows: Prevent the SmarterMail service from making outbound SMB connections, so a coerced UNC lookup cannot reach an attacker's SMB server. The rule is scoped to the service binary, so adjust the path if SmarterMail is installed elsewhere.
New-NetFirewallRule -DisplayName "Block SmarterMail SMB Outbound" -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block -Program "C:\Program Files\SmarterTools\SmarterMail\Service\SmarterMail.Service.exe"
Restrict SMB to Trusted Hosts
Windows: Only allow SMB connections to authorized internal servers. Windows Defender Firewall evaluates block rules before allow rules, so pairing the allow rule with a catch-all block rule on port 445 would also block the trusted subnet. An outbound allow-list therefore works by setting the profile's default outbound action to Block and keeping only the explicit allow rule (every other outbound service the server needs then also requires its own allow rule). Replace 192.168.1.0/24 with your trusted range.
New-NetFirewallRule -DisplayName "Allow SMB Only to Trusted" -Direction Outbound -Protocol TCP -RemotePort 445 -RemoteAddress 192.168.1.0/24 -Action Allow
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
🧯 If You Can't Patch
- Segment SmarterMail server to prevent outbound SMB to untrusted networks
- Monitor for outbound SMB authentication attempts from SmarterMail server
🔍 How to Verify
Check if Vulnerable:
Check the SmarterMail version in the admin interface. If the version is below build 9518, the system is vulnerable.
Check Version:
Check the SmarterMail admin dashboard, or examine the version files in the installation directory.
Verify Fix Applied:
Confirm version is build 9518 or higher in admin interface and test that UNC path requests no longer trigger SMB authentication.
📡 Detection & Monitoring
Log Indicators:
- Failed SMB authentication attempts from SmarterMail service account
- Requests to the /background-of-the-day endpoint whose parameters contain a UNC path (\\host\share, possibly percent-encoded as %5C%5C) in web server logs
Network Indicators:
- Outbound SMB connections from SmarterMail server to unusual external IPs
- NTLM authentication traffic from SmarterMail server
SIEM Query:
source="SmarterMail" AND (url="*background-of-the-day*" OR event="SMB*" OR destination_port=445)
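The two log indicators above, implemented as an added detection example (not part of the advisory or of SmarterMail itself): it scans constructed web-server and connection-log lines for UNC paths sent to the /background-of-the-day endpoint and for outbound TCP/445 connections to hosts outside a trusted range, then correlates the UNC host with the SMB destination. The log field layout and the `path=` query parameter name are assumptions.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Constructed sample lines (not real SmarterMail logs). Assumed layout:
# web log:  date time client-ip method uri query status
# conn log: date time src-ip dst-ip dst-port proto
WEB_LOG = """\
2026-02-01 10:00:01 10.0.0.5 GET /api/v1/settings/background-of-the-day path=%5C%5C203.0.113.9%5Cshare%5Cbg.jpg 200
2026-02-01 10:00:02 10.0.0.5 GET /api/v1/settings/background-of-the-day path=/images/bg.jpg 200
2026-02-01 10:00:03 10.0.0.7 GET /login - 200
"""
CONN_LOG = """\
2026-02-01 10:00:01 10.0.0.5 203.0.113.9 445 TCP
2026-02-01 10:00:05 10.0.0.5 192.168.1.20 445 TCP
2026-02-01 10:00:06 10.0.0.5 8.8.8.8 53 UDP
"""

TRUSTED = [ip_network("192.168.1.0/24")]  # internal file servers SMB may legitimately reach
UNC_RE = re.compile(r"\\\\([\w.-]+)[\\/]")  # \\host\ ... after percent-decoding

def find_unc_requests(log):
    """Return (timestamp, unc_host) for background-of-the-day requests carrying a UNC path."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 6 or "background-of-the-day" not in parts[4]:
            continue
        m = UNC_RE.search(unquote(parts[5]))  # decode %5C%5C -> \\ before matching
        if m:
            hits.append((parts[0] + " " + parts[1], m.group(1)))
    return hits

def find_untrusted_smb(log, trusted=TRUSTED):
    """Return (timestamp, dst_ip) for outbound TCP/445 connections leaving the trusted ranges."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[4] != "445" or parts[5] != "TCP":
            continue
        dst = ip_address(parts[3])
        if not any(dst in net for net in trusted):
            hits.append((parts[0] + " " + parts[1], str(dst)))
    return hits

def correlate(unc_hits, smb_hits):
    """Hosts named in a UNC request that the server then actually connected to on 445."""
    return {host for _, host in unc_hits} & {dst for _, dst in smb_hits}

if __name__ == "__main__":
    unc, smb = find_unc_requests(WEB_LOG), find_untrusted_smb(CONN_LOG)
    print("UNC requests:", unc, "\nuntrusted SMB:", smb, "\ncorrelated:", correlate(unc, smb))
```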