Do smart people ever say they’re smart? SmarterTools Smarter...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://labs.watchtowr.com/do-smart-people-ever-say-theyre-smart-smartertools-smartermail-pre-auth-rce-cve-2025-52691/
• Blog Title: Do smart people ever say they’re smart? SmarterTools SmarterMail pre-auth RCE (CVE-2025-52691)
• Suggested Section: Pentesting Web -> File Upload (or File Inclusion/Path traversal) -> Unauthenticated arbitrary file write via upload path traversal -> IIS/ASP.NET (.aspx) webshell RCE

🎯 Content Summary

This post reverse-engineers and reproduces CVE-2025-52691, a pre-auth (unauthenticated) remote code execution issue in SmarterTools SmarterMail that can be exploited as an unauthenticated arbitrary file write and then turned into IIS/ASP.NET code execution by writing an .aspx file into a web-accessible directory. The blog notes the vulnerability was fixed in build 9413 (released Oct 10, 2025), while disclosure/advisory occurred in ...

🔧 Technical Details

Pre-auth arbitrary file write by abusing JSON-deserialized fields used in path construction: If an unauthenticated upload endpoint accepts a JSON form field (e.g., contextData) that is deserialized (e.g., via JSON.NET) into an object with a public settable property (e.g., guid), and that property is later embedded into a generated filename (e.g., att_{CleanGuid(guid)}_{n}.{ext}) without strict normalization and traversal checks, an attacker can inject traversal sequences (e.g., ../../..) to escape the intended directory. If the final path is built by naive string formatting/concatenation (directory + "/" + filename) rather than canonicalized join + validation, the upload becomes an unauthenticated arbitrary file write primitive.

Reliable RCE on IIS by combining traversal-based write + attacker-controlled executable extension: If the saved extension is derived from an attacker-controlled filena...

🤖 Agent Actions

Summary:

• Added a new SmarterMail (CVE-2025-52691) subsection to the File Upload page detailing the unauthenticated /api/upload abuse, GUID-based path traversal in filename generation, extension control, response leakage of final path, and ASPX webshell RCE flow with a collapsible PoC request.
• Updated references to include the watchTowr writeup and detection artifact generator repo.

Testing:

• Not run (not applicable).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://labs.watchtowr.com/do-smart-people-ever-say-theyre-smart-smartertools-smartermail-pre-auth-rce-cve-2025-52691/

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> File Upload (or File Inclusion/Path traversal) -> Unauthenticated arbitrary file write via upload path traversal -> IIS/ASP.NET (.aspx) webshell RCE".

Repository Maintenance:

• MD Files Formatting: 936 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0