The server deserializes the data, inadvertently executing the attacker's code and granting them a remote shell or the ability to deploy malware. Remediation and Defense This issue was addressed in Build 6985
Log into SmarterMail as System Admin → Settings → About SmarterMail. If your build number is lower than 16.3.7005, proceed immediately.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added multiple SmarterMail vulnerabilities (including CVE-2025-52691, CVE-2026-23760, and CVE-2019-7214) to its Known Exploited Vulnerabilities (KEV) catalog, underscoring that these are not theoretical flaws but are actively being weaponized by real-world threat actors. This has made SmarterMail servers a primary target for various cybercriminal groups, including ransomware gangs like "Warlock," who have been observed leveraging these exploits in their attacks. Furthermore, the ease of access to these exploits is a major problem: cybercriminals share detailed attack tools and guidance on public platforms like Telegram, making it simple for even low-skilled attackers to compromise vulnerable servers.
The exploit targets SmarterMail's use of . The software exposes three specific endpoints on TCP port 17001: /Servers, /Mail, /Spool
This security flaw allows unauthenticated attackers to achieve Remote Code Execution (RCE)
or later. In newer versions, port 17001 is no longer publicly accessible. Workaround
The SmarterMail application receives this request and, trusting the authenticated admin session, executes the string in the commandMount field as a system command on the underlying operating system.
SmarterMail versions prior to Build 6985 exposed three .NET remoting endpoints on port 17001: /Servers, /Mail, and /Spool.
Hunt and detection ideas
This is not a theoretical risk. It is an active, ongoing threat that has been widely documented.
The most prominent of these newer vulnerabilities include:
Administrators should upgrade to at least Build 7040 or the latest current release. If you cannot update immediately, block external access to port 17001 at the network perimeter.
These endpoints were designed for internal communication but were frequently exposed to the public internet. The vulnerability occurred because these endpoints performed . An attacker could send a specially crafted serialized .NET object through a TCP socket to one of these endpoints, which the server would then "unpack" and execute. Impact of the Exploit
vector if a low-privileged user already has access to the server. Context within Modern Threats