A technical deep-dive into CVE-2025-52691, a CVSS 10.0 pre-authentication RCE vulnerability in SmarterTools SmarterMail. The vulnerability stems from an unauthenticated file upload endpoint (/api/upload) that accepts a user-controlled 'guid' parameter without validation, enabling path traversal. By crafting a multipart/form-data POST request with a malicious guid value containing directory traversal sequences and an .aspx webshell payload, an attacker can write arbitrary files outside the intended upload directory and achieve remote code execution. The patch (build 9413) added GUID validation but was silently released ~3 months before public disclosure, raising concerns about responsible disclosure timelines. A detection artifact generator is provided on GitHub.
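As an added illustration of the two halves of this story (it is not watchTowr's detection artifact generator and not SmarterMail code), the block below parses a multipart/form-data body of the shape described, triages the 'guid' field for traversal, and shows the server-side check that the patch's GUID validation amounts to. It assumes the form field names "guid" and "file", a canonical hyphenated GUID format, a placeholder upload root, and constructed request bodies.

```python
import re
from email.parser import BytesParser
from email.policy import default
from pathlib import PurePosixPath
from urllib.parse import unquote
# Allow-list: only a canonical hyphenated GUID (8-4-4-4-12 hex) passes; format is an assumption.
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
BOUNDARY = "----constructed-example-boundary"  # constructed fixture, not a real capture
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"

def is_valid_guid(value: str) -> bool:
    return GUID_RE.fullmatch(value) is not None

def multipart_fields(content_type: str, body: bytes) -> dict:
    """Parse a multipart/form-data body into {field name: text}, skipping file parts."""
    raw = f"Content-Type: {content_type}\r\n\r\n".encode() + body
    msg = BytesParser(policy=default).parsebytes(raw)
    fields = {}
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        if name and part.get_filename() is None:
            fields[name] = part.get_content().strip()
    return fields

def classify_upload(content_type: str, body: bytes) -> str:
    """Triage a captured /api/upload body: 'ok', 'invalid-guid' or 'traversal'."""
    guid = multipart_fields(content_type, body).get("guid", "")
    if any(s in unquote(guid) for s in ("..", "/", "\\")):  # also catches percent-encoding
        return "traversal"
    return "ok" if is_valid_guid(guid) else "invalid-guid"

def destination_for(guid: str, filename: str, root: str = "/srv/uploads") -> str:
    """The fix in miniature: validate guid, strip client directories, confirm containment."""
    if not is_valid_guid(guid):
        raise ValueError("guid is not a canonical GUID")
    name = PurePosixPath(filename).name  # drop any client-supplied directory components
    if name in ("", ".", ".."):
        raise ValueError("bad filename")
    dest = PurePosixPath(root) / guid.lower() / name
    if PurePosixPath(root) not in dest.parents:  # defence in depth: must stay under root
        raise ValueError("path escapes upload root")
    return str(dest)

def sample_body(guid: str, filename: str = "report.txt") -> bytes:
    """Constructed multipart body shaped like the /api/upload request (test fixture only)."""
    return (
        f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="guid"\r\n\r\n{guid}\r\n'
        f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n<file bytes>\r\n"
        f"--{BOUNDARY}--\r\n"
    ).encode()
```

Because the guid travels in the POST body rather than the URL, ordinary web-server access logs will not show it; triage needs captured request bodies (WAF or proxy logging), and the server-side check is what actually closes the hole.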

12 min read. From labs.watchtowr.com
Table of contents
- What is SmarterTools’ SmarterMail?
- But Anyway
- CVE-2025-52691 - Technical Details
- Here’s One We Prepared Earlier
- Detection Artifact Generator
- Gain early access to our research, and understand your exposure, with the watchTowr Platform