CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-25067: SmarterMail's Not-So-Smart Background Check: Unauthenticated NTLM Theft via CVE-2026-25067

Vulnerability ID: CVE-2026-25067
CVSS Score: 6.9
Published: 2026-01-29

SmarterTools SmarterMail, a widely deployed business email server, contains a critical design flaw in its 'Background of the Day' preview feature. The application blindly trusts user-supplied, Base64-encoded file paths without sanitization. By supplying a UNC path (e.g., pointing to a rogue SMB server), an unauthenticated attacker can coerce the SmarterMail service—often running with high privileges—to initiate an outbound connection. This automatically transmits the service account's NTLM credentials to the attacker, opening the door for offline cracking or NTLM relay attacks against other infrastructure.

TL;DR

Unauthenticated attackers can force SmarterMail servers to authenticate to an external SMB share by abusing the background preview feature. This leaks NTLMv2 hashes, enabling credential theft or relay attacks. Fixed in Build 9518.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-706 (Path Coercion)
  • CVSS v4.0: 6.9 (Medium)
  • Attack Vector: Network (Unauthenticated)
  • Impact: Info Disclosure / Auth Coercion
  • Status: Patched (Jan 22, 2026)
  • Exploitability: Trivial (Standard Tooling)

Affected Systems

  • SmarterMail 100.x < Build 9518
  • Windows Server (running vulnerable SmarterMail)
  • SmarterMail: < Build 9518 (Fixed in: Build 9518)

Exploit Details

  • VulnCheck: Original advisory detailing the path coercion vulnerability.

Mitigation Strategies

  • Input Validation
  • Egress Filtering
  • Protocol Hardening

Remediation Steps:

  1. Upgrade SmarterMail to Build 9518 or later immediately.
  2. Configure the Windows Firewall to block outbound connections on TCP port 445 (SMB) to the internet.
  3. Review IIS logs for requests to 'background-of-the-day-preview' carrying Base64 strings that decode to a UNC path (\\host\share) instead of a local file path.
  4. Enforce SMB Signing on all internal servers to prevent NTLM relay attacks from being effective.
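A log-review helper for step 3, added here as an example and not code from cvereports or SmarterTools: it parses IIS W3C log lines, keeps requests to the preview endpoint, decodes each Base64 query value and flags those that decode to a UNC path. The URI stem, the query-parameter layout and the sample log lines are assumptions, not values taken from the advisory.

```python
import base64
import re
from urllib.parse import unquote

# Assumed (not from the advisory): the preview URI stem contains this marker and
# the Base64 path travels in the query string; adjust both to the real install.
ENDPOINT_MARKER = "background-of-the-day-preview"
UNC_RE = re.compile(r"^(?:\\\\|//)[^\\/]+")  # \\host\... or //host/...

def decode_b64_param(value):
    """Decoded text of a Base64 value, or None if it is not valid Base64."""
    try:
        return base64.b64decode(value + "=" * (-len(value) % 4), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def parse_w3c(lines):
    """Yield one dict per IIS W3C log entry, keyed by the #Fields header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line.startswith("#") and fields:
            parts = line.split()  # W3C fields never contain literal spaces
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def find_unc_coercion(lines):
    """(client_ip, decoded_path) for preview requests whose Base64 value is a UNC path."""
    hits = []
    for entry in parse_w3c(lines):
        query = entry.get("cs-uri-query", "-")
        if ENDPOINT_MARKER not in entry.get("cs-uri-stem", "") or query == "-":
            continue
        # Split by hand: parse_qs would turn '+' (a Base64 character) into a space.
        for pair in query.split("&"):
            decoded = decode_b64_param(unquote(pair.partition("=")[2]))
            if decoded and UNC_RE.match(decoded):
                hits.append((entry.get("c-ip"), decoded))
    return hits

# Constructed sample log (RFC 5737 addresses): benign, UNC-path, and unrelated requests.
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status",
    "2026-01-29 10:15:32 10.0.0.5 GET /background-of-the-day-preview path="
    + base64.b64encode(b"backgrounds/ocean.jpg").decode() + " 198.51.100.7 200",
    "2026-01-29 10:16:01 10.0.0.5 GET /background-of-the-day-preview path="
    + base64.b64encode(rb"\\203.0.113.9\share\bg.png").decode() + " 203.0.113.9 500",
    "2026-01-29 10:16:05 10.0.0.5 GET /index.html - 198.51.100.8 200",
]
```

Run it against an exported log (one string per line) with `find_unc_coercion(open(path))`; each hit pairs the client address with the decoded UNC path so it can be correlated with outbound port 445 attempts at the firewall.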

References


Read the full report for CVE-2026-25067 on our website for more details including interactive diagrams and full exploit analysis.
