CVE-2026-25067: CWE-706 Use of Incorrectly-Resolved Name or Reference in SmarterTools SmarterMail
CVE-2026-25067 is a medium-severity, unauthenticated path coercion vulnerability in SmarterTools SmarterMail builds prior to 9518. The application base64-decodes attacker-supplied input and uses the decoded value as a filesystem path without validating it. On Windows, the decoded value can be a UNC path (\\host\share\file), and resolving it makes the SmarterMail service open an outbound SMB connection to the named host and authenticate with the service's own credentials. An attacker who controls that host can capture the NTLM challenge-response for offline cracking or relay it to another service that accepts NTLM. No authentication or user interaction is required. No in-the-wild exploitation has been reported, but because coercion needs only a single unauthenticated request, organizations running vulnerable builds should patch or mitigate promptly to limit credential theft and lateral movement.
AI Analysis
Technical Summary
CVE-2026-25067 is classified under CWE-706 (Use of Incorrectly-Resolved Name or Reference) and affects SmarterTools SmarterMail builds prior to 9518. The flaw is in the background-of-the-day preview endpoint, which accepts a base64-encoded parameter from an unauthenticated client, decodes it and uses the result as a filesystem path without checking that it stays inside the intended directory. On Windows the decoded value can be a UNC (Universal Naming Convention) path, so merely resolving or opening it makes the SmarterMail service connect to the named host over SMB (Server Message Block, TCP 445) and authenticate with its own account; the SMB session setup, and therefore the NTLM exchange, happens before any file is read. The attacker receives the service account's NTLM challenge-response and can crack it offline or relay it in real time to an internal service that accepts NTLM without requiring signing or channel binding. The coercion yields only what the service account can do: a low-privilege local account limits the relay's value, whereas a domain account with access to other hosts makes it a foothold for lateral movement. No authentication or user interaction is required and the attack vector is network, which the CVSS 4.0 base score of 6.9 (medium) reflects through its network vector, low complexity, and no-privileges, no-interaction metrics. No public exploit is known at the time of writing. The record names build 9518 as the first unaffected build but carries no patch link, so confirm availability with the vendor and apply network-level mitigations in the meantime.
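The decode-then-use pattern the advisory describes, and the validation that closes it, as an added Python example written for this page (illustrative code, not SmarterMail's implementation; the preview directory, the parameter handling and the file-name policy are assumptions). `vulnerable_preview_path` mirrors the flaw: whatever the client base64-encoded becomes a path, including a UNC reference that would make a Windows file API authenticate to the named host. `safe_preview_path` decodes strictly, classifies why a value is unsafe, allowlists a bare image file name and joins it under the fixed directory. `PureWindowsPath` is used so the Windows path semantics hold wherever the script is run.

```python
import base64
import binascii
import re
from pathlib import PureWindowsPath

# Assumed preview directory for this demonstration; not SmarterMail's real layout.
BACKGROUND_DIR = PureWindowsPath(r"C:\SmarterMail\Backgrounds")

# Allowlist for the decoded value: one bare image file name, no separators.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.(png|jpe?g|gif)", re.IGNORECASE)

# Legacy device names Windows resolves even with an extension (CON.png -> CON).
RESERVED_DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)
}


def encode_param(value: str) -> str:
    """What a client would send: base64 of the (attacker-chosen) text."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def decode_param(encoded: str) -> str:
    """Strict base64 decode: reject non-alphabet characters, bad padding, non-UTF-8."""
    try:
        return base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError) as exc:
        raise ValueError("preview parameter is not valid base64 text") from exc


def vulnerable_preview_path(encoded: str) -> PureWindowsPath:
    """CWE-706 pattern: the decoded client value is used as the path unchanged.
    Given base64 of \\attacker\share\bg.png, a Windows file API called on the
    result connects to 'attacker' over SMB and authenticates as the service
    account before any file is read. Kept deliberately vulnerable for contrast."""
    return PureWindowsPath(decode_param(encoded))


def classify_reference(decoded: str) -> str:
    """Explain why a decoded value is unsafe as a file reference."""
    if not decoded:
        return "empty"
    p = PureWindowsPath(decoded)
    if decoded.startswith(("\\\\", "//")) or p.drive.startswith("\\\\"):
        return "unc"          # \\server\share or //server/share: outbound SMB/WebDAV
    if p.drive or p.root:
        return "absolute"     # C:\x, \x, or the drive-relative form C:x
    if any(part in ("..", ".") for part in p.parts):
        return "traversal"
    if len(p.parts) != 1:
        return "subpath"      # sub\file: not a bare name in the preview directory
    return "filename"


def safe_preview_path(encoded: str) -> PureWindowsPath:
    """Hardened version: decode strictly, accept only a bare allowlisted file
    name, then join it under the fixed directory."""
    decoded = decode_param(encoded)
    kind = classify_reference(decoded)
    if kind != "filename":
        raise ValueError(f"rejected preview reference ({kind}): {decoded!r}")
    if not SAFE_NAME.fullmatch(decoded):
        raise ValueError(f"rejected preview reference (name policy): {decoded!r}")
    if decoded.rsplit(".", 1)[0].upper() in RESERVED_DEVICE_NAMES:
        raise ValueError(f"rejected preview reference (device name): {decoded!r}")
    full = BACKGROUND_DIR / decoded
    # A single allowlisted component can only land directly in BACKGROUND_DIR.
    assert full.parent == BACKGROUND_DIR
    return full


def is_safe_reference(encoded: str) -> bool:
    """True if the encoded parameter would be accepted by safe_preview_path."""
    try:
        safe_preview_path(encoded)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for sample in ("ocean.png", r"\\attacker\share\bg.png", "//attacker/share/bg.png",
                   r"C:\Windows\win.ini", r"..\..\web.config", "CON.png"):
        enc = encode_param(sample)
        verdict = "accepted" if is_safe_reference(enc) else f"rejected ({classify_reference(sample)})"
        print(f"{sample!r:32} vulnerable -> {vulnerable_preview_path(enc)}  safe -> {verdict}")
```

The allowlist regex, not the classifier, is what actually protects the safe version; the classifier exists so that rejected requests are logged with a reason (a stream of "unc" rejections from the Internet is itself a detection signal). Note that a forward-slash UNC form (//host/share) is normalised to the same drive by Windows, so both spellings must be caught.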
Potential Impact
For European organizations, the direct impact is disclosure of the SmarterMail service account's NTLM credentials and unauthorized authentication with them. Where SmarterMail runs on a domain-joined Windows server under a domain account, a relayed authentication can reach file shares, LDAP or other internal services that accept NTLM without signing, enabling lateral movement from the mail server into the rest of the network. Finance, government and critical-infrastructure organizations are the most exposed: their mail servers are routinely Internet-facing and their internal networks are high-value targets. Because exploitation is unauthenticated and takes a single request, mass scanning of exposed SmarterMail instances is cheap once the endpoint is known. The coerced connection is outbound from the mail server, so it passes through segmentation and firewall rules that restrict only inbound SMB; egress filtering on TCP 445 is what stops the credential from leaving the network. The medium rating reflects that the primary outcome is credential exposure rather than direct code execution, but in an environment where NTLM relay is feasible the practical impact is higher and the issue should be addressed promptly.
Mitigation Recommendations
1. Upgrade SmarterMail to build 9518 or later. The advisory identifies 9518 as the first unaffected build, and the record carries no patch link, so confirm availability with SmarterTools.
2. Block outbound TCP 445 (and 139) from SmarterMail servers to anything other than an explicit allowlist of internal file servers and domain controllers, at both the host firewall and the network edge. This is the most effective interim control: the coerced authentication cannot reach the attacker if the SMB connection never leaves the network.
3. Check the WebClient (WebDAV redirector) service on the server. When it is running, Windows can fall back from SMB to WebDAV over TCP 80/443 when resolving a UNC path, which a port-445 block does not cover. Disable it if the mail server does not need WebDAV.
4. Monitor firewall and flow logs for SMB connections originating from SmarterMail servers to non-allowlisted hosts. A denied outbound 445 attempt from the mail server to an external address is a strong indicator of an exploitation attempt even when the block holds.
5. Harden the relay targets: require SMB signing on servers, LDAP signing and channel binding on domain controllers, and consider the Windows policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" on the mail server. Enforcing NTLMv2 (LmCompatibilityLevel 5) does not prevent relay, but it makes a captured challenge-response harder to crack.
6. Run the SmarterMail service under a dedicated account with the minimum rights the product needs, so that a coerced authentication is worth little to an attacker.
7. Disable the background-of-the-day preview feature if it is not needed, to remove the exposed endpoint until the fix is applied.
8. Use EDR or Windows authentication auditing to alert on anomalous outbound authentication from the mail server.
9. Brief the security team on this vulnerability so that suspicious activity from the mail server is recognised and triaged quickly.
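A detection rule for the log-monitoring recommendation, as an added Python example written for this page (not from the vendor or the advisory; the mail-server address, the SMB allowlist, the RFC 1918 internal ranges and the key=value log format are assumptions, and the sample log lines are constructed). It flags any SMB connection originating from the mail server to a host outside an explicit allowlist, grading allowed external connections highest (the credential most likely reached the attacker), blocked external attempts next (the egress rule held but someone is trying), and internal off-allowlist destinations as possible relay targets.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed inventory for this example; replace with the real addresses.
MAIL_SERVERS = {"10.20.0.15"}                                  # SmarterMail hosts
SMB_ALLOWLIST = {"10.20.0.5", "10.20.0.10", "10.20.0.11"}      # file server, DCs
SMB_PORTS = {445, 139}
# Explicit RFC 1918 ranges rather than ipaddress.is_global, which treats the
# documentation ranges used below (203.0.113.0/24 etc.) as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records in a generic key=value style (not real logs).
SAMPLE_LOG = """\
ts=2026-02-05T08:10:01Z src=10.20.0.15 dst=10.20.0.5 proto=tcp dport=445 action=allow
ts=2026-02-05T08:10:03Z src=10.20.0.15 dst=203.0.113.42 proto=tcp dport=445 action=allow
ts=2026-02-05T08:10:04Z src=10.20.0.15 dst=198.51.100.9 proto=tcp dport=445 action=deny
ts=2026-02-05T08:10:05Z src=10.20.0.15 dst=10.20.0.99 proto=tcp dport=445 action=allow
ts=2026-02-05T08:10:06Z src=10.20.0.15 dst=203.0.113.42 proto=tcp dport=443 action=allow
ts=2026-02-05T08:10:07Z src=10.20.0.77 dst=203.0.113.42 proto=tcp dport=445 action=allow
"""


@dataclass
class Finding:
    ts: str
    dst: str
    dport: int
    action: str
    severity: str
    reason: str


def parse_line(line: str) -> dict:
    """Split 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def is_internal(ip: str) -> bool:
    """RFC 1918 check; anything else (including unparsable) counts as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def assess(fields: dict) -> Optional[Finding]:
    """Rule: SMB from a mail server to anything off the allowlist is a finding."""
    try:
        dport = int(fields.get("dport", ""))
    except ValueError:
        return None
    if fields.get("src") not in MAIL_SERVERS or dport not in SMB_PORTS:
        return None
    dst = fields.get("dst", "")
    if dst in SMB_ALLOWLIST:
        return None
    action = fields.get("action", "")
    if not is_internal(dst):
        if action == "allow":
            severity = "critical"
            reason = "SMB to an external host was allowed: service-account NTLM likely left the network"
        else:
            severity = "high"
            reason = "SMB to an external host was blocked: coercion attempted, egress rule held"
    else:
        severity = "medium"
        reason = "SMB to an internal host outside the allowlist: possible relay target or pivot"
    return Finding(fields.get("ts", ""), dst, dport, action, severity, reason)


def scan(log_text: str) -> list:
    """Run the rule over every non-empty line and return findings in log order."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            finding = assess(parse_line(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.severity.upper():8} {f.ts} {f.dst}:{f.dport} {f.action:5} {f.reason}")
```

On the constructed sample the rule ignores the allowlisted file server, the HTTPS flow and the non-mail host, and produces three findings: the allowed connection to 203.0.113.42, the blocked attempt to 198.51.100.9, and the internal 10.20.0.99 destination. The same rule ported to a SIEM query should also be run against the WebClient fallback (outbound 80/443 from the mail server to hosts it has never contacted), which this flow-level example cannot distinguish from ordinary web traffic.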
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-01-28T21:47:35.119Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 697ae0284623b1157c685561
Added to database: 1/29/2026, 4:20:56 AM
Last enriched: 2/5/2026, 8:55:21 AM
Last updated: 2/7/2026, 9:17:30 PM