
CVE-2026-25067: CWE-706 Use of Incorrectly-Resolved Name or Reference in SmarterTools SmarterMail

Severity: Medium
Tags: Vulnerability, CVE-2026-25067, CWE-706
Published: Thu Jan 29 2026 (01/29/2026, 03:38:02 UTC)
Source: CVE Database V5
Vendor/Project: SmarterTools
Product: SmarterMail

Description

CVE-2026-25067 is a medium-severity, unauthenticated path coercion vulnerability in SmarterTools SmarterMail builds prior to 9518. The background-of-the-day preview endpoint base64-decodes attacker-supplied input and uses the decoded value as a filesystem path without validating it. On Windows, a decoded value of the form \\host\share\file is a UNC path, so the SmarterMail service connects to the named host over SMB and authenticates to it with the credentials of the account the service runs under. An attacker who points that path at a host they control can therefore coerce the server into an outbound NTLM authentication, which can be relayed to other internal services or cracked offline. No authentication or user interaction is required, and no exploitation in the wild has been reported. The CVSS 4.0 score is 6.9 (medium). Organizations running affected SmarterMail versions should patch, or apply the mitigations below, to prevent credential theft and the lateral movement it enables.

AI-Powered Analysis

AI analysis last updated: 01/29/2026, 04:35:22 UTC

Technical Analysis

CVE-2026-25067 is classified under CWE-706 (Use of Incorrectly-Resolved Name or Reference) and affects SmarterTools SmarterMail builds prior to 9518. The background-of-the-day preview endpoint accepts a base64-encoded parameter from unauthenticated clients, decodes it, and uses the decoded bytes directly as a filesystem path with no validation or sanitization. On Windows, a decoded value such as \\attacker-host\share\image.png is a UNC (Universal Naming Convention) path, which the operating system resolves over the network rather than on local disk. To open it, the SmarterMail service connects to the named host over SMB (Server Message Block) and, when the server demands it, authenticates as the account the service runs under, sending an NTLM challenge-response (Net-NTLMv2, or Net-NTLMv1 where legacy settings still allow it) to a server the attacker controls.

The attacker therefore only needs to run an SMB listener and submit a crafted base64 parameter that names it. The captured challenge-response is not a reusable password hash, but it can be relayed in real time to another internal service that accepts NTLM (SMB, LDAP, HTTP) if that service does not require signing or channel binding, or cracked offline to recover the service account's password. Either route can yield unauthorized access to internal resources or privilege escalation, scaled by the rights held by the SmarterMail service account. No authentication or user interaction is required, which makes the flaw well suited to opportunistic scanning of internet-exposed SmarterMail instances. No public exploit is known at the time of writing, but the technique is generic and well understood. The CVSS 4.0 vector records a network attack vector, low attack complexity, no privileges or user interaction required, and limited confidentiality impact with no integrity or availability impact, giving a score of 6.9 (medium).

Potential Impact

For European organizations, this vulnerability poses a risk of credential theft and unauthorized network authentication that can lead to lateral movement within corporate networks and, ultimately, data breaches. An organization running SmarterMail on Windows servers exposes the NTLM authentication of its SmarterMail service account to any attacker operating a malicious SMB server, enabling NTLM relay (a man-in-the-middle of the authentication exchange) or offline cracking. A successful relay can compromise internal resources well beyond the mail server, and the mail server's own email data is at risk wherever the relayed identity holds rights over it. Because exploitation is unauthenticated and remote, no prior foothold is needed, and internet-exposed instances can be swept opportunistically. Industries with high reliance on email infrastructure, such as finance, healthcare, and government, are particularly at risk, as are organizations whose hybrid or remote work arrangements expose SmarterMail webmail to the internet. The impact is compounded by how easily an outbound SMB connection from a mail server goes unnoticed where egress from server segments is not monitored.

Mitigation Recommendations

1. Upgrade SmarterMail to build 9518 or later, where the vulnerability is patched.
2. If immediate patching is not possible, block outbound TCP 445 and 139 from SmarterMail servers at both the host firewall and the network perimeter. Note that when SMB is unreachable the Windows UNC resolver can fall back to WebDAV over TCP 80/443 if the WebClient service is running, so disable that service on the mail server as well. Where the server does not legitimately need to authenticate to remote hosts, the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" can be set to audit and then deny.
3. Monitor firewall, NetFlow or host connection logs and alert on any SMB connection originating from a SmarterMail server to a destination outside a short allowlist, with highest priority for destinations on the internet. A blocked attempt is still evidence that the trigger fired and should be investigated.
4. Require SMB signing (and LDAP signing and channel binding) on the internal services an attacker could relay to; this limits where a relayed authentication can land. Enforcing NTLMv2 does not prevent relay, but it makes a captured challenge-response far harder to crack offline.
5. As a stopgap at the application layer, have a WAF or reverse proxy reject requests to the background-of-the-day preview endpoint whose base64 parameter fails to decode, or decodes to anything other than a bare filename (a value beginning with \\ or //, containing a path separator, a drive letter or "..").
6. Run the SmarterMail service under a dedicated, low-privilege account so that a coerced or relayed authentication carries as few rights as possible, rotate that account's credential after patching if exploitation is suspected, and keep multi-factor authentication on critical systems so a recovered password alone is not sufficient to reach them.
7. Make sure security teams recognise the signs of NTLM coercion and relay (unexpected outbound SMB from servers, service-account logons from unfamiliar hosts) and have a response playbook ready.
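An added example of the detection logic in item 3, written for this page and not taken from any vendor or from SmarterMail. It runs over a few constructed firewall log lines in a generic key=value layout (not any product's real format); the mail-server address, the SMB allowlist and the internal address ranges are assumptions to adapt to your own environment. SMB leaving the internal address space is rated high, SMB to an unlisted internal host medium, and a denied connection is reported rather than ignored because it still shows the coercion fired.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumptions (hypothetical addressing, not from the advisory):
MAIL_SERVERS = {"10.10.5.20"}       # hosts running SmarterMail
SMB_ALLOWED_DST = {"10.10.5.30"}    # e.g. the backup file server the mail host may reach
SMB_PORTS = {445, 139}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample firewall log lines; the format is invented for this example.
LOG_LINES = """\
2026-01-29T03:41:02Z src=10.10.5.20 dst=203.0.113.45 dport=445 proto=tcp action=allow
2026-01-29T03:41:02Z src=10.10.5.20 dst=10.10.5.30 dport=445 proto=tcp action=allow
2026-01-29T03:41:05Z src=10.10.5.20 dst=198.51.100.7 dport=139 proto=tcp action=deny
2026-01-29T03:41:07Z src=10.10.7.44 dst=203.0.113.45 dport=445 proto=tcp action=allow
2026-01-29T03:41:09Z src=10.10.5.20 dst=10.10.9.9 dport=445 proto=tcp action=allow
2026-01-29T03:41:11Z src=10.10.5.20 dst=203.0.113.45 dport=443 proto=tcp action=allow
"""


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    severity: str  # "high" when SMB leaves the internal address space, else "medium"
    outcome: str   # "allowed" or "blocked" by the firewall


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse 'ts k=v k=v ...' into a dict; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = {"ts": parts[0]}
    for kv in parts[1:]:
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        fields[key] = value
    return fields


def is_internal(ip: str) -> bool:
    """True for RFC 1918 space; documentation ranges such as 203.0.113.0/24 count as external."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyse(lines: str) -> List[Alert]:
    """Flag SMB connections from a SmarterMail host to any non-allowlisted destination."""
    alerts: List[Alert] = []
    for raw in lines.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        dst = ev.get("dst")
        try:
            dport = int(ev.get("dport", ""))
            if dst is None:
                continue
            ipaddress.ip_address(dst)  # reject unparsable destinations early
        except ValueError:
            continue
        if ev.get("src") not in MAIL_SERVERS or dport not in SMB_PORTS:
            continue
        if dst in SMB_ALLOWED_DST:
            continue
        severity = "medium" if is_internal(dst) else "high"
        outcome = "blocked" if ev.get("action") == "deny" else "allowed"
        alerts.append(Alert(ev["ts"], ev["src"], dst, dport, severity, outcome))
    return alerts


if __name__ == "__main__":
    for a in analyse(LOG_LINES):
        print(f"[{a.severity}] {a.ts} {a.src} -> {a.dst}:{a.dport} ({a.outcome})")
```

On the sample data this raises three alerts: the allowed SMB connection to 203.0.113.45 (high), the denied one to 198.51.100.7 (high, blocked) and the one to the unlisted internal host 10.10.9.9 (medium). Traffic from other hosts, to the allowlisted file server, or on port 443 is left alone, which keeps the rule quiet enough to page on.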


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2026-01-28T21:47:35.119Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 697ae0284623b1157c685561

Added to database: 1/29/2026, 4:20:56 AM

Last enriched: 1/29/2026, 4:35:22 AM

Last updated: 1/29/2026, 7:57:39 AM


