CVE-2026-25067 is a vulnerability classified under CWE-706 (Use of Incorrectly-Resolved Name or Reference) affecting SmarterTools SmarterMail versions prior to build 9518. The flaw resides in the background-of-the-day preview endpoint, which accepts attacker-controlled input that is base64-decoded and directly used as a filesystem path without validation. On Windows platforms, this allows the application to resolve UNC (Universal Naming Convention) paths pointing to remote SMB shares controlled by an attacker. When the SmarterMail service attempts to access these UNC paths, it triggers outbound SMB authentication attempts using the service's credentials. This can be abused to coerce credentials, perform NTLM relay attacks, or gain unauthorized network authentication, potentially allowing attackers to impersonate the service or escalate privileges within the network. The vulnerability requires no authentication or user interaction, increasing its risk profile. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or user interaction required, and limited confidentiality impact. While no public exploits or patches are currently available, the vulnerability poses a significant risk to organizations using affected SmarterMail versions on Windows systems, especially in environments where SMB traffic is not tightly controlled.

The primary impact of this vulnerability is the potential for credential theft and unauthorized network authentication through SMB protocol abuse. Attackers can coerce the SmarterMail service into authenticating to attacker-controlled SMB servers, capturing NTLM hashes or relaying them to other network services, facilitating lateral movement and privilege escalation within corporate networks. This can lead to compromise of sensitive email data, disruption of mail services, and broader network breaches. Organizations relying on SmarterMail for email infrastructure, especially those with Windows-based deployments, face increased risk of internal network compromise. The unauthenticated nature of the vulnerability means attackers can exploit it remotely without prior access, increasing the attack surface. Although the confidentiality impact is limited to credential exposure and potential relay attacks, the integrity and availability of email services could be indirectly affected through subsequent attacks leveraging stolen credentials.

Organizations should immediately audit their SmarterMail deployments to identify versions prior to build 9518 and prioritize upgrading to the latest patched version once available. In the absence of an official patch, administrators can implement network-level controls to restrict outbound SMB traffic from SmarterMail servers, such as firewall rules blocking SMB ports (TCP 445 and 139) to untrusted networks. Additionally, disabling or restricting the background-of-the-day preview feature may reduce exposure. Monitoring network traffic for unusual SMB authentication attempts originating from SmarterMail servers can help detect exploitation attempts. Employing SMB signing and enforcing strong authentication policies can mitigate NTLM relay risks. Network segmentation to isolate mail servers and limiting their access to only necessary resources further reduces potential impact. Regularly reviewing and hardening Windows SMB configurations and applying principle of least privilege to service accounts running SmarterMail are also recommended to limit damage if exploitation occurs.