CVE-2026-25067
Path Coercion in SmarterMail Preview Enables NTLM Relay Attacks

Publication date: 2026-01-29

Last updated on: 2026-03-09

Assigner: VulnCheck

Description
SmarterTools SmarterMail versions prior to build 9518 contain an unauthenticated path coercion vulnerability in the background-of-the-day preview endpoint. The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation. On Windows systems, this allows UNC paths to be resolved, causing the SmarterMail service to initiate outbound SMB authentication attempts to attacker-controlled hosts. This can be abused for credential coercion, NTLM relay attacks, and unauthorized network authentication.
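The pattern the description refers to, as an added example in Python (not SmarterMail's code, which is not reproduced on this page): a handler that base64-decodes a parameter and joins it onto a base directory, beside a hardened version. The base directory and the parameter handling are assumptions; ntpath is used so that Windows path semantics apply wherever the snippet runs.

```python
import base64
import binascii
import ntpath

# Added example, not SmarterMail's code. BASE_DIR is hypothetical; the point is how
# ntpath.join treats a decoded value that turns out to be a UNC or absolute path.
BASE_DIR = r"C:\SmarterMail\Backgrounds"


def encode_param(name: str) -> str:
    """Build a parameter the way a client would (helper for the inputs below)."""
    return base64.b64encode(name.encode("utf-8")).decode("ascii")


def resolve_unsafe(encoded: str) -> str:
    """Vulnerable pattern: decode, then join with no validation.
    ntpath.join discards BASE_DIR whenever the decoded value is absolute or UNC, so
    '\\\\attacker\\share\\bg.png' comes back unchanged and a later open() would speak
    SMB to 'attacker' and authenticate as the service account."""
    name = base64.b64decode(encoded).decode("utf-8")
    return ntpath.join(BASE_DIR, name)


def resolve_safe(encoded: str) -> str:
    """Hardened: strict decode, reject UNC / rooted / drive-qualified input up front,
    then confirm the normalized result still lies under BASE_DIR (this catches ..\\)."""
    try:
        name = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, ValueError) as exc:
        raise ValueError("malformed parameter") from exc
    if not name or "\x00" in name:
        raise ValueError("empty or NUL-containing name")
    win = name.replace("/", "\\")             # treat //host/share like \\host\share
    drive, _ = ntpath.splitdrive(win)         # non-empty for \\host\share and C:...
    if win.startswith("\\") or drive:
        raise ValueError("UNC, rooted or drive-qualified path rejected")
    full = ntpath.normpath(ntpath.join(BASE_DIR, win))
    base = ntpath.normpath(BASE_DIR).rstrip("\\") + "\\"
    if not full.lower().startswith(base.lower()):
        raise ValueError("path escapes base directory")
    return full


def is_rejected(encoded: str) -> bool:
    """Yes/no wrapper around resolve_safe for callers that only need the verdict."""
    try:
        resolve_safe(encoded)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for sample in ("sunset.png", "\\\\attacker\\share\\bg.png", "..\\..\\Windows\\win.ini"):
        p = encode_param(sample)
        print(f"{sample!r:32} unsafe -> {resolve_unsafe(p)!r:40} safe rejects: {is_rejected(p)}")
```

The safer design is to not accept a path at all: have the client send an identifier, look the file up in a server-side table, and never let user input reach a filesystem API. Where a relative name must be accepted, both checks above are needed; the prefix comparison alone would still let a rooted "\\Windows\\win.ini" be joined onto the drive before it is caught, and the up-front UNC rejection alone would not stop "..\\" traversal.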
Meta Information
Page generated: 2026-06-16
AI Q&A generated: 2026-01-29
EPSS evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor         Product        Version / Range
smartertools   smartermail    up to 100.0.9518 (exclusive), i.e. every build before 9518
CWE ID     Description
CWE-706    Use of Incorrectly-Resolved Name or Reference: the product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
AI Quick Actions (AI-generated guidance)
Detection Guidance

Watch for outbound SMB connections (TCP 445, also 139) that originate from the SmarterMail service process and go to hosts that are not known file servers, above all to Internet addresses. Sysmon Event ID 3 (network connection) filtered on the service image and destination port is the most direct source; egress firewall or NetFlow logs that show the mail server as the SMB client work as well. Point-in-time checks on the host ("netstat -ano", or "Get-NetTCPConnection -RemotePort 445" matched to the owning PID) only catch a connection while it is open, and coercion connections are short-lived. On the application side, review web request logs for the background-of-the-day preview endpoint and base64-decode the parameter rather than looking for base64 as such, since the value is base64 by design: a value that decodes to a UNC path ("\\host\share\..." or "//host/share/...") or to an absolute path outside the expected directory is an exploitation attempt, and unauthenticated requests to this endpoint from unfamiliar source addresses merit a look on their own.
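Both halves of that guidance as runnable detection logic, added here as an example and not taken from the page or from SmarterTools: one function decodes the preview endpoint's parameter in web log lines and flags values that resolve to a UNC host, the other flags SMB connections from the SmarterMail service to hosts outside an allowlist. The advisory does not name the request path, the parameter, or the service binary, so ENDPOINT_MARKER, the "data" parameter, SMARTERMAIL_IMAGES and SERVICE_EXE are hypothetical placeholders, and the log lines and events are constructed.

```python
import base64
import binascii
import ntpath
import re
from urllib.parse import unquote

# Added example, not SmarterMail's or VulnCheck's code. The three values below are
# hypothetical because the advisory does not name them; replace them with what your logs show.
ENDPOINT_MARKER = "background"            # substring expected in the preview URL path
SMARTERMAIL_IMAGES = {"mailservice.exe"}  # basename of the SmarterMail service process
SMB_PORTS = {445, 139}
UNC_RE = re.compile(r"^(?:\\\\|//)([^\\/]+)[\\/]")  # \\host\share\... or //host/share/...


def decode_b64_param(value: str):
    """Strictly decode a query value as base64 (standard or URL-safe alphabet; percent-
    encoding and missing padding tolerated). Returns the text, or None if it is not base64."""
    value = unquote(value).strip()
    padded = value + "=" * (-len(value) % 4)
    for altchars in (None, b"-_"):
        try:
            return base64.b64decode(padded, altchars=altchars, validate=True).decode("utf-8")
        except (binascii.Error, ValueError):
            continue
    return None


def unc_host(text: str):
    """Host named by a UNC-style path, or None."""
    m = UNC_RE.match(text)
    return m.group(1) if m else None


def scan_web_log(log_text: str):
    """Walk W3C-style web log lines (date time c-ip cs-method cs-uri-stem cs-uri-query
    sc-status) and flag preview requests whose parameter decodes to a UNC path."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 7 or line.startswith("#"):
            continue
        date, time, client_ip, _method, uri_stem, query, status = parts[:7]
        if ENDPOINT_MARKER not in uri_stem.lower() or query == "-":
            continue
        # Split the query by hand: parse_qsl would turn '+', a base64 character, into a space.
        for pair in query.split("&"):
            name, _, value = pair.partition("=")
            decoded = decode_b64_param(value)
            host = unc_host(decoded) if decoded else None
            if host:
                findings.append({"time": f"{date} {time}", "client": client_ip,
                                 "param": name, "target_host": host, "status": status})
    return findings


def scan_network_events(events, allowed_hosts):
    """Flag SMB connections initiated by the SmarterMail service to hosts outside the
    allowlist. Each event carries the Sysmon Event ID 3 fields that matter here."""
    return [
        {"time": ev["time"], "dst_ip": ev["dst_ip"], "dst_port": ev["dst_port"]}
        for ev in events
        if ntpath.basename(ev["image"]).lower() in SMARTERMAIL_IMAGES
        and ev["dst_port"] in SMB_PORTS
        and ev["dst_ip"] not in allowed_hosts
    ]


def b64_text(s: str) -> str:
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


# Constructed sample data. Requests two and three carry UNC paths (backslash and forward-
# slash forms, the third with percent-encoded padding); the first carries a normal file name.
BENIGN = b64_text("sunset.png")
UNC_BACK = b64_text("\\\\192.0.2.55\\share\\bg.png")
UNC_FWD = b64_text("//192.0.2.55/share/bg.png").replace("=", "%3D")
SAMPLE_WEB_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    f"2026-01-30 10:15:01 203.0.113.7 GET /api/background/preview data={BENIGN} 200",
    f"2026-01-30 10:15:09 203.0.113.7 GET /api/background/preview data={UNC_BACK} 200",
    f"2026-01-30 10:16:22 198.51.100.3 GET /api/background/preview data={UNC_FWD} 500",
    "2026-01-30 10:17:00 203.0.113.7 GET /login - 200",
])
SERVICE_EXE = r"C:\Program Files (x86)\SmarterTools\SmarterMail\Service\MailService.exe"  # hypothetical
SAMPLE_EVENTS = [
    {"time": "2026-01-30 10:15:09", "image": SERVICE_EXE, "dst_ip": "192.0.2.55", "dst_port": 445},
    {"time": "2026-01-30 10:15:30", "image": SERVICE_EXE, "dst_ip": "10.0.0.5", "dst_port": 445},
    {"time": "2026-01-30 10:16:00", "image": r"C:\Windows\System32\svchost.exe", "dst_ip": "192.0.2.55", "dst_port": 445},
]
ALLOWED_SMB_HOSTS = {"10.0.0.5"}  # constructed: file servers the mail host legitimately uses

if __name__ == "__main__":
    for f in scan_web_log(SAMPLE_WEB_LOG):
        print("web", f)
    for f in scan_network_events(SAMPLE_EVENTS, ALLOWED_SMB_HOSTS):
        print("net", f)
```

Correlating the two outputs by timestamp is what turns a suspicious request into a confirmed coercion: the 10:15:09 request that decodes to 192.0.2.55 lines up with the 10:15:09 SMB connection from the service to that address. The web-log check is also the only one that fires when egress filtering already blocked the connection, which is useful for counting attempts.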

Mitigation Strategies

Update SmarterMail to build 9518 or later, where the path handling is fixed. Until that is possible: block outbound TCP 445 and 139 from the mail server at the host firewall and at the network edge, allowing only the file servers it genuinely needs, so a coerced connection cannot reach an attacker's SMB listener. Where nothing on the server depends on outbound NTLM, setting the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to "Deny all" stops the authentication even if a connection gets through. Reduce what a successful relay is worth: require SMB signing, and LDAP signing and channel binding, on the servers a relayed session could be pointed at, and run the SmarterMail service under a dedicated low-privilege account rather than LocalSystem or a broadly privileged domain account, since the credential that gets coerced belongs to the service account (the machine account when the service runs as LocalSystem). Blocking "suspicious base64" at a proxy or WAF is not a usable filter, because the parameter is base64-encoded by design; a front-end filter has to decode the value and drop requests whose decoded path starts with "\\" or "//" or is otherwise absolute.

Executive Summary

Before build 9518, SmarterMail exposes an unauthenticated background-of-the-day preview endpoint that base64-decodes a client-supplied parameter and uses the result as a filesystem path. On Windows the decoded value may be a UNC path, so a single unauthenticated HTTP request makes the SmarterMail service open an SMB connection to a host of the attacker's choosing and authenticate to it. The flaw is fixed in build 9518.

Impact Analysis

The credential that leaks is the one the SmarterMail service runs under (the machine account when the service runs as LocalSystem). An attacker who receives the connection can capture the NTLM exchange for offline cracking, or relay it in real time to another host where signing is not enforced and obtain authenticated access there as the service account; relays to SMB, LDAP or HTTP services on the internal network are the usual targets. No credentials and no user interaction are required, but the mail server must be able to reach the attacker's SMB listener, so Internet-facing servers with unrestricted egress are the most exposed.
