CVE-2026-25067
Unknown Unknown - Not Provided

Path Coercion in SmarterMail Preview Enables NTLM Relay Attacks

Vulnerability report for CVE-2026-25067, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-29

Last updated on: 2026-03-09

Assigner: VulnCheck

Description

SmarterTools SmarterMail versions prior to build 9518 contain an unauthenticated path coercion vulnerability in the background-of-the-day preview endpoint. The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation. On Windows systems, this allows UNC paths to be resolved, causing the SmarterMail service to initiate outbound SMB authentication attempts to attacker-controlled hosts. This can be abused for credential coercion, NTLM relay attacks, and unauthorized network authentication.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-29
Last Modified
2026-03-09
Generated
2026-07-06
AI Q&A
2026-01-29
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
smartertools smartermail to 100.0.9518 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-706 The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

You can detect this vulnerability by monitoring for outbound SMB authentication attempts from the SmarterMail service to unusual or attacker-controlled hosts. On Windows systems, use network monitoring tools or commands like 'netstat -an' to identify outbound SMB connections (typically on port 445). Additionally, inspect SmarterMail logs for any base64-decoded path inputs or unusual access patterns to the background-of-the-day preview endpoint.

Executive Summary

This vulnerability exists in SmarterTools SmarterMail versions prior to build 9518 and involves an unauthenticated path coercion in the background-of-the-day preview endpoint. The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation. On Windows systems, this allows UNC paths to be resolved, causing the SmarterMail service to initiate outbound SMB authentication attempts to attacker-controlled hosts.

Impact Analysis

The vulnerability can be abused for credential coercion, NTLM relay attacks, and unauthorized network authentication, potentially allowing attackers to gain unauthorized access or relay credentials within the network.

Mitigation Strategies

Immediate mitigation steps include updating SmarterMail to a version at or above build 9518 where the vulnerability is fixed. If an update is not immediately possible, restrict outbound SMB traffic from the SmarterMail server to prevent it from initiating SMB authentication attempts to attacker-controlled hosts. Additionally, monitor and block suspicious base64-encoded inputs to the background-of-the-day preview endpoint.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25067. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart