{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25067", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-01-28T21:47:35.119Z", "datePublished": "2026-01-29T03:38:02.582Z", "dateUpdated": "2026-03-05T01:30:42.395Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SmarterMail", "vendor": "SmarterTools", "versions": [{"lessThan": "100.0.9518", "status": "affected", "version": "0", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:smartertools:smartermail:*:*:*:*:*:*:*:*", "versionEndExcluding": "100.0.9518"}]}]}], "credits": [{"lang": "en", "type": "finder", "value": "Cale Black of VulnCheck"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "SmarterTools SmarterMail versions prior to build 9518 contain&nbsp;an unauthenticated path coercion vulnerability in the background-of-the-day preview endpoint. The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation. On Windows systems, this allows UNC paths to be resolved, causing the SmarterMail service to initiate outbound SMB authentication attempts to attacker-controlled hosts. This can be abused for credential coercion, NTLM relay attacks, and unauthorized network authentication.<br>"}], "value": "SmarterTools SmarterMail versions prior to build 9518 contain\u00a0an unauthenticated path coercion vulnerability in the background-of-the-day preview endpoint. The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation. On Windows systems, this allows UNC paths to be resolved, causing the SmarterMail service to initiate outbound SMB authentication attempts to attacker-controlled hosts. This can be abused for credential coercion, NTLM relay attacks, and unauthorized network authentication."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-706", "description": "CWE-706 Use of Incorrectly-Resolved Name or Reference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-05T01:30:42.395Z"}, "references": [{"tags": ["release-notes", "patch"], "url": "https://www.smartertools.com/smartermail/release-notes/current"}, {"tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-background-of-the-day-path-coercion"}], "source": {"discovery": "UNKNOWN"}, "title": "SmarterTools SmarterMail < Build 9518 Unauthenticated background-of-the-day Path Coercion", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-29T17:51:38.523562Z", "id": "CVE-2026-25067", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T17:51:55.414Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25067", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-29T17:51:38.523562Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T17:51:44.801Z"}}], "cna": {"title": "SmarterTools SmarterMail < Build 9518 Unauthenticated background-of-the-day Path Coercion", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Cale Black of VulnCheck"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SmarterTools", "product": "SmarterMail", "versions": [{"status": "affected", "version": "0", "lessThan": "100.0.9518", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.smartertools.com/smartermail/release-notes/current", "tags": ["release-notes", "patch"]}, {"url": "https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-background-of-the-day-path-coercion", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "SmarterTools SmarterMail versions prior to build 9518 contain\u00a0an unauthenticated path coercion vulnerability in the background-of-the-day preview endpoint. The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation. On Windows systems, this allows UNC paths to be resolved, causing the SmarterMail service to initiate outbound SMB authentication attempts to attacker-controlled hosts. This can be abused for credential coercion, NTLM relay attacks, and unauthorized network authentication.", "supportingMedia": [{"type": "text/html", "value": "SmarterTools SmarterMail versions prior to build 9518 contain&nbsp;an unauthenticated path coercion vulnerability in the background-of-the-day preview endpoint. The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation. On Windows systems, this allows UNC paths to be resolved, causing the SmarterMail service to initiate outbound SMB authentication attempts to attacker-controlled hosts. This can be abused for credential coercion, NTLM relay attacks, and unauthorized network authentication.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-706", "description": "CWE-706 Use of Incorrectly-Resolved Name or Reference"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:smartertools:smartermail:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "100.0.9518"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-05T01:30:42.395Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25067", "state": "PUBLISHED", "dateUpdated": "2026-03-05T01:30:42.395Z", "dateReserved": "2026-01-28T21:47:35.119Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-01-29T03:38:02.582Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:smartertools:smartermail:*:*:*:*:*:*:*:*", "matchCriteriaId": "706FA98E-A250-42DD-A418-7506F77A6E47", "versionEndExcluding": "100.0.9518", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SmarterTools SmarterMail versions prior to build 9518 contain\u00a0an unauthenticated path coercion vulnerability in the background-of-the-day preview endpoint. The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation. On Windows systems, this allows UNC paths to be resolved, causing the SmarterMail service to initiate outbound SMB authentication attempts to attacker-controlled hosts. This can be abused for credential coercion, NTLM relay attacks, and unauthorized network authentication."}, {"lang": "es", "value": "Las versiones de SmarterTools SmarterMail anteriores a la compilaci\u00f3n 9518 contienen una vulnerabilidad de coerci\u00f3n de ruta no autenticada en el endpoint de vista previa del fondo del d\u00eda. La aplicaci\u00f3n decodifica en base64 la entrada suministrada por el atacante y la utiliza como una ruta del sistema de archivos sin validaci\u00f3n. En sistemas Windows, esto permite que las rutas UNC se resuelvan, haciendo que el servicio SmarterMail inicie intentos de autenticaci\u00f3n SMB salientes a hosts controlados por el atacante. Esto puede ser abusado para la coerci\u00f3n de credenciales, ataques de retransmisi\u00f3n NTLM y autenticaci\u00f3n de red no autorizada."}], "id": "CVE-2026-25067", "lastModified": "2026-03-09T14:29:14.610", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-01-29T05:16:13.157", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Release Notes"], "url": "https://www.smartertools.com/smartermail/release-notes/current"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-background-of-the-day-path-coercion"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-706"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T01:32:17.578885+00:00", "value": {"mitigation_remediation": ["Upgrade SmarterMail to build 9518 or later to eliminate the path\u2011coercion flaw.", "Block outbound SMB traffic (TCP port\u00a0445) from the SmarterMail server to prevent inadvertent credential forwarding to external hosts.", "Restrict access to the background\u2011of\u2011the\u2011day preview endpoint so that only authenticated users can access it, or otherwise limit network visibility of the SmarterMail service."], "summary": {"action": "Patch Immediately", "impact": "Credential Coercion and NTLM Relay via Unauthenticated Path Coercion"}, "threat_synthesis": {"affected_systems": "SmarterTools SmarterMail versions with build numbers below 9518 are affected. The issue manifests only when the background\u2011of\u2011the\u2011day preview endpoint is reachable from an unauthenticated network source, and the server is running on a Windows platform where SMB traffic is enabled.", "description_and_impact": "The vulnerability is a path\u2011coercion flaw (CWE\u2011706) that allows SmarterMail versions prior to build 9518 to base64\u2011decode attacker\u2011supplied data and use it directly as a filesystem path without validation. On Windows systems an attacker can supply a UNC path, causing the SmarterMail service to initiate outbound SMB authentication attempts to the specified host. These authentication attempts can be abused for credential coercion, NTLM relay, and unauthorized network authentication, thereby compromising confidentiality and potentially enabling lateral movement within the internal network.", "risk_and_exploitability": "The CVSS score of 6.9 indicates a moderate to high severity, while the EPSS score of less than 1% suggests that active exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only unauthenticated network access to the preview endpoint and the ability to send a crafted request; if this is available the flaw can trigger outbound SMB authentication, allowing an attacker to steal credentials or relay NTLM messages. The overall risk is therefore driven primarily by the exposure of the service to external networks and the presence of internal Windows infrastructure that can be leveraged for relay attacks."}}}}, "created": "2026-01-29T09:08:21.298569+00:00", "updated": "2026-04-18T01:45:33.389277+00:00", "vendors": ["smartertools", "smartertools$PRODUCT$smartermail"]}