CVE-2025-52691 IBM QRadar · QRadar

Detect SmarterMail Unrestricted File Upload Exploitation (CVE-2025-52691) in IBM QRadar

Detects exploitation of CVE-2025-52691, an unrestricted file upload vulnerability in SmarterTools SmarterMail. This vulnerability allows attackers to upload files with dangerous types (e.g., web shells, executables) to the mail server, potentially enabling remote code execution. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
       sourceip, destinationip, username, filename, filepath,
       QIDNAME(qid) AS EventName, logsourcename(logsourceid) AS LogSource
FROM events
WHERE LOGSOURCE = 'Windows' AND CATEGORY = 'File System'
  AND (
    (filename IMATCHES '.*\.(aspx|asp|php|jsp|cfm|cgi|pl|exe|dll|bat|cmd|ps1|vbs|hta)$'
     AND (filepath IMATCHES '.*smartermail.*' OR filepath IMATCHES '.*mailroot.*' OR filepath IMATCHES '.*webmail.*'))
    OR
    (EventName IMATCHES '.*process.*create.*'
     AND username IMATCHES '.*smartermail.*'
     AND filename IMATCHES '.*(cmd|powershell|wscript|cscript|mshta|certutil)\.exe$')
  )
  AND LOGSOURCE_LAST(starttime) > NOW() - 7 DAYS
ORDER BY starttime DESC
LAST 7 DAYS
critical severity medium confidence

Identifies file creation events with dangerous extensions in SmarterMail paths and suspicious process executions under SmarterMail context using QRadar AQL, targeting exploitation indicators of CVE-2025-52691.

Data Sources

Windows Security Event LogSysmonQRadar Log Source Extension

Required Tables

events

False Positives & Tuning

  • Authorized SmarterMail administrators uploading legitimate scripts or configuration files
  • IT automation tools creating temporary files in the SmarterMail directory during maintenance
  • Antivirus quarantine operations moving files into directories matching the path pattern

Other platforms for CVE-2025-52691

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Web Shell Upload to SmarterMail Directory

    Expected signal: Sysmon Event ID 11 (FileCreate) with TargetFilename containing 'SmarterMail' and ending in '.aspx'; DeviceFileEvents in Defender with ActionType=FileCreated

  2. Test 2Simulate SmarterMail Spawning Suspicious Child Process

    Expected signal: Sysmon Event ID 1 (ProcessCreate) showing cmd.exe with parent process context; DeviceProcessEvents showing cmd.exe creation with CommandLine containing 'whoami'

  3. Test 3Upload Executable File to Simulated Mail Server Web Directory

    Expected signal: Sysmon Event ID 11 (FileCreate) with TargetFilename matching 'C:\Temp\mailroot\webmail\update.exe'; file hash telemetry for the copied executable

  4. Test 4Simulate PowerShell Execution via Web Shell Context

    Expected signal: Sysmon Event ID 1 (ProcessCreate) for powershell.exe with CommandLine containing reconnaissance commands; PowerShell Script Block Logging (Event ID 4104) if enabled

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2025-52691 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003Persistence

Related Techniques

T1190Exploit Public-Facing ApplicationT1505.003Web ShellT1059Command and Scripting Interpreter

Same Tactic: Initial Access

Popular Detections