Full Report
CVE-2025-52691 (an unauthenticated arbitrary file upload weakness enabling remote code execution on SmarterTools SmarterMail Email Gateways) landed on December 28, 2025, carrying a CVSS score of 10.0. The vulnerability affects SmarterMail Build 9406 and earlier, allowing unauthenticated attackers to upload arbitrary files to any location on the server. No user interaction is required, and the path from file upload to remote code execution is short. Given that attackers adore exposed email infrastructure, they will likely go to town on it, since it looks like there are some out there (via Censys).

While we’re still working on a tag for that particular CVE, our new AI-driven emergent threat detection process noticed that the Global Observation Grid had caught what appears to be a preparation phase ahead of exploitation attempts.

## What We’re Seeing

Starting January 12, 2026, the GreyNoise Global Observation Grid observed 5,541 sessions targeting a specific SmarterMail API endpoint: `/api/v1/licensing/about`. This endpoint returns version information, which is precisely what one would query if one were building an inventory of vulnerable instances before launching exploitation at scale:

```
❯ curl -sk https://###.###.###.###/api/v1/licensing/about | jq
{
  "version": "100.0.9483",
  "edition": 0,
  "enterpriseFunctionality": true,
  "activeSyncEnabled": false,
  "mapiEwsEnabled": false,
  "isTrialLicense": false
}
```

When we took a look at the 5.5K sessions, a distinct signature emerged: they all share a single JA4H HTTP fingerprint:

`ge11nn06en00_0e5d97bc8ad6_*`

This uniformity, combined with the infrastructure profile, points to a single coordinated campaign rather than multiple independent actors just stumbling onto the same reconnaissance technique.

## Infrastructure Profile

The scanning originated from 14 IP addresses, all hosted on DigitalOcean (AS14061).
The distribution of sessions across these IPs suggests a deliberate load-balancing approach:

| IP Address | Sessions |
| --- | --- |
| 142.93.190.121 | 1,460 |
| 142.93.185.162 | 754 |
| 142.93.189.2 | 679 |
| 142.93.188.199 | 590 |
| 142.93.190.253 | 464 |
| 142.93.185.181 | 382 |
| 142.93.189.243 | 340 |
| 142.93.188.162 | 285 |

The remaining six IPs account for the balance, with session counts ranging from 197 down to 4. (NOTE: three IPs were first observed in GreyNoise starting on January 10th, a continuance of the trend we’ve been observing throughout the latter half of 2026.)

Three JA4T TCP fingerprints appear across the campaign, all consistent with Unix-like operating systems. The primary fingerprint (`64240_2-4-8-1-3_1460_7`) matches patterns commonly seen from WSL Ubuntu 22.04 environments. A secondary variant (`65495_2-4-8-1-3_65495_7`) suggests jumbo frame or custom MTU configurations, possibly indicating virtualized or cloud-native tooling.

## Behavioral Indicators

As we continued to poke, the User-Agent strings proudly told their own story. The campaign rotates through fabricated browser identifiers, including references to Linux distributions that don’t exist (“SS”, “ZZ”) alongside legitimate ones (Fedora, CentOS, Debian, Knoppix). Chrome version strings range from 118 to 135, Firefox from 120 to 135. This randomization is typical of automated scanning tools attempting to blend in (though the fabricated distro names undercut that effort).

Port coverage is predictably comprehensive: 80, 443, 8000, 8080, 8443, and 10443, so the campaign is checking wherever SmarterMail might be listening. (Please stop trying to “hide” things on high ports; it never works.)

The target distribution spans 55+ countries, with the United States receiving the most attention (768 sessions), followed by Spain, India, and Indonesia. This isn’t targeted reconnaissance against a specific organization; it’s internet-wide enumeration.
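The endpoint, JA4H prefix and fabricated distro names described above are enough to triage your own web or proxy logs for this pattern. The following is an added example written for this post (not GreyNoise tooling); it assumes a reverse proxy that logs JA4H next to each request, and the log lines, IPs and User-Agent strings in it are constructed.

```python
import json
from collections import defaultdict

RECON_PATH = "/api/v1/licensing/about"
# JA4H prefix reported for the campaign; the trailing sections vary, hence a prefix match.
CAMPAIGN_JA4H_PREFIX = "ge11nn06en00_0e5d97bc8ad6_"
# Distribution names the post identifies as fabricated.
FAKE_DISTROS = {"SS", "ZZ"}

# Constructed sample log (JSON lines). Assumes a reverse proxy that records the
# client's JA4H alongside each request; the IPs and User-Agents are made up.
SAMPLE_LOG = """\
{"src_ip": "203.0.113.10", "path": "/api/v1/licensing/about", "ua": "Mozilla/5.0 (X11; SS; Linux x86_64) Chrome/125.0", "ja4h": "ge11nn06en00_0e5d97bc8ad6_000000000000_000000000000"}
{"src_ip": "203.0.113.10", "path": "/api/v1/licensing/about", "ua": "Mozilla/5.0 (X11; Fedora; Linux x86_64) Firefox/131.0", "ja4h": "ge11nn06en00_0e5d97bc8ad6_000000000000_000000000000"}
{"src_ip": "203.0.113.11", "path": "/api/v1/licensing/about", "ua": "Mozilla/5.0 (X11; ZZ; Linux x86_64) Chrome/130.0", "ja4h": "ge11nn06en00_0e5d97bc8ad6_000000000000_000000000000"}
{"src_ip": "198.51.100.7", "path": "/api/v1/licensing/about", "ua": "curl/8.5.0", "ja4h": "ge11cn000000_aaaaaaaaaaaa_000000000000_000000000000"}
{"src_ip": "198.51.100.7", "path": "/", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/131.0", "ja4h": "ge11cn000000_aaaaaaaaaaaa_000000000000_000000000000"}
"""


def has_fake_distro(ua: str) -> bool:
    """True if the parenthesised platform section of the UA names a distro from FAKE_DISTROS."""
    start, end = ua.find("("), ua.find(")")
    if start < 0 or end < start:
        return False
    tokens = {t.strip() for t in ua[start + 1:end].split(";")}
    return bool(tokens & FAKE_DISTROS)


def triage(log_text: str) -> dict:
    """Per-source summary: hits on the version endpoint and which campaign traits each source shows."""
    per_ip = defaultdict(lambda: {"about_hits": 0, "campaign_ja4h": False, "fake_distro_ua": False})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("path") != RECON_PATH:
            continue  # only the version endpoint matters for this pattern
        entry = per_ip[rec["src_ip"]]
        entry["about_hits"] += 1
        entry["campaign_ja4h"] |= rec.get("ja4h", "").startswith(CAMPAIGN_JA4H_PREFIX)
        entry["fake_distro_ua"] |= has_fake_distro(rec.get("ua", ""))
    return dict(per_ip)


def campaign_sources(log_text: str) -> list:
    """Sources whose version-endpoint requests carry the campaign's JA4H prefix."""
    return sorted(ip for ip, e in triage(log_text).items() if e["campaign_ja4h"])
```

A source that hits the endpoint without the campaign fingerprint (198.51.100.7 in the sample) still shows up in the triage output, so you can decide separately whether ordinary version probes from untrusted networks are acceptable.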
## Timeline

The bulk of the activity occurred in a concentrated four-hour window on January 12, 2026:

| Time (UTC) | Sessions |
| --- | --- |
| 15:00 | 2,071 |
| 16:00 | 2,020 |
| 17:00 | 1,283 |
| 18:00 | 167 |

Packets continued to flow in as we penned this post.

## What This Means

This is reconnaissance, not exploitation. We haven’t observed follow-on activity from these IPs targeting other SmarterMail endpoints or attempting file uploads. The campaign appears focused on answering a single question: which SmarterMail instances are out there, and what versions are they running? That answer has value, since once the threat actor compiles it, any discovered nodes become targets for exploitation (either by the same actor or sold to others). The 15-day gap between CVE publication and scanning activity is consistent with the time needed to x-ray the software, develop tooling and provision infrastructure.

## Detection and Response

GreyNoise is developing tags for both CVE-2025-52691 exploitation attempts and this reconnaissance pattern. In the meantime, defenders can use the following GNQL query to identify this activity in their GreyNoise data (you can also view this scanning activity in the GreyNoise Visualizer):

```
raw_data.http.path:"/api/v1/licensing/about"
```

Organizations running SmarterMail should verify they’re on Build 9407 or later. If patching isn’t immediately possible, consider blocking or rate-limiting access to the `/api/v1/licensing/about` endpoint from untrusted sources.

## Indicators of Compromise

JA4H Fingerprint: `ge11nn06en00_0e5d97bc8ad6_*000000000000_000000000000*`

JA4T Fingerprints:

- `64240_2-4-8-1-3_1460_7`
- `65495_2-4-8-1-3_65495_7`
- `33280_2-4-8-1-3_65495_7`

Source IPs (AS14061 - DigitalOcean) (so far): the 14 DigitalOcean addresses described in the Infrastructure Profile section above, eight of which are listed there with their session counts.
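The "verify you're on Build 9407 or later" advice is easy to automate across a fleet using the same `/api/v1/licensing/about` response the scanners are collecting. The following is an added example for this post (not SmarterTools or GreyNoise code); it assumes the build number is the last dotted component of the `version` field, as in the `100.0.9483` response shown earlier, and the sample response and host names are constructed.

```python
import json

# Per the advisory text: Build 9406 and earlier are affected, 9407 and later are fixed.
LAST_VULNERABLE_BUILD = 9406

# Constructed sample, shaped like the jq-formatted response shown earlier (not a real host).
SAMPLE_ABOUT = """{
  "version": "100.0.9483",
  "edition": 0,
  "enterpriseFunctionality": true,
  "activeSyncEnabled": false,
  "mapiEwsEnabled": false,
  "isTrialLicense": false
}"""


def build_number(version: str) -> int:
    """Extract the build from a SmarterMail version string.

    Assumption (not stated on the page): the build is the final dotted
    component, e.g. "100.0.9483" -> 9483.
    """
    parts = version.strip().split(".")
    if len(parts) < 2 or not parts[-1].isdigit():
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(parts[-1])


def assess(about_json: str) -> dict:
    """Classify one /api/v1/licensing/about response body as patched or not."""
    data = json.loads(about_json)
    build = build_number(data["version"])
    return {
        "version": data["version"],
        "build": build,
        "vulnerable": build <= LAST_VULNERABLE_BUILD,
    }


def hosts_needing_patch(responses: dict) -> list:
    """Given {host: about_json} gathered from your own servers, list the unpatched ones."""
    return sorted(host for host, body in responses.items() if assess(body)["vulnerable"])
```

Feed `assess` the body returned by the curl command shown earlier, run against your own hosts; the endpoint answers without credentials, which is also why restricting it from untrusted networks is worthwhile even after patching.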
Analysis Summary
# Incident Report: Coordinated Reconnaissance Targeting SmarterMail Post-CVE-2025-52691
## Executive Summary
Following the disclosure of the critical vulnerability CVE-2025-52691 (RCE via unauthenticated file upload) on December 28, 2025, a coordinated, large-scale reconnaissance campaign was observed beginning January 12, 2026. Threat actors used 14 DigitalOcean-hosted IP addresses to query the `/api/v1/licensing/about` endpoint across 55+ countries, mapping vulnerable SmarterMail installations. No exploitation attempts were observed during this reconnaissance phase.
## Incident Details
- Discovery Date: January 12, 2026 (Detected by GreyNoise Global Observation Grid)
- Incident Date: Scanning activity began January 12, 2026. (CVE publication was Dec 28, 2025)
- Affected Organization: SmarterTools SmarterMail (Users running Build 9406 and earlier)
- Sector: Broad internet-facing infrastructure (Email Gateways)
- Geography: Global, with highest session counts in the US, Spain, India, and Indonesia.
## Timeline of Events
### Initial Access (Reconnaissance Phase)
- **Date/Time:** Starting January 12, 2026, concentrated activity between 15:00 UTC and 18:00 UTC.
- **Vector:** Unauthenticated API polling using a consistent JA4H fingerprint.
- **Details:** 5,541 sessions targeted the vulnerable application's version information endpoint (`/api/v1/licensing/about`) across 14 Cloud IPs, indicating preparation for large-scale exploitation of CVE-2025-52691.
### Lateral Movement
- Not observed. This activity was strictly reconnaissance/discovery focused.
### Data Exfiltration/Impact
- No exploitation or data exfiltration was observed in this phase. The immediate impact was the mapping of vulnerable assets.
### Detection & Response
- **Detection:** Detected by GreyNoise AI-driven emergent threat detection process via the Global Observation Grid.
- **Response Actions:** GreyNoise initiated development of specific detection tags for the reconnaissance pattern and published findings immediately to alert defenders.
## Attack Methodology
- **Initial Access:** Unauthenticated network surveying via direct connection to web service ports (80, 443, 8000, 8080, 8443, 10443).
- **Persistence:** Not applicable (Reconnaissance only).
- **Privilege Escalation:** Not applicable (Pre-exploitation phase).
- **Defense Evasion:** Attempted by rotating fabricated User-Agent strings referencing non-existent Linux distributions ("SS", "ZZ") alongside legitimate ones (Fedora, CentOS).
- **Credential Access:** Not applicable.
- **Discovery:** Targeted querying of the `/api/v1/licensing/about` endpoint to enumerate running SmarterMail versions (Build 9406 and earlier are vulnerable).
- **Lateral Movement:** Not observed.
- **Collection:** Focused on version enumeration via API response gathering.
- **Exfiltration:** Not observed.
- **Impact:** Asset mapping/Inventory compilation for future exploitation efforts.
## Impact Assessment
- **Financial:** Not applicable; no evidence of direct financial loss or system compromise.
- **Data Breach:** No data breach observed, but high potential threat for all unpatched instances.
- **Operational:** No operational disruption reported for scanned entities.
- **Reputational:** Minimal immediate impact, but highlights exposure risk for SmarterMail administrators.
## Indicators of Compromise
**Network Indicators (Source IPs - DigitalOcean AS14061):**
- 142.93.190.121 (1,460 sessions)
- 142.93.185.162 (754 sessions)
- 142.93.189.2 (679 sessions)
- 142.93.188.199 (590 sessions)
- 142.93.190.253 (464 sessions)
- 142.93.185.181 (382 sessions)
- 142.93.189.243 (340 sessions)
- 142.93.188.162 (285 sessions)
- (Plus 6 additional IPs)
**File Indicators:**
- None observed (This was network reconnaissance only).
**Behavioral Indicators:**
- **Key Endpoint Hit:** `/api/v1/licensing/about`
- **Primary JA4H Fingerprint:** `ge11nn06en00_0e5d97bc8ad6_*`
- **Primary JA4T TCP Fingerprint (WSL Ubuntu 22.04 pattern):** `64240_2-4-8-1-3_1460_7`
- **Secondary JA4T Fingerprint (Custom MTU/Jumbo frames):** `65495_2-4-8-1-3_65495_7`
## Response Actions
- **Containment Measures (Recommended):** Organizations running SmarterMail should immediately investigate traffic to the `/api/v1/licensing/about` endpoint. Blocking or rate-limiting access to this specific API from untrusted external sources is recommended as a temporary measure.
- **Eradication Steps:** N/A (No intrusion observed).
- **Recovery Actions (Preventative):** Organizations must immediately update SmarterMail to Build 9407 or later to remediate CVE-2025-52691.
## Lessons Learned
- Threat actors are actively and rapidly deploying toolkits following major vulnerability disclosures (15-day gap between publication and observed scanning).
- Automated reconnaissance campaigns are highly centralized and use consistent network/behavioral signatures (JA4H/JA4T), allowing for effective broad detection even before exploitation begins.
- Reconnaissance is a vital, observable precursor to large-scale attacks targeting critical infrastructure like email gateways.
## Recommendations
1. **Patch Immediately:** Upgrade all SmarterMail installations to Build 9407 or newer to mitigate the underlying RCE vulnerability (CVE-2025-52691).
2. **Endpoint Restriction:** Implement WAF or firewall rules to restrict access to non-essential API endpoints, such as `/api/v1/licensing/about`, only to trusted internal networks or specific management IPs if possible.
3. **Monitor Network Fingerprints:** Organizations should actively monitor network traffic for the identified JA4H/JA4T fingerprints associated with this campaign to detect any subsequent exploitation attempts.