New SmarterMail Vulnerability Detections
Cloudflare has released WAF rules to protect against two critical vulnerabilities in SmarterTools SmarterMail:
CVE-2025-52691 (Arbitrary File Upload): This vulnerability allows unauthenticated attackers to upload files to any location on the mail server, potentially leading to remote code execution. The new rule blocks attempts to exploit this flaw.
CVE-2026-23760 (Authentication Bypass): Affects SmarterMail versions prior to build 9511 and permits unauthenticated users to reset system administrator account passwords without verification of existing passwords or reset tokens. This could grant attackers full administrative access to mail infrastructure.
Rule Changes
Two new Cloudflare Managed Ruleset rules are now active:
- Rule ID: ...966ec6b1 – SmarterMail Arbitrary File Upload (CVE-2025-52691)
- Rule ID: ...ee964a8c – SmarterMail Authentication Bypass (CVE-2026-23760)
Both rules default to the Block action, so any WAF security policy that has the managed ruleset enabled receives automatic protection. Additionally, the Command Injection (Nslookup) detection has been improved and merged into the primary command injection rule for broader coverage.
Action Items
Organizations running SmarterMail should:
- Apply vendor patches immediately to address the underlying vulnerabilities
- Verify that the Cloudflare Managed Ruleset is enabled in your WAF security policies so that the new rules block automatically
- Review WAF logs to identify any previous exploitation attempts against these CVEs
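The last action item, reviewing WAF logs for earlier exploitation attempts, is easier with a small triage script. The following is an added example, not code from Cloudflare or SmarterTools. It reads newline-delimited JSON in the shape of Cloudflare Logpush firewall-event records; the field names it relies on (`Datetime`, `ClientIP`, `RuleID`, `Action`) are assumed, the sample records are constructed, and the rule IDs in those records are constructed values that merely end in the suffixes listed above (the full IDs are visible in the dashboard). It tallies events per CVE, records the earliest sighting and source addresses, and singles out events that were not blocked, since those are the requests that reached the origin and need host-side follow-up.

```python
"""Triage Cloudflare WAF firewall events for the two SmarterMail rules.

Added example (not Cloudflare's or SmarterTools' code). Input is newline-delimited
JSON in the shape of Logpush firewall-event records; the field names used here
(Datetime, ClientIP, RuleID, Action) are assumed, and the records in SAMPLE_LOGS
are constructed for illustration only.
"""
import json
from collections import Counter, defaultdict

# Rule-ID suffixes as listed in the changelog above; full IDs come from the dashboard.
RULE_SUFFIX_TO_CVE = {
    "966ec6b1": "CVE-2025-52691 (Arbitrary File Upload)",
    "ee964a8c": "CVE-2026-23760 (Authentication Bypass)",
}

# Constructed sample export: RFC 5737 documentation addresses, placeholder rule IDs
# ("example-<suffix>"), one unrelated rule, and one corrupt line to exercise error handling.
SAMPLE_LOGS = """\
{"Datetime":"2026-02-01T10:00:00Z","ClientIP":"203.0.113.10","RuleID":"example-966ec6b1","Action":"block"}
{"Datetime":"2026-02-01T10:00:05Z","ClientIP":"203.0.113.10","RuleID":"example-ee964a8c","Action":"block"}
{"Datetime":"2026-01-30T08:12:00Z","ClientIP":"198.51.100.7","RuleID":"example-ee964a8c","Action":"log"}
{"Datetime":"2026-02-01T11:00:00Z","ClientIP":"192.0.2.5","RuleID":"example-aaaa0000","Action":"block"}
not json at all
"""


def classify(rule_id):
    """Map a rule ID to the CVE it covers, or None if it is not one of the two new rules."""
    for suffix, cve in RULE_SUFFIX_TO_CVE.items():
        if rule_id.endswith(suffix):
            return cve
    return None


def summarize(lines):
    """Return (summary, skipped).

    summary maps each CVE to a dict with:
      actions    - Counter of WAF actions taken (block, log, ...)
      sources    - set of client IPs that triggered the rule
      first_seen - earliest Datetime observed (ISO 8601 strings compare lexically)
    skipped counts lines that were not valid JSON.
    """
    summary = defaultdict(
        lambda: {"actions": Counter(), "sources": set(), "first_seen": None}
    )
    skipped = 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            skipped += 1
            continue
        cve = classify(str(event.get("RuleID", "")))
        if cve is None:
            continue  # some other managed rule; not part of this review
        entry = summary[cve]
        entry["actions"][event.get("Action", "unknown")] += 1
        entry["sources"].add(event.get("ClientIP", "unknown"))
        seen = event.get("Datetime")
        if seen and (entry["first_seen"] is None or seen < entry["first_seen"]):
            entry["first_seen"] = seen
    return dict(summary), skipped


def unblocked_cves(summary):
    """CVEs with at least one matching request that the WAF did not block.

    A non-block action (for example a rule left in log mode before the ruleset
    was switched to Block) means the request reached the mail server, so that
    host should be checked for signs of compromise rather than assumed safe.
    """
    return sorted(
        cve for cve, entry in summary.items()
        if any(action != "block" for action in entry["actions"])
    )


if __name__ == "__main__":
    result, bad_lines = summarize(SAMPLE_LOGS.splitlines())
    for cve, entry in result.items():
        print(f"{cve}: first seen {entry['first_seen']}, "
              f"actions {dict(entry['actions'])}, sources {sorted(entry['sources'])}")
    print("needs host-side follow-up:", unblocked_cves(result))
    print("unparseable lines skipped:", bad_lines)
```

To use it on a real export, replace `SAMPLE_LOGS.splitlines()` with the lines of a Logpush or dashboard export and put the full rule IDs from the dashboard into `RULE_SUFFIX_TO_CVE`. Events dated before the rules went live cannot appear in WAF logs at all, so for that window the review has to fall back to SmarterMail's own logs and the vendor's guidance.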