Threat Advisory

Critical SmarterMail Flaw Enables Unauthenticated Server Takeover

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

A critical vulnerability, tracked as CVE-2025-52691, has been identified in SmarterMail, a widely deployed enterprise email server. It carries a CVSS score of 10.0, the maximum severity. The flaw lies in the server's handling of file uploads: an unauthenticated remote attacker can upload arbitrary files to any location on the server, and that write primitive can be abused to execute malicious code and fully compromise the email server without valid credentials. Any exposed system running an affected build is at immediate risk, since exploitation can yield complete control over email data, server functions and associated services. The issue affects builds earlier than the fixed release and is high-impact because of its low attack complexity and the absence of any authentication requirement. The vendor has released an updated build (Build 9413) that addresses the flaw and mitigates the risk of server takeover.
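The summary above describes the general weakness class behind this CVE: an upload handler that lets the client choose the destination path becomes an arbitrary file write, and an arbitrary file write into a served or executable directory becomes code execution. The following is an added, generic illustration of that class and of the controls a hardened handler applies. It is not SmarterMail's code, it does not describe how CVE-2025-52691 is actually triggered, and every path, filename, directory layout and extension list in it is constructed for the example.

```python
"""
Added illustration of the arbitrary-file-upload weakness class (not SmarterMail
code, not a description of CVE-2025-52691's trigger). All paths, filenames and
the extension allow-list below are constructed for the example.
"""
import os
import tempfile

# Constructed allow-list: extensions an attachment/avatar upload would plausibly
# need. Anything a web server or runtime would execute is deliberately absent.
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".png", ".jpg", ".eml"}


def save_upload_vulnerable(upload_root: str, client_filename: str, data: bytes) -> str:
    """Weak handler: trusts the client-supplied filename.

    os.path.join() does not neutralise '..' segments, and it silently discards
    upload_root when client_filename is absolute, so the caller picks the
    destination. Dropping a server-executable file under the web root then
    yields code execution with the server's privileges.
    """
    dest = os.path.join(upload_root, client_filename)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def save_upload_hardened(upload_root: str, client_filename: str, data: bytes) -> str:
    """Hardened handler: the server, not the client, decides where bytes land."""
    name = client_filename
    # 1. Accept only a bare filename. Separators, traversal, NUL bytes and
    #    ':' (Windows drive letters / NTFS alternate data streams) are attack
    #    indicators, not user error, so reject rather than "clean".
    if (not name or "/" in name or "\\" in name or ":" in name
            or "\x00" in name or name in (".", "..")):
        raise ValueError(f"rejected filename: {name!r}")
    # 2. Never store server-executable content; allow-list what is expected.
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"rejected extension: {ext!r}")
    # 3. Defence in depth: resolve and confirm containment even after step 1.
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("destination escapes upload root")
    # 4. O_EXCL: never clobber an existing file (configs, binaries);
    #    O_NOFOLLOW: never write through a planted symlink.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(dest, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> dict:
    """Drive both handlers with a constructed traversal filename inside a
    scratch tree and report what happened, so the contrast is checkable."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        upload_root = os.path.join(base, "uploads")
        web_root = os.path.join(base, "webroot")   # stands in for the served tree
        os.makedirs(upload_root)
        os.makedirs(web_root)
        real_root = os.path.realpath(upload_root)

        # Constructed attacker input: one '..' hop from uploads/ into webroot/.
        traversal_name = "../webroot/dropper.aspx"
        payload = b"<!-- constructed placeholder; not a working web shell -->"

        written = save_upload_vulnerable(upload_root, traversal_name, payload)
        results["vulnerable_escaped_root"] = (
            os.path.commonpath([real_root, os.path.realpath(written)]) != real_root
        )
        results["vulnerable_landed_in_webroot"] = os.path.exists(
            os.path.join(web_root, "dropper.aspx"))

        try:
            save_upload_hardened(upload_root, traversal_name, payload)
            results["hardened_rejected_traversal"] = False
        except ValueError:
            results["hardened_rejected_traversal"] = True

        # A benign upload still succeeds and stays inside the upload root.
        ok = save_upload_hardened(upload_root, "report.pdf", b"%PDF-1.4 constructed")
        results["hardened_accepted_plain"] = (
            os.path.dirname(os.path.realpath(ok)) == real_root)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the contrast is that the hardened version does not try to sanitise a hostile path into a safe one; it rejects anything that is not a plain filename, refuses executable extensions outright, proves containment after resolution, and opens with O_EXCL so an existing server file can never be overwritten. Each of those is an independent layer, which is what you want when the caller is unauthenticated.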

RECOMMENDATION:

  • We strongly recommend that you update SmarterMail to Build 9413 or later, which addresses this flaw.

REFERENCES:

The following report contains further technical details:

https://securityonline.info/cve-2025-52691-cvss-10-critical-smartermail-flaw-opens-servers-to-unauthenticated-attacks/
