Critical Vulnerabilities in IBM API Connect and SmarterMail Exposed
TL;DR
SmarterMail Critical Vulnerability
SmarterTools has released a security update for SmarterMail to address a critical vulnerability. The flaw carries a maximum severity rating, posing a significant risk to organizations. Immediate patching is strongly advised.
- The vulnerability is identified as CVE-2025-52691.
- It was discovered by security researcher Mr Chua Meng Han from the Centre for Strategic Infocomm Technologies (CSIT).
- The vulnerability received a critical CVSS 3.1 score of 10.0, indicating maximum severity.
- An unauthenticated attacker can exploit this vulnerability to upload arbitrary files to any location on a SmarterMail server.
- This can lead to remote code execution, potentially granting attackers complete control over affected mail servers.
- Consequences include unauthorized access to sensitive email, malware installation, credential theft, and lateral movement.
Affected Versions and Mitigation
SmarterMail versions before Build 9406 are vulnerable and should be updated immediately.
- Administrators can check their current version in the SmarterMail administrative console.
- SmarterTools has released Build 9413, which includes the security fix.
- Organizations should prioritize patching internet-facing mail servers.
- SmarterTools collaborated with the Cyber Security Agency (CSA) on coordinated vulnerability disclosure.
Patching Steps
- Identify all SmarterMail installations.
- Verify current software versions.
- Test the Build 9413 update in a non-production environment.
- Deploy updates across all affected systems.
- Monitor server logs for suspicious activity.
CISA Vulnerability Summary
The CISA Vulnerability Bulletin summarizes the new Common Vulnerabilities and Exposures (CVE) entries recorded in the past week, grouped by severity according to the Common Vulnerability Scoring System (CVSS) standard:
- High: CVSS base score of 7.0–10.0
- Medium: CVSS base score of 4.0–6.9
- Low: CVSS base score of 0.0–3.9
High Vulnerabilities
Several high-severity vulnerabilities have been identified across various products:
9786--phpok3w: SQL injection vulnerability in phpok3w up to 901d96a06809fb28b17f3a4362c59e70411c933c. (CVE-2025-15142, VDB-338520)
Alteryx--Server: Improper authentication vulnerability in Alteryx Server. Upgrade to version 2023.1.1.13.486, 2023.2.1.10.293, 2024.1.1.9.236, 2024.2.1.6.125 or 2025.1.1.1.31. (CVE-2025-15097, VDB-338428)
Anviz Biometric Technology Co., Ltd--Anviz AIM CrossChex Standard: CSV injection vulnerability in Anviz AIM CrossChex Standard 4.3.6.0. (CVE-2018-25135, ExploitDB-45765)
beaverbuilder--Beaver Builder Page Builder Drag and Drop Website Builder: Unauthorized access and modification of data vulnerability in Beaver Builder WordPress plugin up to version 2.9.4.1. (CVE-2025-12934)
Beward R&D Co., Ltd--N100 H.264 VGA IP Camera: Authenticated file disclosure vulnerability in Beward N100 H.264 VGA IP Camera M2.1.6. (CVE-2019-25246, ExploitDB-46320)
Beward--N100 H.264 VGA IP Camera: Unauthenticated vulnerability allowing remote attackers to access live video streams in Beward N100 M2.1.6.04C014. (CVE-2019-25248, ExploitDB-46317)
Centreon--Infra Monitoring - Open-tickets: SQL injection vulnerability in Centreon Infra Monitoring - Open-tickets (notification rules configuration parameters, Open tickets modules) that can be exploited by a user with elevated privileges. (CVE-2025-12514)
CMSimple--CMSimple: Stored cross-site scripting vulnerability in CMSimple 5.2 Filebrowser External input field. (CVE-2021-47732, ExploitDB-49751)
Cmsimple--Cmsimple: Authenticated remote code execution vulnerability in CMSimple 5.4 allowing logged-in attackers to inject malicious PHP code into template files. (CVE-2021-47735, ExploitDB-50356)
Cmsimple-Xh--CMSimple_XH: Authenticated remote code execution vulnerability in the CMSimple_XH 1.7.4 content editing functionality. (CVE-2021-47736, ExploitDB-50367)
Cobiansoft--Cobian Backup Gravity: Unquoted service path vulnerability in Cobian Backup Gravity 11.2.0.582. (CVE-2022-50688, ExploitDB-50791)
code-projects--Online Farm System: SQL injection vulnerability in code-projects Online Farm System 1.0 affecting /addProduct.php. (CVE-2025-15049, VDB-337854)
code-projects--Refugee Food Management System: SQL injection vulnerability in code-projects Refugee Food Management System 1.0 affecting /home/home.php. (CVE-2025-15012, VDB-337718)
code-projects--Simple Stock System: SQL injection vulnerability in code-projects Simple Stock System 1.0 affecting /logout.php. (CVE-2025-15011, VDB-337717)
code-projects--Student Information System: SQL injection vulnerability in code-projects Student Information System 1.0 affecting /searchresults.php. (CVE-2025-15053, VDB-337859)
IBM Security Vulnerabilities
Multiple vulnerabilities have been addressed in IBM API Connect. In addition, IBM App Connect Enterprise and IBM Integration Bus are exposed to remote attackers through several CVEs in the bundled jsonwebtoken library; the fix updates jsonwebtoken to version 9.0.0.
- IBM API Connect version 10.0.8.2-ifix1 addresses multiple vulnerabilities.
- IBM App Connect Enterprise and IBM Integration Bus are vulnerable to jsonwebtoken vulnerabilities (CVE-2022-23541, CVE-2022-23539, CVE-2022-23529, CVE-2022-23540).
These vulnerabilities highlight the need for a robust cybersecurity architecture. Gopher Security specializes in AI-powered, post-quantum Zero-Trust cybersecurity. Our platform converges networking and security across devices, apps, and environments—from endpoints and private networks to cloud, remote access, and containers—using peer-to-peer encrypted tunnels and quantum-resistant cryptography.
Explore our services and contact us at Gopher Security to learn more about how we can protect your organization.