SmarterMail Version Enumeration: Threat Actors Building Target Lists Post-CVE-2025-52691

GreyNoise Labs' human-in-the-loop, AI-driven emergent threat detection has identified coordinated reconnaissance activity targeting SmarterMail instances following the disclosure of CVE-2025-52691, a critical arbitrary file upload vulnerability. We're actively developing detection tags and sharing early findings so defenders can act now.
Author: hrbrmstr

Published: January 13, 2026

CVE-2025-52691 (an unauthenticated arbitrary file upload weakness enabling remote code execution on SmarterTools SmarterMail) was published on December 28, 2025 with a CVSS score of 10.0. The vulnerability affects SmarterMail Build 9406 and earlier and allows unauthenticated attackers to upload arbitrary files to any location on the server. No user interaction is required, and the path from arbitrary file write to remote code execution is short. Attackers adore exposed email infrastructure, and Censys shows internet-facing SmarterMail instances are out there, so exploitation attempts are all but certain.

While we're still working on a tag for that particular CVE, our new AI-driven emergent threat detection process flagged activity in the Global Observation Grid that looks like a preparation phase ahead of exploitation attempts.

What We’re Seeing

Starting January 12, 2026, the GreyNoise Global Observation Grid observed 5,541 sessions targeting a specific SmarterMail API endpoint: /api/v1/licensing/about. This endpoint answers without authentication and returns version information, which is precisely what one would query when building an inventory of vulnerable instances before launching exploitation at scale:

 curl -sk https://###.###.###.###/api/v1/licensing/about | jq
{
  "version": "100.0.9483",
  "edition": 0,
  "enterpriseFunctionality": true,
  "activeSyncEnabled": false,
  "mapiEwsEnabled": false,
  "isTrialLicense": false
}
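To turn that response into a go/no-go verdict for your own fleet, here is an added example (not GreyNoise's or SmarterTools' code) that parses the JSON body and compares the build against the 9406 cutoff quoted above. It assumes, as the example response suggests, that the build number is the last dotted component of "version"; the sample bodies are constructed, and the fetch helper mirrors curl -sk by skipping certificate validation.

```python
"""Classify SmarterMail /api/v1/licensing/about responses for CVE-2025-52691.

Added example, not GreyNoise or SmarterTools code.  Assumption: the build
number is the last dotted component of the "version" field (100.0.9483 -> 9483).
"""
import json
import ssl
import sys
import urllib.request

LAST_VULNERABLE_BUILD = 9406          # "Build 9406 and earlier" per the advisory text
FIXED_BUILD = LAST_VULNERABLE_BUILD + 1  # 9407


def parse_build(version: str) -> int:
    """Return the build number from a version string such as '100.0.9483'.

    Anything that does not end in a numeric component is rejected rather
    than guessed at, so a changed response format fails loudly."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not parts[-1].isdigit():
        raise ValueError(f"unexpected version format: {version!r}")
    return int(parts[-1])


def assess(body: str) -> dict:
    """Turn a raw JSON response body into a verdict record."""
    data = json.loads(body)
    build = parse_build(data["version"])
    return {
        "version": data["version"],
        "build": build,
        "vulnerable": build <= LAST_VULNERABLE_BUILD,
        "fixed_build_required": FIXED_BUILD,
        "trial": bool(data.get("isTrialLicense", False)),
    }


def fetch_about(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Fetch the endpoint from one of YOUR hosts; equivalent of `curl -sk`.

    Certificate validation is disabled because SmarterMail installs are
    often self-signed, exactly as -k does for curl."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = f"https://{host}:{port}/api/v1/licensing/about"
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8")


# Constructed sample bodies; the first mirrors the response quoted in the post.
SAMPLE_PATCHED = '{"version": "100.0.9483", "edition": 0, "isTrialLicense": false}'
SAMPLE_VULNERABLE = '{"version": "100.0.9406", "edition": 0, "isTrialLicense": false}'

if __name__ == "__main__":
    hosts = sys.argv[1:]
    if not hosts:
        for body in (SAMPLE_PATCHED, SAMPLE_VULNERABLE):
            print(assess(body))
    for h in hosts:
        try:
            print(h, assess(fetch_about(h)))
        except Exception as exc:  # network or parse failure: report and keep going
            print(h, "error:", exc)
```

Run it with a list of your own hostnames as arguments; with no arguments it classifies the two constructed samples so you can see the verdict shape before pointing it at real servers.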

When we took a look at the 5.5K sessions, a distinct signature emerged, as they all share a single JA4H HTTP fingerprint:

ge11nn06en00_0e5d97bc8ad6_*

This uniformity, combined with the infrastructure profile, points to a single coordinated campaign rather than multiple independent actors just stumbling onto the same reconnaissance technique.
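Decoding that fingerprint shows why it is so stable across 5.5K sessions. Per the JA4H spec, the first section ge11nn06en00 reads as GET, HTTP/1.1, no Cookie, no Referer, six headers, Accept-Language "en", and the second section hashes the header names in wire order, not their values, so the User-Agent rotation described under Behavioral Indicators never changes it. The following added example (not GreyNoise's code) computes JA4H from a parsed request following the spec as understood here. The scanner's actual header names are a guess, so only the first section and the all-zero cookie sections are expected to match the campaign fingerprint; excluding Cookie and Referer from the header count and from the name hash is an assumption about the spec.

```python
"""Derive a JA4H HTTP client fingerprint from a parsed request.

Added example, not GreyNoise's implementation, written to the FoxIO JA4H spec
as understood here.  Assumptions: the header count and JA4H_b exclude Cookie
and Referer (which JA4H_a flags separately), and hashes are SHA-256 truncated
to 12 hex characters.
"""
import hashlib
from typing import List, Tuple

NO_COOKIES = "000000000000"  # JA4H_c / JA4H_d when no Cookie header is present
HTTP_VERSION = {"HTTP/1.0": "10", "HTTP/1.1": "11", "HTTP/2": "20", "HTTP/3": "30"}


def _h12(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()[:12]


def ja4h(method: str, version: str, headers: List[Tuple[str, str]]) -> str:
    """headers: (name, value) pairs in the order they appeared on the wire."""
    lower = [(n.lower(), v) for n, v in headers]
    has_cookie = any(n == "cookie" for n, _ in lower)
    has_referer = any(n == "referer" for n, _ in lower)
    # Assumption: Cookie and Referer are left out of the count and the name hash.
    counted = [n for n, _ in headers if n.lower() not in ("cookie", "referer")]

    lang = "0000"  # primary Accept-Language, lowercased, hyphens removed, 0-padded
    for n, v in lower:
        if n == "accept-language":
            primary = v.split(",")[0].split(";")[0].strip().lower().replace("-", "")
            lang = (primary + "0000")[:4]
            break

    a = "".join([
        method[:2].lower(),
        HTTP_VERSION.get(version.upper(), "00"),
        "c" if has_cookie else "n",
        "r" if has_referer else "n",
        f"{min(len(counted), 99):02d}",
        lang,
    ])
    b = _h12(",".join(counted))  # names only: rotating values never changes this

    cookies: List[str] = []
    for n, v in lower:
        if n == "cookie":
            cookies.extend(c.strip() for c in v.split(";") if c.strip())
    if cookies:
        c = _h12(",".join(sorted(ck.split("=", 1)[0] for ck in cookies)))
        d = _h12(",".join(sorted(cookies)))
    else:
        c = d = NO_COOKIES
    return f"{a}_{b}_{c}_{d}"


# Constructed request resembling the campaign: GET over HTTP/1.1, no Cookie, no
# Referer, six headers, Accept-Language "en".  The header names are a guess.
SCANNER_HEADERS = [
    ("Host", "mail.example.com"),
    ("User-Agent", "Mozilla/5.0 (X11; Linux x86_64; SS) Chrome/118.0"),
    ("Accept", "*/*"),
    ("Accept-Language", "en"),
    ("Accept-Encoding", "gzip"),
    ("Connection", "close"),
]


def campaign_like() -> str:
    return ja4h("GET", "HTTP/1.1", SCANNER_HEADERS)


def rotated_ua() -> str:
    """Same header names, different User-Agent value: identical JA4H."""
    hdrs = [(n, "Mozilla/5.0 (X11; Fedora) Firefox/135.0" if n == "User-Agent" else v)
            for n, v in SCANNER_HEADERS]
    return ja4h("GET", "HTTP/1.1", hdrs)


if __name__ == "__main__":
    print(campaign_like())
    print(rotated_ua())
```

The practical takeaway is that a scanner's value randomization (User-Agent, fake distro names) is invisible to JA4H; to change the fingerprint the tool would have to change which headers it sends, or their order, which most bulk scanners never bother to do.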

Infrastructure Profile

The scanning originated from 14 IP addresses, all hosted on DigitalOcean (AS14061). The distribution of sessions across these IPs suggests a deliberate load-balancing approach:

IP Address Sessions
142.93.190.121 1,460
142.93.185.162 754
142.93.189.2 679
142.93.188.199 590
142.93.190.253 464
142.93.185.181 382
142.93.189.243 340
142.93.188.162 285

The remaining six IPs account for the balance, with session counts ranging from 197 down to 4. (NOTE: three IPs were first observed in GreyNoise on January 10th, continuing a trend we've been observing throughout the latter half of 2025.)

Three JA4T TCP fingerprints appear across the campaign, all consistent with Unix-like operating systems. The primary fingerprint (64240_2-4-8-1-3_1460_7) matches patterns commonly seen from WSL Ubuntu 22.04 environments. A secondary variant (65495_2-4-8-1-3_65495_7) suggests jumbo frame or custom MTU configurations—possibly indicating virtualized or cloud-native tooling.

Behavioral Indicators

As we continued to poke, the User-Agent strings proudly told their own story. The campaign rotates through fabricated browser identifiers, including references to Linux distributions that don't exist ("SS", "ZZ") alongside legitimate ones (Fedora, CentOS, Debian, Knoppix). Chrome version strings range from 118 to 135, Firefox from 120 to 135. This randomization is typical of automated scanning tools attempting to blend in (though the fabricated distro names undercut that effort). Note that it does nothing to the JA4H fingerprint, which hashes header names and their order rather than header values; that is why a single fingerprint survives thousands of rotated User-Agents.

Port coverage is predictably comprehensive: 80, 443, 8000, 8080, 8443, and 10443, so the campaign is checking wherever SmarterMail might be listening. (Please stop trying to “hide” things on high ports; it never works.)

The target distribution spans 55+ countries, with the United States receiving the most attention (768 sessions), followed by Spain, India, and Indonesia. This isn’t targeted reconnaissance against a specific organization—it’s internet-wide enumeration.

Timeline

The bulk of the activity occurred in a concentrated four-hour window on January 12, 2026:

Time (UTC) Sessions
15:00 2,071
16:00 2,020
17:00 1,283
18:00 167

Packets were still trickling in as we wrote this post.

What This Means

This is reconnaissance, not exploitation. We haven’t observed follow-on activity from these IPs targeting other SmarterMail endpoints or attempting file uploads. The campaign appears focused on answering a single question: which SmarterMail instances are out there, and what versions are they running?

That answer has value: once the threat actor compiles it, every discovered node becomes a target for exploitation, either by the same actor or by whoever buys the list. The 15-day gap between CVE publication and scanning activity is consistent with the time needed to analyze the software, develop tooling and provision infrastructure.

Detection and Response

GreyNoise is developing tags for both CVE-2025-52691 exploitation attempts and this reconnaissance pattern. In the meantime, defenders can use the following GNQL query to identify this activity in their GreyNoise data:

raw_data.http.path:"/api/v1/licensing/about"

Organizations running SmarterMail should verify they're on Build 9407 or later (the build number is the last component of the version string returned by /api/v1/licensing/about, 9483 in the example above). If patching isn't immediately possible, consider blocking or rate-limiting access to the /api/v1/licensing/about endpoint from untrusted sources, and treat that as a stopgap only: hiding the version keeps you off a target list built this way, but it does not close the file-upload path itself.
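For your own access logs rather than GreyNoise data, here is an added example (not GreyNoise's code) that runs the same hunt over constructed Combined Log Format lines: it counts hits on /api/v1/licensing/about per external source, records how many distinct User-Agent values each source rotated through, and flags any source that appears in the IoC list below. It assumes a CLF-style access log from SmarterMail or the reverse proxy in front of it (adapt the regex for IIS/W3C logs); the internal-prefix exclusion is an illustrative default.

```python
"""Hunt for SmarterMail version-enumeration hits in CLF access logs.

Added example, not GreyNoise's code.  Assumes Combined Log Format lines;
SAMPLE_LOG is constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable

TARGET_PATH = "/api/v1/licensing/about"

# Source IPs from the post's IoC section (AS14061, DigitalOcean).
KNOWN_SCANNER_IPS = {
    "142.93.190.121", "142.93.185.162", "142.93.189.2", "142.93.188.199",
    "142.93.190.253", "142.93.185.181", "142.93.189.243", "142.93.188.162",
    "142.93.185.97", "142.93.190.50", "142.93.188.235", "142.93.185.209",
    "142.93.189.95", "142.93.185.35",
}

CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse(line: str):
    """Return the CLF fields as a dict, or None for lines that do not match."""
    m = CLF.match(line)
    return m.groupdict() if m else None


def hunt(lines: Iterable[str], internal_prefixes=("10.", "192.168.")) -> Dict:
    """Aggregate requests for the version endpoint by external source IP.

    internal_prefixes is an illustrative default for skipping your own
    monitoring; tune it for your environment."""
    hits: Counter = Counter()
    uas = defaultdict(set)
    ioc_matches = set()
    for line in lines:
        r = parse(line)
        if not r or r["path"].split("?", 1)[0] != TARGET_PATH:
            continue
        if r["ip"].startswith(internal_prefixes):
            continue
        hits[r["ip"]] += 1
        uas[r["ip"]].add(r["ua"])
        if r["ip"] in KNOWN_SCANNER_IPS:
            ioc_matches.add(r["ip"])
    return {
        "hits": hits,
        "ua_variety": {ip: len(s) for ip, s in uas.items()},
        "ioc_matches": ioc_matches,
    }


# Constructed sample log: two rotated-UA hits from a listed scanner IP, one hit
# from an unlisted external host, one from internal monitoring, one unrelated request.
SAMPLE_LOG = """\
142.93.190.121 - - [12/Jan/2026:15:02:11 +0000] "GET /api/v1/licensing/about HTTP/1.1" 200 143 "-" "Mozilla/5.0 (X11; Linux x86_64; SS) Chrome/118.0"
142.93.190.121 - - [12/Jan/2026:15:02:12 +0000] "GET /api/v1/licensing/about HTTP/1.1" 200 143 "-" "Mozilla/5.0 (X11; Fedora) Firefox/135.0"
203.0.113.7 - - [12/Jan/2026:15:03:40 +0000] "GET /api/v1/licensing/about HTTP/1.1" 200 143 "-" "python-requests/2.31"
10.0.0.5 - - [12/Jan/2026:15:04:01 +0000] "GET /api/v1/licensing/about HTTP/1.1" 200 143 "-" "monitoring/1.0"
198.51.100.9 - - [12/Jan/2026:15:05:00 +0000] "GET / HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    result = hunt(SAMPLE_LOG.splitlines())
    for ip, n in result["hits"].most_common():
        tag = "IOC" if ip in result["ioc_matches"] else "   "
        print(f"{tag} {ip:<16} hits={n:<4} distinct_ua={result['ua_variety'][ip]}")
```

Any external source hitting this endpoint more than once, or with several distinct User-Agents, deserves a look even if it is not on the IoC list: the list is what GreyNoise has seen so far, and the infrastructure was provisioned days before use.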

Indicators of Compromise

JA4H Fingerprint:

ge11nn06en00_0e5d97bc8ad6_000000000000_000000000000

JA4T Fingerprints:

64240_2-4-8-1-3_1460_7
65495_2-4-8-1-3_65495_7
33280_2-4-8-1-3_65495_7

Source IPs (AS14061 - DigitalOcean) (so far):

142.93.190.121
142.93.185.162
142.93.189.2
142.93.188.199
142.93.190.253
142.93.185.181
142.93.189.243
142.93.188.162
142.93.185.97
142.93.190.50
142.93.188.235
142.93.185.209
142.93.189.95
142.93.185.35