6919 Exploit - Smartermail

[Attacker Node] ---> (TCP Packet to Port 17001) ---> [SmarterMail 6919 Server]
      |                                                        |
      | Sends Malicious .NET Serialized Object                 | Deserializes Data without Validation
      |                                                        |
      v                                                        v
Executes System Commands (e.g., Reverse Shell) <-------- Spawns Process as NT AUTHORITY\SYSTEM

Configure your network firewall or Windows Advanced Firewall to drop all external incoming traffic to TCP port 17001.

In this update, SmarterTools restricted port 17001 so that it is no longer accessible remotely by default.


A successful exploit against any of these vulnerabilities can lead to:

The root cause is a critical flaw in how SmarterMail handles serialized data. The mechanism: the application exposes .NET remoting endpoints (on TCP port 17001) that deserialize untrusted data.

| Action | Urgency | Description |
|--------|---------|-------------|
| Upgrade | Critical | Move from Build 6919 or any build < 6985 to a supported, patched build. The minimum safe build for the original deserialization vulnerability is Build 6985 (August 2019). |
| Block port 17001 | High | If upgrading is not immediately possible, block TCP port 17001 at the firewall for all external access. This is only a temporary measure; remote exploitation may still be possible via HTTP endpoints. |
| Disable .NET remoting endpoints | Medium | If the server cannot be upgraded, restrict the .NET remoting service to localhost only (127.0.0.1) to prevent remote attacks. |
| Check for compromise | Critical | Assume Build 6919 systems may already be compromised. Review logs for unexpected process executions, new ASPX files in web directories, and unusual outbound connections. |

The vulnerable application interprets this request, sees the IsSysAdmin flag, and resets the password for the admin user (or any specified administrator) without requiring the old password for verification.

SmarterMail is a Windows-based email server developed by SmarterTools, Inc. It provides a range of features, including email hosting, calendaring, and collaboration tools, and is widely used by businesses, organizations, and individuals to manage their email infrastructure.

Since the command runs as SYSTEM, the attacker gains complete control of the server, allowing them to create users, install web shells, or steal data.


Build 6919 was released in late 2022 as a "security-focused" build. Ironically, it contained the seeds of its own destruction.

The vulnerable service exposes three .NET remoting endpoints on port 17001: /Servers, /Mail, and /Spool.

In version 16.x and builds prior to 6985, SmarterMail exposes three .NET remoting endpoints on TCP port 17001. By default these endpoints, specifically the /Servers endpoint, are often exposed to the public at tcp://0.0.0.0:17001/Servers.