alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SmarterTools SmarterMail Arbitrary File Upload Attempt (CVE-2025-52691)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/upload"; http.content_type; content:"multipart/form-data|3b|"; startswith; http.request_body; content:"|7b 22|guid|22 3a 22|dag"; fast_pattern; pcre:"/^[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,labs.watchtowr.com/do-smart-people-ever-say-theyre-smart-smartertools-smartermail-pre-auth-rce-cve-2025-52691/; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-52691.yaml; reference:cve,2025-52691; classtype:attempted-admin; sid:2066715; rev:1; metadata:affected_product SmarterTools_SmarterMail, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_13, cve CVE_2025_52691, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2026_01_13;)