Rapid7 Vulnerability & Exploit Database

SmarterTools SmarterMail less than build 6985 - .NET Deserialization Remote Code Execution

Back to Search

SmarterTools SmarterMail less than build 6985 - .NET Deserialization Remote Code Execution



This module exploits a vulnerability in the SmarterTools SmarterMail software for version numbers <= 16.x or for build numbers < 6985. The vulnerable versions and builds expose three .NET remoting endpoints on port 17001, namely /Servers, /Mail and /Spool. For example, a typical installation of SmarterMail Build 6970 will have the /Servers endpoint exposed to the public at tcp://, where serialized .NET commands can be sent through a TCP socket connection. The three endpoints perform deserialization of untrusted data (CVE-2019-7214), allowing an attacker to send arbitrary commands to be deserialized and executed. This module exploits this vulnerability to perform .NET deserialization attacks, allowing remote code execution for any unauthenticated user under the context of the SYSTEM account. Successful exploitation results in full administrative control of the target server under the NT AUTHORITY\SYSTEM account. This vulnerability was patched in Build 6985, where the 17001 port is no longer publicly accessible, although it can be accessible locally at Hence, this would still allow for a privilege escalation vector if the server is compromised as a low-privileged user.


  • Soroush Dalili
  • 1F98D
  • Ismail E. Dawoodjee




cmd, x86, x64


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/http/smartermail_rce
msf exploit(smartermail_rce) > show targets
msf exploit(smartermail_rce) > set TARGET < target-id >
msf exploit(smartermail_rce) > show options
    ...show and set options...
msf exploit(smartermail_rce) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security