
Maximilian Wiegand

#27837 of 53,633
9.1 Total CVSS
Vulnerabilities · 1
PT-2026-35434
9.1
2026-04-27
Smartertools · Smartermail · CVE-2026-40514
**Name of the Vulnerable Software and Affected Versions**

SmarterTools SmarterMail versions prior to 9610

**Description**

A cryptographic weakness exists in the file and email sharing endpoints. These endpoints utilize DES-CBC encryption with keys and initialization vectors derived from `System.Random` seeded with insufficient entropy, which limits the seed space to roughly 19,000 possible values. An unauthenticated attacker can utilize the attachment download endpoint as an oracle to identify the active seed and derive the necessary encryption keys and initialization vectors. This allows the attacker to forge sharing tokens for arbitrary emails, attachments, or file storage contents without having prior access to the targeted data.

**Recommendations**

Update to build 9610 or later.