PT-2026-35434 · Smartertools · Smartermail

Author: Maximilian Wiegand
Published: 2026-04-27 · Updated: 2026-04-27
CVE-2026-40514
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: SmarterTools SmarterMail versions prior to 9610

Description: A cryptographic weakness exists in the file and email sharing endpoints. These endpoints use DES-CBC encryption with keys and initialization vectors derived from System.Random seeded with insufficient entropy, which limits the seed space to roughly 19,000 possible values. An unauthenticated attacker can use the attachment download endpoint as an oracle to identify the active seed and derive the corresponding encryption keys and initialization vectors. This allows the attacker to forge sharing tokens for arbitrary emails, attachments, or file storage contents without prior access to the targeted data.

Recommendations: Update to build 9610 or later.
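The weakness class described above, as an added illustration that is not SmarterMail's code and assumes nothing about its internals: keys and IVs drawn from a seeded System.Random are a deterministic function of the seed, so the effective key strength is the size of the seed space, not the cipher's nominal key length. The contrasting design below replaces the encrypted token with an HMAC-SHA256 tag under a server-side secret taken from the OS CSPRNG, with a constant-time comparison so the verification endpoint does not become an oracle. The class, method and resource names (ShareTokens, WeakDesMaterial, CreateShareToken, "attachment:12345") are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class ShareTokens
{
    // Effective entropy of key material derived from a PRNG whose seed is
    // drawn from `seedSpace` possible values: the key is no stronger than the seed.
    public static double SeedSpaceBits(long seedSpace) => Math.Log2(seedSpace);

    // WEAK pattern (constructed for contrast, not the vendor's code): key and
    // IV are a deterministic function of one int, so knowing the seed yields both.
    public static (byte[] Key, byte[] Iv) WeakDesMaterial(int seed)
    {
        var rng = new Random(seed);   // non-cryptographic, fully determined by seed
        var key = new byte[8];        // DES key size
        var iv = new byte[8];         // DES block size
        rng.NextBytes(key);
        rng.NextBytes(iv);
        return (key, iv);
    }

    // HARDENED: a long-lived secret from the OS CSPRNG, generated once and
    // kept server-side (hypothetical storage not shown).
    public static byte[] NewServerSecret() => RandomNumberGenerator.GetBytes(32);

    // A share token is the (resource id, expiry) payload plus an HMAC-SHA256 tag
    // under the server secret. No encryption is needed: the tag makes the token
    // unforgeable, and the resource id itself need not be confidential.
    public static string CreateShareToken(byte[] secret, string resourceId, DateTimeOffset expires)
    {
        string payload = $"{resourceId}|{expires.ToUnixTimeSeconds()}";
        byte[] tag = Tag(secret, payload);
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(payload)) + "." + Convert.ToBase64String(tag);
    }

    // Returns the resource id if the token is authentic and unexpired, otherwise null.
    public static string? VerifyShareToken(byte[] secret, string token, DateTimeOffset now)
    {
        int dot = token.LastIndexOf('.');
        if (dot <= 0) return null;
        string payload;
        byte[] presented;
        try
        {
            payload = Encoding.UTF8.GetString(Convert.FromBase64String(token[..dot]));
            presented = Convert.FromBase64String(token[(dot + 1)..]);
        }
        catch (FormatException) { return null; }

        byte[] expected = Tag(secret, payload);
        // Constant-time comparison: a short-circuiting compare would leak how many
        // leading tag bytes matched and turn this check into an oracle.
        if (!CryptographicOperations.FixedTimeEquals(expected, presented)) return null;

        int bar = payload.LastIndexOf('|');
        if (bar <= 0 || !long.TryParse(payload[(bar + 1)..], out long exp)) return null;
        if (now.ToUnixTimeSeconds() > exp) return null;   // expired tokens are rejected
        return payload[..bar];
    }

    private static byte[] Tag(byte[] secret, string payload)
    {
        using var h = new HMACSHA256(secret);
        return h.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    public static void Main()
    {
        // Roughly 19,000 seeds is about 14 bits of entropy, far below DES's 56-bit key.
        Console.WriteLine($"~19,000 seeds ≈ {SeedSpaceBits(19_000):F1} bits of key entropy");

        byte[] secret = NewServerSecret();
        var now = DateTimeOffset.UtcNow;
        string token = CreateShareToken(secret, "attachment:12345", now.AddHours(1));
        Console.WriteLine(VerifyShareToken(secret, token, now));               // attachment:12345
        Console.WriteLine(VerifyShareToken(secret, token + "x", now) is null);  // True: tampered tag rejected
        Console.WriteLine(VerifyShareToken(secret, token, now.AddHours(2)) is null); // True: expired
    }
}
```

Two design points carry the mitigation: key material must come from RandomNumberGenerator (or be derived from a secret that did), never from a seeded System.Random, and an integrity tag checked in constant time replaces unauthenticated DES-CBC, which has no way to detect a forged or modified token.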

Fix

Weakness Enumeration

Related Identifiers: CVE-2026-40514

Affected Products: Smartermail