Saved February 14, 2026
This article examines a critical pre-authentication remote code execution vulnerability in SmarterMail, assigned CVE-2025-52691. It discusses the timeline of the vulnerability's discovery and patch, along with technical details about how the flaw allows unauthenticated file uploads through an API endpoint.
In December 2025, a critical vulnerability was identified in SmarterTools' SmarterMail, assigned CVE-2025-52691. This pre-authentication remote code execution flaw received the maximum 10/10 severity rating. Notably, the vulnerability was reportedly patched in build 9413, released on October 10, 2025, almost three months before the public advisory from Singapore's Cyber Security Agency (CSA) appeared. This gap raises the question of whether customers were told in a timely manner about the risk the vulnerability posed.
The vulnerability centers on an unauthenticated file upload endpoint in the SmarterMail API. The patch added validation of a GUID parameter that governs the upload process; without that validation, an attacker could use the endpoint to upload malicious files. Code analysis shows that the contextData parameter, which carries the GUID, determines which type of file upload operation is executed. The added validation therefore blocks the unauthorized upload operations that the flaw would otherwise permit.
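To illustrate the class of defect described above, here is an added, hypothetical upload handler (not SmarterMail's code, and not from the original article): the vulnerable form reads the GUID out of contextData and never checks it, while the hardened form requires the GUID to be well-formed and to match a context the server itself issued to an authenticated session. The endpoint, field names and the issued-context table are constructed assumptions.

```python
import json
import uuid

# Constructed sample of upload contexts the server issued to authenticated
# sessions (hypothetical; a real server would hold these in session state).
ISSUED_CONTEXTS = {
    "6f1c2d3e-4a5b-4c6d-8e9f-0a1b2c3d4e5f": {"user": "alice", "op": "attachment"},
}
ALLOWED_OPS = {"attachment", "avatar"}


def parse_context(context_data):
    """Parse the JSON contextData field sent alongside the file; {} on failure."""
    try:
        data = json.loads(context_data)
    except (TypeError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}


def handle_upload_vulnerable(context_data, filename):
    """Before the fix: the GUID and operation come straight from the client
    and are never validated, so any unauthenticated caller can choose the
    upload operation and have the file stored."""
    ctx = parse_context(context_data)
    op = ctx.get("op", "attachment")
    guid = ctx.get("guid", "")
    return ("stored", op, guid, filename)


def handle_upload_fixed(context_data, filename):
    """After the fix: the GUID must be syntactically valid and must be one the
    server issued; the operation is taken from the server-side record."""
    ctx = parse_context(context_data)
    # 1. Syntactic check: reject anything that is not a well-formed GUID.
    try:
        canonical = str(uuid.UUID(str(ctx.get("guid"))))
    except ValueError:
        return ("rejected", "malformed guid")
    # 2. Semantic check: the GUID must map to a context this server issued.
    issued = ISSUED_CONTEXTS.get(canonical)
    if issued is None:
        return ("rejected", "unknown context")
    # 3. Never let the client pick the operation; use the issued record.
    op = issued["op"]
    if op not in ALLOWED_OPS:
        return ("rejected", "operation not allowed")
    return ("stored", op, canonical, filename)
```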
The article highlights the ongoing tension between security practices and disclosure timelines in the software industry. Despite SmarterTools' assurance of safety through "general security fixes," the delayed communication of this critical vulnerability underscores the need for transparency in vulnerability management. Attackers often adapt quickly to changes, making rapid disclosure essential for user protection. The analysis shows that even minor changes in code can have major security implications, illustrating the importance of thorough validation processes in API development.