Two critical vulnerabilities in SmarterTools’ SmarterMail email server are still being actively exploited in the wild, allowing attackers to take over servers with no authentication. Successful exploitation can lead to administrator account takeover, full system compromise, and remote command execution.
These flaws affect all SmarterMail versions prior to Build 9511 and represent a complete breakdown of security controls around administrative functions.
What Are the Vulnerabilities?
1. CVE-2026-23760 – Unauthenticated Admin Password Reset
This vulnerability exists in the password reset API endpoint:
/api/v1/auth/force-reset-password
What’s wrong:
- Accepts requests without authentication
- Requires no reset token or current password
- Allows attackers to specify any admin username and set a new password
Impact:
An attacker can instantly take over a SmarterMail administrator account — no credentials required.
2. CVE-2026-24423 – Direct Unauthenticated Remote Code Execution (RCE)
This flaw affects the ConnectToHub API method and is classified as CWE-306 (Missing Authentication for Critical Function).
How the attack works:
- An attacker sends an unauthenticated request to the ConnectToHub endpoint
- The SmarterMail server is instructed to connect to an attacker-controlled HTTP server
- A malicious payload containing OS commands is returned
- SmarterMail executes the payload with SYSTEM/root-level privileges
Impact:
Immediate, full system compromise — no login or account takeover required.
Active Exploitation Confirmed
Security researchers have observed widespread, real-world attacks:
- Rapid weaponization: Exploits appeared within 48 hours of the patch release
- Mass scanning: Automated scans targeting 6,000+ exposed SmarterMail servers
- CISA action: Both CVEs added to the Known Exploited Vulnerabilities (KEV) catalog, with U.S. federal agencies required to remediate by February 16, 2026
Why This Is Especially Dangerous
For SmarterMail users, these vulnerabilities create a worst-case scenario:
- Zero-interaction takeover — no credentials needed
- Full data exposure — complete access to mailboxes, PII, and confidential communications
- Persistence & lateral movement — attackers installing backdoors and pivoting deeper into networks
An attacker can either reset your admin password or execute system commands directly.
Urgent Actions Required
1. Patch Immediately
- Upgrade to Build 9511 or later
- Build 9518 is currently recommended, as it also fixes an NTLM relay issue (CVE-2026-25067)
2. Assume Credential Compromise
After patching:
- Reset all system administrator passwords
- Invalidate all sessions and API tokens
3. Hunt for Indicators of Compromise
Review logs for:
- Calls to /api/v1/auth/force-reset-password, especially successful ones from source addresses you do not recognize
- External requests to the ConnectToHub endpoint
- Unexpected outbound HTTP connections from the mail server (the RCE path requires the server to fetch its payload from an attacker-controlled host)
- New system events or unexplained “Volume Mounts” in the admin UI
Bottom Line
CVE-2026-23760 and CVE-2026-24423 are among the most severe vulnerabilities seen in 2026. Their ease of exploitation and lack of authentication make them especially dangerous for any organization running SmarterMail.
If you operate SmarterMail and have not yet patched, your server should be considered at high risk of compromise.