Critical SmarterMail Authentication Bypass Under Active Exploitation
Take action: If you run SmarterMail, treat this as urgent. Patch first: the flaw is being exploited in the wild. If you cannot patch immediately, block external access to the password reset (force-reset-password) API until you can. That also stops legitimate users from resetting forgotten passwords, so it is a stopgap only, not a fix.
Learn More
SmarterTools has released an emergency SmarterMail build that fixes a critical flaw allowing attackers to take over the system administrator account without knowing its password. Because SmarterMail handles email and calendars for many businesses, it is a high-value target for attackers after corporate data.
The flaw is tracked as CVE-2026-0647 (also WT-2026-0001) and rated CVSS 9.8: a critical authentication bypass in the password reset API that allows full account takeover and, from there, remote code execution. The force-reset-password API is reachable without authentication so that users can reset forgotten passwords. The vulnerable code, however, trusts a client-supplied flag named IsSysAdmin. An attacker who sends a crafted reset request with that flag set to true is allowed to choose a new password for the system administrator account.
With the administrator password reset, the attacker logs in and abuses the Volume Mounts feature, which lets them execute arbitrary commands on the server as SYSTEM, giving them full control of the underlying operating system.
SmarterTools fixed the issue in Build 9511, released on January 15, 2026; in-the-wild exploitation began just two days later. The update adds a mandatory verification of the current password before any reset is processed, so the client-supplied IsSysAdmin flag can no longer grant a reset on its own. Administrators should install the update immediately. Since the flaw was exploited before many systems were patched, they should also check for unexpected changes to the administrator password and for unfamiliar Volume Mounts configuration.
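To make the bypass concrete, here is an added illustration, not SmarterMail's code, that models the pre-patch and post-patch reset logic as the advisory describes it: the vulnerable handler trusts a client-supplied IsSysAdmin flag, the hardened handler ignores that flag and requires the account's current password. The in-memory account store, the request field names other than IsSysAdmin, and the function names are assumptions made for the example.

```python
"""Vulnerable vs. hardened model of a force-reset-password handler.

Constructed example: the UserStore, the request fields Username,
CurrentPassword and NewPassword, and the handler names are assumptions.
Only the IsSysAdmin flag and the password-verification fix come from the
advisory; nothing here is SmarterMail's own code.
"""
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the real product uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    """Toy account directory: username -> salt, hash, sysadmin flag."""

    def __init__(self):
        self._users = {}

    def add(self, username: str, password: str, is_sysadmin: bool = False):
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "hash": _hash_password(password, salt),
            "is_sysadmin": is_sysadmin,
        }

    def verify(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            return False
        return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))

    def set_password(self, username: str, new_password: str):
        salt = os.urandom(16)
        self._users[username]["salt"] = salt
        self._users[username]["hash"] = _hash_password(new_password, salt)


def vulnerable_force_reset(store: UserStore, request: dict) -> bool:
    """Pre-patch behaviour as described: the IsSysAdmin flag is read from the
    request body and trusted, so no proof of identity is ever demanded."""
    if request.get("IsSysAdmin") is True:
        # Anyone who sets the flag picks the admin account's new password.
        store.set_password(request["Username"], request["NewPassword"])
        return True
    return False  # non-admin branch omitted; it is not part of the bypass


def hardened_force_reset(store: UserStore, request: dict) -> bool:
    """Post-patch behaviour: the caller must present the account's current
    password before any reset is processed. Whatever the client sends in
    IsSysAdmin is ignored; privilege is never derived from the request."""
    username = request.get("Username", "")
    if not store.verify(username, request.get("CurrentPassword", "")):
        return False
    store.set_password(username, request["NewPassword"])
    return True


def run_demo() -> dict:
    """Replay one constructed attacker request against both handlers."""
    # Constructed attacker request: no current password, flag set to true.
    attack = {"Username": "admin", "NewPassword": "attacker-chosen", "IsSysAdmin": True}
    results = {}

    store = UserStore()
    store.add("admin", "original-secret", is_sysadmin=True)
    results["vulnerable_bypass"] = vulnerable_force_reset(store, dict(attack))
    results["vulnerable_attacker_login"] = store.verify("admin", "attacker-chosen")

    store = UserStore()
    store.add("admin", "original-secret", is_sysadmin=True)
    results["hardened_bypass"] = hardened_force_reset(store, dict(attack))
    results["hardened_original_intact"] = store.verify("admin", "original-secret")

    # A legitimate reset still works once the current password is supplied.
    legit = {"Username": "admin", "CurrentPassword": "original-secret", "NewPassword": "rotated"}
    results["hardened_legit"] = hardened_force_reset(store, legit)
    results["hardened_rotated_login"] = store.verify("admin", "rotated")
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point of the hardened handler is not the password hashing but where authority comes from: the server checks a secret only the account owner knows, and nothing the client asserts about its own privilege level is consulted. Any endpoint that lets the request body decide whether the caller is an administrator has the same class of bug, whatever the field is named.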