
SmarterTools Patches Critical Unauthenticated RCE and Active Exploits in SmarterMail

Take action: If you are using SmarterMail, this is urgent. Exposed servers are being actively exploited. Update SmarterMail to Build 9511 or later. Isolating the server is not really an option, since a mail server's purpose is to be exposed to the internet.


SmarterTools released security updates for its SmarterMail software to patch multiple vulnerabilities, including two critical flaws that could allow attackers to execute malicious code and completely compromise affected systems. One of the flaws is actively exploited.

  • CVE-2026-24423 (CVSS score 9.3), an unauthenticated remote code execution flaw in the ConnectToHub API method. It allows attackers to point the SmarterMail server to a malicious HTTP server that serves operating system commands, which the vulnerable application then executes without any authentication.
  • CVE-2026-23760 (CVSS score 9.3), an actively exploited authentication bypass in the password reset API: the force-reset-password endpoint permits anonymous requests and fails to verify the existing password or reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. Since SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, this effectively provides administrative access (SYSTEM or root) on the underlying host. Researchers at cybersecurity firm watchTowr released a proof-of-concept exploit that requires only the admin username, making exploitation trivially easy for attackers.
  • CVE-2026-25067 (CVSS score 6.9), a path coercion flaw that enables NTLM relay attacks and credential theft. It is caused by the background-of-the-day preview feature: the software decodes base64 strings into file paths without validating them, which lets attackers supply UNC paths that force the server to start outbound SMB authentication attempts to a machine they control. This can lead to unauthorized network access.
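The path coercion flaw is a good illustration of why a base64-decoded string must never be handed straight to a file API. The following is an added example written for this article; it is not SmarterMail's code and does not reproduce the vendor's fix. It contrasts the unchecked pattern the advisory describes with a hardened version that rejects UNC and absolute paths, null bytes and traversal segments, and confines the result to a fixed backgrounds folder. The folder name `BASE_DIR` and the function names are assumptions; the paths in the demo are constructed.

```python
import base64
from pathlib import PureWindowsPath

# Hypothetical folder that background images are served from (assumption, not a SmarterMail path).
BASE_DIR = r"C:\SmarterMail\Backgrounds"


def decode_path_unchecked(b64: str) -> str:
    """The unsafe pattern: trust whatever the decoded string says and use it as a file path.
    A UNC value such as \\\\host\\share\\x would make a Windows file API reach out over SMB."""
    return base64.b64decode(b64).decode("utf-8")


def is_unc_or_absolute(path: str) -> bool:
    """True for UNC (\\\\host\\share or //host/share), drive-letter, or rooted paths."""
    if path.startswith(("\\\\", "//", "\\", "/")):
        return True
    win = PureWindowsPath(path)
    # PureWindowsPath is used so the check behaves the same on any OS the script runs on.
    return win.is_absolute() or win.drive != ""


def check_background_path(b64: str, base_dir: str = BASE_DIR) -> tuple[bool, str]:
    """Hardened decode: returns (accepted, resolved_path_or_rejection_reason).

    Only a relative file name that stays under base_dir is accepted; anything that could
    redirect the file open to another host or directory is rejected before any I/O happens.
    """
    try:
        raw = base64.b64decode(b64, validate=True)  # reject characters outside the alphabet
        path = raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False, "not valid base64/utf-8"
    if "\x00" in path:
        return False, "null byte in path"
    if is_unc_or_absolute(path):
        return False, "UNC or absolute path rejected"
    rel = PureWindowsPath(path)
    if any(part in ("..", ".") for part in rel.parts) or not rel.parts:
        return False, "traversal or empty path rejected"
    return True, str(PureWindowsPath(base_dir) / rel)


def encode(path: str) -> str:
    """Helper for the demo: base64-encode a path the way a client would submit it."""
    return base64.b64encode(path.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    # Constructed inputs: one benign relative name, one UNC path pointing at an outside host.
    for sample in (r"spring\bg.jpg", r"\\attacker.example\share\bg.jpg", "../../web.config"):
        b64 = encode(sample)
        print(f"unchecked -> {decode_path_unchecked(b64)!r}")
        print(f"checked   -> {check_background_path(b64)}")
```

The unchecked function returns the UNC path verbatim, which is exactly the value that would trigger an outbound SMB authentication if passed to a file open; the checked function refuses it before any filesystem call is made, and the only accepted output is a path rooted in `BASE_DIR`.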

Shadowserver is reporting that over 6,000 SmarterMail servers are exposed on the internet and likely vulnerable to attacks exploiting CVE-2026-23760. Shadowserver's assessment is based on version checks of publicly accessible servers, and researchers have already observed active exploitation attempts in the wild.

Organizations using SmarterMail should immediately upgrade to Build 9511 or later to protect against all of these vulnerabilities, especially the critical, actively exploited flaws.

Organizations that cannot immediately upgrade should implement network-level controls to restrict access to their SmarterMail instances and closely monitor for suspicious activity. Upgrading remains the only real solution.
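For the "closely monitor for suspicious activity" step, the following is an added example (not vendor code or part of the advisory) of a small triage script a responder could run over the web server's access log. It flags requests that reference the two endpoint names the advisory mentions, force-reset-password and ConnectToHub, and rates them higher when the source address is outside the networks administrators are expected to use. The full URL paths in the sample log lines are assumptions, since the advisory gives only the endpoint names; the log lines themselves are constructed. It also checks a reported build number against the patched build named in the advisory.

```python
import ipaddress
import re

# Minimum patched build, from the advisory.
MIN_PATCHED_BUILD = 9511

# Endpoint names come from the advisory; the surrounding URL paths in the sample log are assumptions.
SUSPICIOUS_PATTERNS = {
    "CVE-2026-23760 anonymous admin password reset": re.compile(r"force-reset-password", re.I),
    "CVE-2026-24423 ConnectToHub command fetch": re.compile(r"ConnectToHub", re.I),
}

# Common/combined-log-style line: client ip, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic, not real log data.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Feb/2026:09:14:02 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 312
10.0.0.5 - - [12/Feb/2026:09:15:11 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 312
198.51.100.7 - - [12/Feb/2026:09:16:45 +0000] "POST /api/v1/settings/ConnectToHub HTTP/1.1" 200 88
10.0.0.5 - - [12/Feb/2026:09:17:00 +0000] "GET /interface/root HTTP/1.1" 200 5120
"""


def is_patched_build(build: int) -> bool:
    """True when the installed build is at or above the build that fixes these CVEs."""
    return build >= MIN_PATCHED_BUILD


def triage_log(lines, trusted_networks):
    """Return one alert dict per request that touches a named endpoint.

    Requests from outside trusted_networks are 'high'; those from inside are 'review',
    because a legitimate admin may use the reset function but the request should still
    be reconciled against a known change. The HTTP status is kept so responders can see
    whether the request was answered successfully.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a production script would count these separately
        ip = ipaddress.ip_address(m["ip"])
        trusted = any(ip in net for net in nets)
        for label, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(m["path"]):
                alerts.append({
                    "label": label,
                    "ip": str(ip),
                    "time": m["ts"],
                    "method": m["method"],
                    "path": m["path"],
                    "status": int(m["status"]),
                    "severity": "high" if not trusted else "review",
                })
    return alerts


if __name__ == "__main__":
    # Assumed admin network for the demo; replace with the ranges your administrators use.
    for alert in triage_log(SAMPLE_LOG.splitlines(), ["10.0.0.0/8"]):
        print(f"[{alert['severity']:6}] {alert['time']} {alert['ip']} {alert['method']} "
              f"{alert['path']} -> {alert['status']}  ({alert['label']})")
    print("build 9511 patched:", is_patched_build(9511))
```

A successful anonymous request to the reset endpoint from an untrusted address is the signal to treat the instance as compromised rather than merely exposed: rotate administrator credentials after upgrading, and review what the admin account did afterwards, since the advisory notes that admin rights translate into OS command execution.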
