* Last update: 27/01/2026
* Affected software: SmarterTools SmarterMail versions prior to build 9511
* Type:
  * CWE-306: Missing Authentication for Critical Function
  * CWE-288: Authentication Bypass Using an Alternate Path or Channel
* CVE/CVSS:
  * CVE-2026-24423: CVSS 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
  * CVE-2026-23760: CVSS 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
SmarterTools: https://www.smartertools.com/smartermail/release-notes/current
VulnCheck 1: https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-rce-via-connecttohub-api
VulnCheck 2: https://www.vulncheck.com/advisories/smartertools-smartermail-authentication-bypass-via-password-reset-api
SmarterTools SmarterMail is a cross-platform email and collaboration server. Around January 23rd 2026, two critical vulnerabilities affecting SmarterMail were published: CVE-2026-24423 and CVE-2026-23760.
Exploitation requires no user interaction or privileges and can be conducted over the network.
The latter has been actively exploited in the wild, as the available evidence and several public proof-of-concepts suggest. It is unclear whether the former has been actively exploited, as no public proof of concept is available.
Both vulnerabilities, if exploited, can have a high impact on all three aspects of the CIA triad (Confidentiality, Integrity, Availability).
CVE-2026-24423: A remote, unauthenticated attacker without privileges can exploit this vulnerability in the ConnectToHub API method to point the SmarterMail instance at a malicious HTTP server.
Through that server, the attacker can force the application to execute malicious OS commands. In that way, the attacker can exfiltrate data, compromise the entire system, move laterally within the network and cause service disruption.
CVE-2026-23760: A remote, unauthenticated attacker without privileges can exploit this vulnerability in the password reset API to fully compromise the SmarterMail instance as an admin.
This can happen because the force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts.
That way, an attacker can simply reset any admin account's password and gain its privileges.
Using those privileges, they can execute operating system commands via built-in management functionality and obtain SYSTEM or root access on the underlying host.
CVE-2026-23760 was added to the CISA KEV (Known Exploited Vulnerabilities) catalog on January 26th 2026.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate a historic compromise.
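Added detection example, not part of the advisory and not SmarterTools code: it scans constructed reverse-proxy access-log lines for requests whose path contains the two endpoint names the advisory cites (the force-reset-password endpoint and the ConnectToHub API method) and flags those coming from outside a trusted range, which is useful for the historic-compromise check above. The log format, the full API paths and the trusted network range are assumptions; only the two endpoint names come from the advisory.

```python
import ipaddress
import re

# Substrings taken from the advisory's description of the two endpoints.
# The full SmarterMail API paths are not on the advisory page; case-insensitive
# substring matching is an assumption so the rule does not depend on the exact route.
SUSPECT_ENDPOINTS = {
    "force-reset-password": "CVE-2026-23760 (admin password reset without token)",
    "connecttohub": "CVE-2026-24423 (ConnectToHub pointed at external server)",
}

# Constructed sample log lines (assumed reverse-proxy format, not real SmarterMail logs):
# "<ISO timestamp> <client ip> <method> <path> <status>"
SAMPLE_LOG = """\
2026-01-22T03:14:07Z 203.0.113.45 POST /api/v1/auth/force-reset-password 200
2026-01-22T03:14:09Z 203.0.113.45 POST /api/v1/settings/sysadmin/ConnectToHub 200
2026-01-22T09:00:01Z 10.0.0.12 GET /interface/root 200
2026-01-22T09:05:44Z 10.0.0.12 POST /api/v1/auth/force-reset-password 401
2026-01-23T11:20:30Z 198.51.100.7 POST /API/V1/AUTH/FORCE-RESET-PASSWORD 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, status = m.groups()
    return {"ts": ts, "ip": ip, "method": method, "path": path, "status": int(status)}


def find_suspicious(log_text, trusted_nets=("10.0.0.0/8",)):
    """Return one alert per request to either endpoint from outside the trusted ranges.

    A 2xx response on the reset endpoint from an untrusted address is the strongest
    signal, since vulnerable builds accept anonymous reset requests for admin accounts.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path_l = rec["path"].lower()
        for needle, why in SUSPECT_ENDPOINTS.items():
            if needle in path_l and not any(ipaddress.ip_address(rec["ip"]) in n for n in nets):
                alerts.append({**rec, "reason": why, "succeeded": 200 <= rec["status"] < 300})
    return alerts
```

Run it over logs reaching back before the patch date; successful hits from untrusted sources warrant an incident investigation rather than patching alone.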
NVD 1: https://nvd.nist.gov/vuln/detail/CVE-2026-24423
NVD 2: https://nvd.nist.gov/vuln/detail/CVE-2026-23760