
These flaws expose email infrastructure to complete server compromise, threatening data confidentiality and business continuity, while regulatory pressure accelerates patch adoption across affected organizations.
SmarterMail, a widely deployed email and collaboration platform, has become a focal point for attackers after researchers uncovered two high-severity vulnerabilities. The first, CVE-2026-24423, lies in the ConnectToHub API: a malicious HTTP server can return OS commands that the application executes without validation. The second, CVE-2026-23760, targets the password-reset flow, where an unauthenticated request can overwrite the administrator's credentials, effectively handing over full control of the mail server. Both bugs carry a CVSS rating of 9.3, underscoring the potential for rapid, uncontrolled compromise.
The technical community quickly validated the risks. WatchTowr and VulnCheck released proof-of-concept exploits that demonstrated how a remote actor could hijack an account with just the admin username, while the ConnectToHub flaw required only a crafted URL pointing to a malicious server. Shadowserver's scanning identified more than 6,000 instances running vulnerable versions, and telemetry confirmed active exploitation attempts. Such exposure is especially concerning for enterprises that rely on SmarterMail for internal communications, as a breached mail server can serve as a pivot point for broader network infiltration and data exfiltration.
In response, SmarterTools issued an emergency patch in build 9511 on January 15, 2026, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) listed CVE-2026-23760 in its Known Exploited Vulnerabilities catalog, imposing a February 16 deadline for federal agencies. Organizations should prioritize updating to the patched build, verify that no unauthorized admin accounts exist, and conduct thorough post-patch scanning. Continuous monitoring, timely patch management, and adherence to CISA guidelines will be essential to mitigate the lingering risk from these critical flaws.