SmarterTools has released urgent security updates for its SmarterMail email server software, fixing multiple serious vulnerabilities, including a critical unauthenticated remote code execution (RCE) flaw that could allow attackers to take full control of affected servers. The most severe issue, tracked as CVE-2026-24423, carries a CVSS score of 9.3, highlighting its high risk and potential impact.
SmarterMail is widely used by organizations as an on-premises email and collaboration platform. Because email servers often have direct internet exposure and access to sensitive data, vulnerabilities in such systems are highly attractive to cybercriminals. The newly disclosed flaws further reinforce the importance of timely patching and proactive security management.
According to the official CVE description, SmarterMail versions prior to Build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method.
This flaw allows an attacker to interact with the SmarterMail server without any authentication. By pointing the vulnerable server to a malicious HTTP server, an attacker can deliver a harmful operating system command. The SmarterMail application then executes this command directly on the server.
In simple terms, this means:
No login is required
The attacker can remotely run system commands
Full server compromise is possible
Such a vulnerability could enable attackers to:
Install malware or backdoors
Steal or manipulate email data
Move laterally inside the network
Use the server for further attacks, such as spam campaigns or ransomware distribution
Given the severity and ease of exploitation, this vulnerability represents a critical risk for organizations running unpatched SmarterMail servers.
The vulnerability was responsibly disclosed by several well-known security researchers and teams, including:
Sina Kheirkhah and Piotr Bazydlo from watchTowr
Markus Wulftange of CODE WHITE GmbH
Cale Black from VulnCheck
Their coordinated disclosure helped SmarterTools identify and fix the issue before wider exploitation could occur.
SmarterTools addressed CVE-2026-24423 in SmarterMail Build 9511, which was released on January 15, 2026. This update closes the vulnerable API behavior and prevents attackers from executing arbitrary commands via the ConnectToHub method.
However, this is not the only serious issue fixed in the same release.
Alongside CVE-2026-24423, SmarterTools also patched another critical vulnerability, tracked as CVE-2026-23760, which also carries a CVSS score of 9.3.
More concerning is the fact that CVE-2026-23760 has already been observed under active exploitation in the wild. This significantly raises the urgency for administrators, as attackers are actively targeting unpatched SmarterMail systems.
When vulnerabilities move from disclosure to real-world exploitation, the window for safe patching becomes extremely small.
In addition to the critical RCE flaws, SmarterTools also fixed a medium-severity security issue, tracked as CVE-2026-25067, with a CVSS score of 6.9.
This vulnerability involves unauthenticated path coercion affecting the background-of-the-day preview endpoint in SmarterMail.
According to VulnCheck, the issue occurs because:
The application base64-decodes attacker-controlled input
The decoded input is used as a filesystem path without proper validation
On Windows systems, this behavior allows attackers to supply UNC (Universal Naming Convention) paths. As a result, the SmarterMail service may attempt to authenticate to an attacker-controlled SMB server.
This can lead to:
Credential coercion
NTLM relay attacks
Unauthorized network authentication
While this flaw is rated lower than the RCE vulnerabilities, it can still be dangerous, especially in corporate Windows environments where NTLM authentication is widely used.
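The defect class described above, a base64-decoded request parameter used directly as a filesystem path, is easy to show next to its hardened form. The following Python is an added example written for this article; it is not SmarterMail's code and it does not reproduce the real endpoint. The preview root directory, the allowed extensions and the helper names are assumptions chosen for illustration.

```python
"""Added example: unsafe versus safe handling of a base64-encoded path parameter.

Not SmarterMail's code. PREVIEW_ROOT, ALLOWED_EXT and the function names are
assumptions made for this illustration.
"""
import base64
import binascii
import posixpath
import re

# Assumed directory the preview endpoint is allowed to read from (placeholder).
PREVIEW_ROOT = "/var/app/backgrounds"
ALLOWED_EXT = (".jpg", ".jpeg", ".png")
# A plain file name: starts alphanumeric, then letters, digits, dot, dash, underscore.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def encode_param(name: str) -> str:
    """Encode a path the way the request parameter would carry it (test helper)."""
    return base64.b64encode(name.encode("utf-8")).decode("ascii")


def vulnerable_resolve(encoded: str) -> str:
    """The pattern the article describes: decode and use the result as a path.

    A UNC path such as \\\\host\\share\\file comes out unchanged, so opening it on
    Windows makes the service authenticate to that host over SMB.
    """
    return base64.b64decode(encoded).decode("utf-8", errors="replace")


def safe_resolve(encoded: str, root: str = PREVIEW_ROOT):
    """Return an absolute path under ``root``, or None if the input is rejected."""
    # Strict decoding: non-alphabet characters or bad padding are an error.
    try:
        name = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Accept only a bare file name. Rejecting both separator styles covers UNC
    # prefixes (\\host\share) and traversal; rejecting ':' covers drive letters
    # and NTFS alternate data streams; NUL bytes must never reach a path API.
    if "\x00" in name or "/" in name or "\\" in name or ":" in name:
        return None
    if not SAFE_NAME.fullmatch(name):
        return None
    if not name.lower().endswith(ALLOWED_EXT):
        return None
    # Join under the fixed root and confirm the normalised result stayed there.
    candidate = posixpath.normpath(posixpath.join(root, name))
    if posixpath.dirname(candidate) != posixpath.normpath(root):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs: one legitimate name and one UNC path.
    for raw in ("sunset.jpg", "\\\\files.example.test\\share\\x.jpg"):
        enc = encode_param(raw)
        print(f"{raw!r:45} unsafe -> {vulnerable_resolve(enc)!r}")
        print(f"{'':45} safe   -> {safe_resolve(enc)!r}")
```

The important design choice is to allowlist a file name rather than to blocklist prefixes: once separators, drive letters and NUL bytes are refused and the extension is fixed, the decoded value can only ever name a file directly under the configured root, and the final `dirname` check guards against any normalisation surprise.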
The NTLM relay vulnerability CVE-2026-25067 has been fixed in SmarterMail Build 9518, released on January 22, 2026. Administrators are strongly advised to upgrade to this version or later to fully protect their systems.
With multiple SmarterMail vulnerabilities disclosed within a short time frame, and at least two of them already seeing active exploitation, delaying updates can expose organizations to serious cyber risks.
Unpatched email servers are prime targets for:
Ransomware operators
Credential-stealing campaigns
Espionage and data theft
Botnet recruitment
Because SmarterMail often runs with elevated privileges and handles sensitive communications, a successful attack could have far-reaching business and compliance consequences.
To reduce risk and protect your environment, SmarterTools users should take the following steps immediately:
Upgrade SmarterMail to the latest available build (Build 9518 or newer)
Restrict external access to management and API endpoints where possible
Monitor server logs for suspicious outbound connections or command execution
Review NTLM usage and consider hardening or disabling it if not required
Apply network segmentation to limit potential lateral movement
The discovery of CVE-2026-24423, along with other critical and medium-severity flaws, highlights ongoing security challenges in widely used email server software. SmarterTools has acted quickly to release patches, but the responsibility now lies with administrators to deploy them without delay.
Organizations running SmarterMail should treat these updates as urgent. In today’s threat landscape, even a short delay in patching can be enough for attackers to gain a foothold and cause serious damage.