SmarterTools Patches Critical SmarterMail Flaw Allowing Code Execution
Summary:
SmarterTools has released urgent security updates to address two critical vulnerabilities in its SmarterMail email server software, tracked as CVE-2026-24423 and CVE-2026-23760.
CVE-2026-24423 is an unauthenticated remote code execution (RCE) flaw residing in the ConnectToHub API method, which allows an attacker to redirect the application to a malicious HTTP server that delivers OS commands for execution.
CVE-2026-23760 is a high-severity authentication bypass vulnerability in the password reset API. This flaw allows an unauthenticated attacker to reset the password of any system administrator account simply by providing a username, as the software fails to verify existing credentials or reset tokens.
Security Officer Comments:
The impact of these vulnerabilities is categorized as critical, with CVSS scores reaching 9.3. Successful exploitation of the password reset flaw (CVE-2026-23760) grants an attacker full administrative control over the SmarterMail instance, leading to total data compromise, unauthorized access to sensitive communications, and the ability to leverage the server for further network attacks.
Security researchers have already observed active exploitation of this flaw in the wild, and scanning data suggests that over 6,000 SmarterMail servers remain exposed and vulnerable. Because these vulnerabilities do not require prior authentication, any internet-facing server running an outdated version is at immediate risk of complete takeover and arbitrary code execution.
MSP Impact:
If an MSP hosts dozens or hundreds of clients on a single SmarterMail instance, a single exploit compromises the privacy and data of all those clients simultaneously. Since SmarterMail is often white-labeled or sold as a managed service, clients hold the MSP directly responsible for the integrity of their communications. Shadowserver has reported that these flaws are being actively exploited in the wild, and over 6,000 servers are currently exposed. MSPs are "juicy" targets because one successful breach yields multiple victims.
CISA KEV Listing: CISA has added these to its Known Exploited Vulnerabilities catalog. This increases the legal and compliance pressure on MSPs, especially those serving government contractors or regulated industries.
Suggested Corrections:
The primary mitigation for these vulnerabilities is to update SmarterMail to Build 9511 or later immediately. SmarterTools released this patch to close the loopholes in the ConnectToHub API and the password reset endpoint.
Due to the active exploitation of CVE-2026-23760, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies apply the patches by February 16, 2026. Administrators are also advised to review system logs for unauthorized password resets on administrator accounts and to ensure that management interfaces are not unnecessarily exposed to the public internet.
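To make the root cause described above concrete (a reset endpoint that accepts a username and nothing else) next to the check a hardened endpoint must perform, here is an added Python illustration; it is not SmarterTools' code, and the ACCOUNTS/RESET_TOKENS stores and function names are hypothetical stand-ins.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for the mail server's account and
# token tables; names and layout are hypothetical, not SmarterMail's schema.
ACCOUNTS = {"sysadmin": {"salt": b"", "pw_hash": b"", "is_system_admin": True}}
RESET_TOKENS = {}  # sha256(token) -> {"user": ..., "expires": unix time}


def _store_password(username, new_password):
    """Salted PBKDF2 so a leaked table does not yield plaintext passwords."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    ACCOUNTS[username].update(salt=salt, pw_hash=pw_hash)


def vulnerable_reset(username, new_password):
    """The pattern the advisory describes: any caller who knows a username
    can set that account's password, with no credential or token check."""
    if username not in ACCOUNTS:
        return False
    _store_password(username, new_password)
    return True


def issue_reset_token(username, ttl_seconds=900):
    """Mint a single-use token; only its hash is stored server-side. A real
    system delivers the token out of band (e.g. to the account's recovery
    address) and never returns it to an unauthenticated API caller."""
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = {"user": username, "expires": time.time() + ttl_seconds}
    return token


def hardened_reset(username, token, new_password, now=None):
    """Reset only when an unexpired, unused token bound to this username is
    presented; the token is consumed whether or not the check passes."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)  # single use: removed on first sight
    if entry is None or username not in ACCOUNTS:
        return False
    if now > entry["expires"]:
        return False
    if not hmac.compare_digest(entry["user"].encode(), username.encode()):
        return False
    _store_password(username, new_password)
    return True
```

Reviewing for the resets L14 recommends means looking for administrator password changes with no matching token issuance or authenticated session, which is exactly the gap the vulnerable function leaves open.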
Link(s):
https://nvd.nist.gov/vuln/detail/CVE-2026-23760
POC: https://labs.watchtowr.com/attacker...rmail-wt-2026-0001-auth-bypass/#:~:text=Proof of Concept