Source: The Hacker News
SmarterTools has released urgent security updates for its SmarterMail email server software, addressing multiple critical vulnerabilities, including an unauthenticated remote code execution (RCE) flaw with a CVSS score of 9.3.
Critical RCE Vulnerability (CVE-2026-24423)
The most severe vulnerability, tracked as CVE-2026-24423, allows attackers to achieve remote code execution without authentication through the ConnectToHub API method. According to the CVE description:
“The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application.”
The vulnerability was discovered and reported by researchers from watchTowr, CODE WHITE GmbH, and VulnCheck.
Additional Vulnerabilities Patched
SmarterTools also addressed:
- CVE-2026-23760 (CVSS 9.3) – Another critical flaw that is already under active exploitation in the wild
- CVE-2026-25067 (CVSS 6.9) – A medium-severity vulnerability enabling NTLM relay attacks and unauthorized network authentication through unauthenticated path coercion
Urgent Action Required
Organizations running SmarterMail should immediately update to:
- Build 9511 (January 15, 2026) – Patches CVE-2026-24423 and CVE-2026-23760
- Build 9518 (January 22, 2026) – Patches CVE-2026-25067
With two vulnerabilities already under active exploitation, administrators should prioritize this update to prevent potential compromise of email infrastructure.
Why This Matters
Email servers are high-value targets for attackers because they hold sensitive communications and can serve as pivot points for further network compromise. Unauthenticated RCE vulnerabilities are particularly dangerous because they require no prior access or credentials to exploit.
