SmarterMail RCE Vulnerability – 6,000+ Servers Exposed

A critical remote code execution (RCE) vulnerability in SmarterTools SmarterMail is being actively exploited, with over 6,000 servers exposed online. This flaw poses a severe risk to organizations relying on SmarterMail for enterprise email operations.

Vulnerability Overview

  • CVE ID: CVE-2026-23760
  • Severity: CVSS 9.3 (Critical)
  • Affected versions: All builds prior to 9511 (patched Jan 15, 2026).
  • Component: Password reset API (/api/v1/auth/force-reset-password).
  • Flaw: Allows unauthenticated requests to reset administrator passwords without verification or reset tokens.
  • Impact:
    • Immediate administrator account takeover.
    • Administrators can execute OS-level commands through SmarterMail settings, so an admin takeover escalates to SYSTEM-level compromise.

Active Exploitation

  • Exploitation observed since Jan 17, 2026 (two days after patch release).
  • Huntress Labs: Attackers created malicious System Events to run reconnaissance commands.
  • Watchtowr Labs: Confirmed exploitation in production environments.
  • Shadowserver scans: Over 6,000 vulnerable IPs across multiple continents.
  • Attackers are monitoring release notes and performing patch diffing to reverse-engineer vulnerabilities quickly.

Attack Chain

  1. Exploit password reset API → set new admin password.
  2. Obtain authentication tokens.
  3. Use admin privileges to execute OS commands.
  4. Deploy persistent backdoors or web shells.
  5. Conduct reconnaissance and lateral movement.

Defensive Recommendations

  • Patch immediately: Upgrade to Build 9511 or later.
  • Log review: Check for unauthorized password resets in admin activity logs.
  • Threat hunting: Investigate for web shells, malware, or malicious System Events.
  • Backup validation: Ensure backups are uncompromised and offline copies exist.
  • Monitoring: Watch for suspicious authentication tokens and persistence mechanisms.
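The log review and monitoring recommendations above are easiest to act on with a small hunting script. The following is an added example, not tooling from SmarterTools or any of the labs cited; it takes only the patched build number (9511) and the vulnerable endpoint path from the advisory. Everything else is an assumption: the log lines are a constructed, simplified reverse-proxy format (client IP, method, path, status, whether an authorization header was present), not SmarterMail's own log format, and the non-reset paths are hypothetical placeholders. It flags successful unauthenticated calls to the reset endpoint and any later authenticated activity from the same source, which is the takeover sequence the advisory describes.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Patched build stated in the advisory; older builds are exposed.
PATCHED_BUILD = 9511
# Vulnerable password-reset endpoint named in the advisory.
RESET_PATH = "/api/v1/auth/force-reset-password"

# ASSUMPTION: simplified reverse-proxy log format, not SmarterMail's own.
# Fields: client_ip method path status auth_header_present(yes|no)
LOG_RE = re.compile(
    r"^(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<auth>yes|no)$"
)

# Constructed sample log; "/hypothetical/..." paths are placeholders.
SAMPLE_LOG = """\
203.0.113.7 POST /api/v1/auth/force-reset-password 200 no
203.0.113.7 POST /hypothetical/login 200 no
203.0.113.7 POST /hypothetical/system-events 200 yes
10.0.0.5 POST /api/v1/auth/force-reset-password 200 yes
10.0.0.5 GET /hypothetical/settings 200 yes
198.51.100.22 GET /hypothetical/login 200 no
garbage line that does not parse
"""


def is_vulnerable_build(build) -> bool:
    """True if the SmarterMail build predates the fix (build 9511)."""
    try:
        return int(str(build).strip()) < PATCHED_BUILD
    except ValueError:
        raise ValueError(f"unrecognised build identifier: {build!r}")


@dataclass(frozen=True)
class Finding:
    source_ip: str
    reason: str


def reset_call_counts(log_text: str) -> dict:
    """Count calls to the reset endpoint per source IP (any auth state)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["path"] == RESET_PATH:
            counts[m["ip"]] += 1
    return dict(counts)


def hunt_reset_abuse(log_text: str) -> list:
    """Flag unauthenticated successful resets and follow-on admin activity.

    Legitimate resets should carry an authenticated session; a 2xx response
    to an unauthenticated call is the signature worth escalating.
    """
    findings = []
    unauth_reset_ips = set()
    follow_on_ips = []  # list keeps first-seen order deterministic
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than abort the hunt
        ip, path = m["ip"], m["path"]
        status, auth = int(m["status"]), m["auth"]
        if path == RESET_PATH:
            if auth == "no" and 200 <= status < 300:
                unauth_reset_ips.add(ip)
                findings.append(Finding(
                    ip, "unauthenticated successful call to force-reset-password"))
        elif ip in unauth_reset_ips and auth == "yes" and ip not in follow_on_ips:
            follow_on_ips.append(ip)
    for ip in follow_on_ips:
        findings.append(Finding(
            ip, "authenticated activity after unauthenticated password reset"))
    return findings


if __name__ == "__main__":
    print("build 9500 vulnerable:", is_vulnerable_build(9500))
    print("reset calls per IP:", reset_call_counts(SAMPLE_LOG))
    for f in hunt_reset_abuse(SAMPLE_LOG):
        print(f"{f.source_ip}: {f.reason}")
```

Adapting this to a real deployment means replacing `LOG_RE` with a pattern for the log source actually in front of SmarterMail (web server, reverse proxy, or WAF) and treating every hit on the reset path, authenticated or not, as worth a second look during the exposure window.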

Takeaway

This vulnerability highlights the extreme risk of exposed email infrastructure. With 6,000+ servers still unpatched, attackers are actively exploiting CVE-2026-23760 to gain SYSTEM-level access. Organizations must patch immediately, audit admin activity, and harden SmarterMail deployments to prevent compromise.
