SmarterMail, Dumber Auth: The CVE-2026-23760 Deep Dive
Vulnerability ID: CVE-2026-23760
CVSS Score: 9.8
Published: 2026-01-22
A critical authentication bypass in SmarterTools SmarterMail allows unauthenticated attackers to reset the administrator password by simply telling the API they are an administrator. This leads to immediate remote code execution via built-in management features.
TL;DR
If you run SmarterMail (builds older than Build 9511), anyone who can reach the API can become your system administrator by sending a single JSON request. Once they are admin, they can execute OS commands via the 'Volume Mounts' feature. It's a 9.8/10 on the panic scale.
⚠️ Exploit Status: ACTIVE
Technical Details
- CWE: CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
- CVSS v3.1: 9.8 (Critical)
- Attack Vector: Network (API)
- Privileges Required: None
- User Interaction: None
- Exploit Status: High (Active Exploitation)
- EPSS Score: 0.51 (97th Percentile)
Affected Systems
- SmarterMail Enterprise (Windows)
- SmarterMail Professional (Windows)
- SmarterMail Free (Windows)
- SmarterMail: < Build 9511 (fixed in Build 9511)
Exploit Details
- watchTowr: Full exploit chain for Auth Bypass and RCE
Mitigation Strategies
- Restrict access to the web management port (9998) to trusted administrator networks via firewall rules immediately; the bypass needs nothing more than network reachability to the API.
- If patching is not immediately possible, block requests to the force-reset-password endpoint at a WAF or reverse proxy. Treat this as a stopgap only: rules that match the raw path can be sidestepped by case or encoding variations, so match on the normalized path and still patch.
- Review logs for any requests to /api/v1/auth/force-reset-password originating from IPs outside your administrator allowlist. On an unpatched build, treat any such hit as a probable compromise and proceed to the remediation steps.
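The log review above as a small Python scanner, added here as an example and not taken from the advisory or from SmarterTools. The sample log lines are constructed in a combined-log-style format, which is an assumption: adapt `LINE_RE` to whatever SmarterMail or the reverse proxy in front of it actually writes. The trusted administrator network (10.0.0.0/8) is also an assumption. Paths are percent-decoded and lower-cased before comparison so that case and encoding variants of the endpoint are not missed.

```python
"""Scan web logs for requests to the force-reset-password endpoint from
untrusted sources.

Added example, not SmarterTools code. The log format below is a
combined-log-style assumption; the trusted network is an assumption too.
"""
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample lines (not real traffic). Line 3 uses mixed case and
# line 4 percent-encodes a hyphen to show why the path is normalized.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jan/2026:10:01:02 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 87 "-" "python-requests/2.31"
10.0.0.5 - - [22/Jan/2026:10:05:44 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Jan/2026:10:06:10 +0000] "POST /API/v1/Auth/Force-Reset-Password HTTP/1.1" 200 87 "-" "curl/8.4"
192.0.2.44 - - [22/Jan/2026:10:06:30 +0000] "POST /api/v1/auth/force%2dreset-password HTTP/1.1" 200 87 "-" "curl/8.4"
192.0.2.44 - - [22/Jan/2026:10:07:00 +0000] "GET /interface/root HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Assumed combined-log-style layout: client IP, ident, user, [timestamp],
# "METHOD PATH PROTOCOL", status, ... Adjust for your real log source.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

TARGET_PATH = "/api/v1/auth/force-reset-password"  # endpoint named in the advisory

# Assumed administrator network; requests from here are not flagged.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def normalize_path(raw_path: str) -> str:
    """Strip the query string, percent-decode and lower-case the path."""
    return unquote(raw_path.split("?", 1)[0]).lower()


def find_suspicious(log_text: str, trusted=TRUSTED_NETS) -> list[dict]:
    """Return one record per request to the reset endpoint from an untrusted IP."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; tighten LINE_RE if this happens a lot
        if normalize_path(m["path"]) != TARGET_PATH:
            continue
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in trusted):
            continue
        hits.append({
            "ip": str(ip),
            "timestamp": m["ts"],
            "method": m["method"],
            "status": int(m["status"]),
        })
    return hits


def suspicious_ips(log_text: str, trusted=TRUSTED_NETS) -> list[str]:
    """Distinct untrusted source IPs that hit the endpoint, in first-seen order."""
    seen: list[str] = []
    for hit in find_suspicious(log_text, trusted):
        if hit["ip"] not in seen:
            seen.append(hit["ip"])
    return seen


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f'{hit["timestamp"]}  {hit["ip"]:<15} {hit["method"]} -> {hit["status"]}')
```

Every hit is worth a look regardless of the response code: on an unpatched build a 200 on this endpoint from an unknown address means the reset most likely succeeded, and even a failed attempt tells you someone is probing for this specific bug.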
Remediation Steps:
- Upgrade SmarterMail to Build 9511 or higher immediately.
- Check the 'Volume Mounts' configuration for any unrecognized commands.
- Rotate all administrator passwords, as they may have been harvested or changed.
- Verify no new administrative accounts were created during the exposure window.
References
Read the full report for CVE-2026-23760 on our website for more details including interactive diagrams and full exploit analysis.