The 'Hub' of All Evils: SmarterMail Unauth RCE
Vulnerability ID: CVE-2026-24423
CVSS Score: 9.3
Published: 2026-01-23
A critical authentication bypass in SmarterTools SmarterMail allows unauthenticated attackers to trick the server into executing arbitrary OS commands by abusing the 'ConnectToHub' API.
TL;DR
SmarterMail left the 'SystemAdminSettingsController.ConnectToHub' endpoint wide open. An attacker can send a request telling the mail server to connect to a malicious 'Hub' server controlled by the attacker. Upon connection, the malicious server feeds the mail server commands, which are executed with high privileges. It is a textbook unauthenticated RCE rated CVSS 9.3.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-306 (Missing Authentication for Critical Function)
- Attack Vector: Network (AV:N)
- CVSS v4.0: 9.3 (Critical)
- Privileges Required: None (PR:N)
- Impact: Remote Code Execution (System)
- Exploit Status: Active Research / High Risk
Affected Systems
- SmarterTools SmarterMail (All versions prior to Build 9511)
- SmarterMail: < 100.0.9511 (Fixed in: Build 9511)
Exploit Details
- VulnCheck: Advisory detailing the unauthenticated RCE via ConnectToHub API
Mitigation Strategies
- Upgrade to SmarterMail Build 9511 or later immediately.
- Implement IP allow-listing for the SmarterMail administrative interface.
- Place the SmarterMail web interface behind a WAF or VPN.
Remediation Steps
- Download the latest installer from the SmarterTools website.
- Stop the SmarterMail service.
- Run the installer to update the binaries.
- Restart the service and verify the build number in the settings.
- Review logs for any POST requests to 'ConnectToHub' from external IPs.
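The last step, reviewing logs for 'ConnectToHub' requests from external IPs, is easy to do by hand once and tedious to repeat. The script below is an added example (not code from SmarterTools or from the advisory) that scans web-server log lines for POST requests whose path contains the ConnectToHub route name and reports those that did not originate from an internal address range. The log layout, the route paths and the sample IPs are constructed for the example; SmarterMail's real log format and the exact API path are not given on this page, so the line regex and the `INTERNAL_NETWORKS` list are assumptions to adapt to your environment.

```python
import ipaddress
import re
from dataclasses import dataclass

# Networks treated as "internal" for this check. This list is an assumption
# (RFC 1918, loopback, link-local, ULA); adjust it to your own address plan.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
              "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")
]

# Match the endpoint name from the advisory however the route spells it
# (ConnectToHub, connect-to-hub, connecttohub). The surrounding path is not
# stated in the advisory, so only the name itself is matched.
HUB_ENDPOINT = re.compile(r"connect[-_]?to[-_]?hub", re.IGNORECASE)

# Generic "timestamp client method path status" layout, constructed for this
# example. It is NOT SmarterMail's real log format; adapt the regex to what
# your web server or reverse proxy actually writes.
LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)


@dataclass
class HubConnectHit:
    timestamp: str
    client_ip: str
    path: str
    status: int


def is_internal(ip_text: str) -> bool:
    """True if the address falls inside INTERNAL_NETWORKS; unparseable text counts as external."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    # 'in' is always False across IP versions, so mixed v4/v6 lists are safe here.
    return any(addr in net for net in INTERNAL_NETWORKS)


def find_external_hub_connects(log_text: str) -> list[HubConnectHit]:
    """Return every POST to a ConnectToHub-style route that came from outside INTERNAL_NETWORKS."""
    hits: list[HubConnectHit] = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines instead of aborting the whole scan
        if m["method"] != "POST" or not HUB_ENDPOINT.search(m["path"]):
            continue
        if is_internal(m["ip"]):
            continue
        hits.append(HubConnectHit(m["ts"], m["ip"], m["path"], int(m["status"])))
    return hits


# Constructed sample log. Paths and client addresses are made up for the
# example (documentation ranges 203.0.113.0/24 and 2001:db8::/32 stand in
# for "external" clients); none of it comes from a real SmarterMail install.
SAMPLE_LOG = """\
2026-01-24T10:01:12Z 10.0.0.15 GET /api/v1/settings/sysadmin/settings 200
2026-01-24T10:03:44Z 203.0.113.7 POST /api/v1/settings/sysadmin/connect-to-hub 200
2026-01-24T10:05:01Z 192.168.1.20 POST /api/v1/settings/sysadmin/ConnectToHub 200
2026-01-24T10:07:30Z 198.51.100.9 POST /api/v1/auth/authenticate-user 401
2026-01-24T10:09:55Z 2001:db8::1 POST /api/v1/settings/sysadmin/connecttohub 500
this line is deliberately malformed and must be skipped
"""

if __name__ == "__main__":
    for hit in find_external_hub_connects(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client_ip} -> {hit.path} (HTTP {hit.status})")
```

Any hit from an address you do not recognise as your own administrator's is worth treating as an indicator that the endpoint was reached before the Build 9511 upgrade; a failed status code is still worth recording, since the advisory describes the request itself as the unauthenticated trigger. Note that the script deliberately uses an explicit internal-network list rather than `ipaddress`'s `is_private`, which also classifies the documentation ranges used in the sample as non-global.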
References
Read the full report for CVE-2026-24423 on our website for more details including interactive diagrams and full exploit analysis.