SmarterTools has released critical security updates for its SmarterMail software to address several vulnerabilities, most notably a high-severity unauthenticated remote code execution (RCE) flaw. Tracked as CVE-2026-24423 with a CVSS score of 9.3, the vulnerability resides in the ConnectToHub API method. Attackers can exploit this by directing a vulnerable instance to a malicious HTTP server, leading to the execution of arbitrary operating system commands.
In addition to the RCE bug, the update patches CVE-2026-25067, a medium-severity path coercion vulnerability that could facilitate NTLM relay attacks and unauthorized network authentication. These fixes follow recent reports of active exploitation in the wild for other SmarterMail vulnerabilities. Cybersecurity experts urge administrators to update to Build 9518 or later immediately to mitigate the risk of compromise.