Vulnerability · Advisory/Mitigation · Campaign · Exploitation Wave

SmarterMail RCE, password-reset bypass, and ransomware response

Updated 18.02.2026 18:27
Case score 67 · Members 5 · Latest activity 18.02.2026 18:27
Active exploitation · KEV: CISA KEV · Patch status varies by member · CVSS: 10.0 Critical
First seen 22.01.2026 11:46 · Last seen 18.02.2026 18:27

Overview

**SmarterMail** flaws affecting the password-reset path and the **ConnectToHub API** are being exploited against internet-facing mail servers, creating paths to administrator control and, in some activity, command execution. The activity spans mass exposure, rapid exploit and credential sharing, and **Warlock**-linked ransomware follow-on behavior. **CISA** has put **CVE-2026-24423** on the **Known Exploited Vulnerabilities** catalog with a **February 26, 2026** remediation deadline for federal agencies and other **BOD 22-01** entities, keeping patching and vendor mitigations urgent.

Signals

10 derived
Exploitation: Active exploitation
Victims/regions: Sector: government
Remediation: KEV: CISA KEV · Urgency: High
Status: Campaign status: Active
Threat context: Ransomware: Warlock

Malware context

1 family · 1 tool
Tools: Velociraptor

Member happenings

5 related
Vulnerability: SmarterMail unauthenticated RCE in ConnectToHub API (CVE-2026-24423)
Updated 30.01.2026 09:09 · Lead · Contribution 61
Exploitation: No Known Exploitation · Data Type: Email Addresses · Data Type: Physical Addresses · CVSS: 10.0 Critical

**SmarterMail** versions prior to **Build 9511** contain **CVE-2026-24423**, an **unauthenticated remote code execution** flaw in the **ConnectToHub API** that could let an attacker run arbitrary commands. The bug affects the email software’s exposed API surface and creates a direct compromise risk for unpatched deployments. **Build 9511** fixes the issue, making prompt upgrading the key remediation path.

Exploitation Wave: SmarterMail CVE-2026-23760 mass exploitation wave
Updated 27.01.2026 16:09 · Scoring Support · Contribution 2
Exploitation: Active Exploitation · CVSS: 10.0 Critical · Patch: Patch Available

**CVE-2026-23760** is being exploited against **SmarterMail** to bypass authentication on **internet-facing mail servers**, creating takeover risk across **thousands of exposed instances**. Defenders have tracked more than **6,000 likely vulnerable servers** and over **8,550** still exposed, while **CISA** added the flaw to its **actively exploited** list and set a **February 16** remediation deadline for U.S. agencies. The vulnerability is an **authentication bypass** in the **password reset API** that can let an attacker reset a system administrator password, and **SmarterTools** released a fix in **Build 9511** with further protection in **Build 9526**.

Campaign: SmarterMail initial-access ransomware campaign with delayed encryption
Updated 18.02.2026 18:27 · Scoring Support · Contribution 2
Objective: Financial Extortion · Campaign: Active

A **SmarterMail** ransomware campaign is using newly disclosed email-server flaws for **initial access** and delaying encryption, raising the risk that exposed mail systems become footholds into internal networks. The operation matters because the same weaknesses are being weaponized quickly across **Internet-facing servers**, shrinking the window for defenders. Underground sharing of **PoC exploits** and stolen credentials is accelerating exploitation, and some activity is being tied to the **Warlock ransomware group**. **CISA** later confirmed active ransomware exploitation by adding **CVE-2026-24423** to the **KEV** catalog.

Advisory/Mitigation: CISA SmarterMail remediation guidance for CVE-2026-24423
Updated 06.02.2026 19:16 · Context
Exploitation: Active Exploitation · CVSS: 9.3 Critical · Urgency: High · Patch: Patch Available

**SmarterMail** is at the center of a **CVE-2026-24423** remediation and exploitation wave: the flaw enables **unauthenticated remote code execution** in versions prior to **Build 9511**, while **CVE-2026-23760** adds authentication-bypass risk on exposed email servers. **CISA** added **CVE-2026-24423** to the **Known Exploited Vulnerabilities** catalog after confirming **active ransomware exploitation**, and directed **federal agencies** and other **BOD 22-01** entities to **apply updates**, use **vendor mitigations**, or **stop using the product** by **February 26, 2026**.

Vulnerability: SmarterMail authentication bypass flaw under active exploitation
Updated 22.01.2026 11:46 · Context
Exploitation: Active Exploitation · Exploit: No Known Public Exploit · Data Type: Passwords · Data Type: Email Addresses

**SmarterTools SmarterMail** is under **active exploitation** for an **authentication bypass flaw** that can let an attacker **reset the system administrator password** and potentially reach **SYSTEM-level command execution**. The issue is tracked as **WT-2026-0001** and is tied to the **/api/v1/auth/force-reset-password** endpoint. SmarterTools patched the flaw in **Build 9511** on **January 15, 2026**, but abuse was seen **two days later**. The risk is unauthorized elevated access on affected mail servers.