SmarterMail RCE, password-reset bypass, and ransomware response
Updated 18.02.2026 18:27
Case score 67
Score breakdown
- Total: 67
- Lead score: 61
- Support bonus: +6 / 20
- Scoring support: 2
- Context members: 1
Top contributors
- Vulnerability (base): Defines the core unauthenticated RCE path in the ConnectToHub API on SmarterMail.
- Campaign (support): Adds exploit sharing, credential abuse, and ransomware follow-on behavior tied to the SmarterMail flaws.
- Exploitation Wave (support): Adds active exploitation pressure and large exposed-server counts for the same product surface.
- Advisory/Mitigation (context): Adds confirmed KEV status, ransomware exploitation warning, and the February 26, 2026 federal remediation deadline for CVE-2026-24423.
Title history
- Old: SmarterMail admin-reset abuse and ransomware follow-on
- New: SmarterMail RCE, password-reset bypass, and ransomware response
- Why old title changed: The previous title centered on admin-reset abuse and ransomware follow-on, but the accepted scope clearly includes a distinct unauthenticated RCE path and an official response around CVE-2026-24423. The new title better reflects the reader-facing story: parallel SmarterMail exploitation paths, ransomware use, and the active remediation response, while keeping the fixed URL unchanged.
Members 5
Latest activity 18.02.2026 18:27
Active exploitation
KEV: CISA KEV
Patch/mitigation varies by member
CVSS: 10.0 Critical
First seen 22.01.2026 11:46
Last seen 18.02.2026 18:27
Overview
**SmarterMail** flaws affecting the password-reset path and the **ConnectToHub API** are being exploited against internet-facing mail servers, creating paths to administrator control and, in some activity, command execution. The activity spans mass exposure, rapid exploit and credential sharing, and **Warlock**-linked ransomware follow-on behavior.
**CISA** has added **CVE-2026-24423** to the **Known Exploited Vulnerabilities** catalog with a **February 26, 2026** remediation deadline for federal agencies and other **BOD 22-01** entities, so patching and vendor mitigations remain urgent.
Attackers are targeting internet-facing **SmarterMail** servers through the password-reset path and the **ConnectToHub API**, using **CVE-2026-23760** to bypass authentication and **CVE-2026-24423** to reach unauthenticated remote code execution. The flaws can let intruders reset administrator credentials, seize control of exposed mail systems, and in some activity execute commands on the host. **Build 9511** closed the disclosed **CVE-2026-24423** path and the related reset-path issue tracked in available material.
Broad internet exposure has kept the product under pressure, with defender tracking identifying more than **6,000** likely vulnerable servers. Underground channels quickly circulated proof-of-concept code, offensive tooling, and stolen administrator credentials tied to the SmarterMail flaws, shrinking the response window for exposed organizations. Follow-on activity has included **Warlock**-linked initial access and delayed-encryption ransomware operations that treat compromised mail servers as footholds into internal networks.
**CISA** added **CVE-2026-24423** to the **Known Exploited Vulnerabilities** catalog and set a **February 26, 2026** remediation deadline for federal agencies and other **BOD 22-01** entities. Available material supports active exploitation and ransomware use of the vulnerable surface, but it does not establish the full number of successful compromises or prove that every intrusion followed the same flaw path. Immediate priorities are upgrading **SmarterMail**, applying vendor mitigations, and treating exposed mail servers as high-risk entry points until the vulnerable surface is removed.