
SmarterMail Authentication Bypass Exploited Post-Patch

2 unique sources, 3 articles

Summary


A critical authentication bypass vulnerability in SmarterMail email software (WT-2026-0001, CVE-2026-23760) has been actively exploited in the wild just two days after a patch was released. The flaw allows attackers to reset the system administrator password via a crafted HTTP request, which in turn leads to remote code execution (RCE) on the underlying operating system. The vulnerability was patched on January 15, 2026, but attackers reverse-engineered the patch to build an exploit. Over 6,000 SmarterMail servers were found exposed online and likely vulnerable. Shadowserver is tracking these servers, with more than 4,200 in North America and nearly 1,000 in Asia; Macnica threat researcher Yutaka Sejiyama found over 8,550 SmarterMail instances still vulnerable. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, ordering U.S. government agencies to secure their servers by February 16.

Timeline

  1. 22.01.2026 11:46 · 3 articles

    SmarterMail Authentication Bypass Exploited Post-Patch

    A critical authentication bypass vulnerability in SmarterMail (WT-2026-0001, CVE-2026-23760) was exploited two days after a patch was released. The flaw allows attackers to reset the system administrator password and gain SYSTEM-level shell access. The issue was patched on January 15, 2026, but attackers reverse-engineered the patch to build an exploit. The vulnerability was reported by watchTowr researchers on January 8, 2026, and affects only admin-level accounts. SmarterTools plans to improve transparency by sending emails for future CVEs and patch releases. Over 6,000 SmarterMail servers were found exposed online and likely vulnerable. Shadowserver is tracking these servers, with more than 4,200 in North America and nearly 1,000 in Asia; Macnica threat researcher Yutaka Sejiyama found over 8,550 SmarterMail instances still vulnerable. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, ordering U.S. government agencies to secure their servers by February 16.


Similar Happenings

Unauthenticated Privilege Escalation in WordPress Modular DS Plugin Exploited in the Wild

A critical vulnerability (CVE-2026-23550, CVSS 10.0) in the WordPress Modular DS plugin, affecting versions up to 2.5.1, is being actively exploited to gain admin access. The flaw allows unauthenticated attackers to bypass authentication and escalate privileges, potentially leading to full site compromise. The issue stems from a combination of design choices, including permissive direct request handling and weak authentication mechanisms. The vulnerability was patched in version 2.5.2, and attacks were first detected on January 13, 2026, originating from specific IP addresses. The Modular DS plugin has over 40,000 installations. Users are urged to update immediately to mitigate the risk.

Critical SmarterMail Arbitrary File Upload Vulnerability Disclosed

The Cyber Security Agency of Singapore (CSA) has disclosed a critical vulnerability (CVE-2025-52691) in SmarterMail email software, allowing unauthenticated remote code execution via arbitrary file upload. The flaw affects versions up to Build 9406 and has been patched in Build 9413 and later. SmarterMail is used by various web hosting providers, and users are advised to update to the latest version (Build 9483) for protection.

Oracle Identity Manager RCE Flaw CVE-2025-61757 Exploited in Attacks

CISA has warned that a pre-authentication remote code execution (RCE) flaw in Oracle Identity Manager, tracked as CVE-2025-61757, is being actively exploited in attacks. The vulnerability lies in the REST WebServices component and stems from an authentication bypass in the REST APIs that lets attackers reach a Groovy script compilation endpoint and execute malicious code; it carries a CVSS severity score of 9.8 and affects versions 12.2.1.4.0 and 14.1.2.1.0 of Oracle Identity Manager. Oracle patched the flaw in October 2025, but evidence suggests it may have been exploited as early as August 30. Researchers from Searchlight Cyber discovered the flaw during an investigation of a breach affecting Oracle Cloud's login service, in which a threat actor exploited an older vulnerability, CVE-2021-35587; they described the new flaw as trivial and easily exploitable and publicly revealed it on November 20. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on November 21, mandating that federal agencies patch it by December 12. Attackers can manipulate authentication flows, escalate privileges, and move laterally across an organization's core systems. The IP addresses 89.238.132[.]76, 185.245.82[.]81, and 138.199.29[.]153 have been observed scanning for the vulnerability, all using the same user agent.

Persistent Memory Exploit in ChatGPT Atlas Browser

A vulnerability in the ChatGPT Atlas browser allows attackers to inject persistent, hidden commands into the AI's memory. This exploit leverages a CSRF flaw to plant malicious instructions that persist across devices and sessions, enabling unauthorized code execution and potential data exfiltration. The vulnerability affects the browser's memory feature, which stores user preferences and details to personalize interactions. The exploit can lead to account takeovers, privilege escalation, and malware deployment. Users are at risk when they interact with ChatGPT after being tricked into visiting a malicious link. The attack vector is exacerbated by the browser's lack of robust anti-phishing controls, making users significantly more vulnerable compared to traditional browsers. The vulnerability highlights the security risks associated with AI-powered browsers and the need for enhanced protections as these tools become more integrated into enterprise environments.

Unauthenticated access vulnerability in Oracle E-Business Suite Configurator

A critical vulnerability in Oracle E-Business Suite (EBS) allows unauthenticated attackers to access sensitive data via HTTP. The flaw, CVE-2025-61884, affects versions 12.2.3 through 12.2.14 and has a CVSS score of 7.5. It is located in the Runtime UI component of the Configurator and could lead to unauthorized access to critical data. CISA has confirmed that the vulnerability is being exploited in attacks and has added it to its Known Exploited Vulnerabilities catalog. Oracle issued an emergency security update, silently fixing the vulnerability after it had already been actively exploited and a proof-of-concept exploit was leaked by the ShinyHunters extortion group. This development follows recent disclosures of zero-day exploitation in EBS software, attributed to a group with ties to the Clop ransomware group. The Clop group has been involved in major data theft campaigns targeting zero-days in Accellion FTA, GoAnywhere MFT, Cleo, and MOVEit Transfer.