SmarterMail Authentication Bypass Exploited Post-Patch
Summary
A critical authentication bypass vulnerability in SmarterMail email software (WT-2026-0001, CVE-2026-23760) has been actively exploited in the wild just two days after a patch was released. The flaw allows attackers to reset the system administrator password via a crafted HTTP request, leading to remote code execution (RCE) on the underlying operating system. The vulnerability was patched on January 15, 2026, but attackers reverse-engineered the patch to exploit it. Over 6,000 SmarterMail servers were found exposed online and likely vulnerable to attacks exploiting the flaw. Shadowserver is tracking these servers, with more than 4,200 in North America and nearly 1,000 in Asia. Macnica threat researcher Yutaka Sejiyama found over 8,550 SmarterMail instances still vulnerable. CISA added the vulnerability to its list of actively exploited vulnerabilities, ordering U.S. government agencies to secure their servers by February 16. Threat actors rapidly shared proof-of-concept exploits, offensive tools, and stolen administrator credentials related to SmarterMail vulnerabilities on underground Telegram channels and cybercrime forums. SmarterTools was breached in January 2026 after attackers exploited an unpatched SmarterMail server running on an internal VM. Ransomware operators gained initial access through SmarterMail vulnerabilities and waited before triggering encryption payloads. Over 34,000 servers were found on Shodan with indications of running SmarterMail, with 1,185 vulnerable to authentication bypass or RCE flaws. CISA added CVE-2026-24423 to the Known Exploited Vulnerabilities catalog in February 2026, confirming active ransomware exploitation.
Timeline
22.01.2026 11:46 · 4 articles
SmarterMail Authentication Bypass Exploited Post-Patch
A critical authentication bypass vulnerability in SmarterMail (WT-2026-0001, CVE-2026-23760) was exploited two days after a patch was released. The flaw allows attackers to reset the system administrator password and gain SYSTEM-level shell access. The issue was patched on January 15, 2026, but attackers reverse-engineered the patch to exploit it. The vulnerability was reported by watchTowr researchers on January 8, 2026, and affects only admin-level accounts. SmarterTools plans to improve transparency by sending emails for future CVEs and patch releases. Over 6,000 SmarterMail servers were found exposed online and likely vulnerable to attacks exploiting the flaw. Shadowserver is tracking these servers, with more than 4,200 in North America and nearly 1,000 in Asia. Macnica threat researcher Yutaka Sejiyama found over 8,550 SmarterMail instances still vulnerable. CISA added the vulnerability to its list of actively exploited vulnerabilities, ordering U.S. government agencies to secure their servers by February 16. Threat actors rapidly shared proof-of-concept exploits, offensive tools, and stolen administrator credentials related to SmarterMail vulnerabilities on underground Telegram channels and cybercrime forums. SmarterTools was breached in January 2026 after attackers exploited an unpatched SmarterMail server running on an internal VM. Ransomware operators gained initial access through SmarterMail vulnerabilities and waited before triggering encryption payloads. Over 34,000 servers were found on Shodan with indications of running SmarterMail, with 1,185 vulnerable to authentication bypass or RCE flaws. CISA added CVE-2026-24423 to the Known Exploited Vulnerabilities catalog in February 2026, confirming active ransomware exploitation.
Sources:
- SmarterMail Auth Bypass Exploited in the Wild Two Days After Patch Release — thehackernews.com — 22.01.2026 11:46
- SmarterMail auth bypass flaw now exploited to hijack admin accounts — www.bleepingcomputer.com — 22.01.2026 20:44
- Over 6,000 SmarterMail servers exposed to automated hijacking attacks — www.bleepingcomputer.com — 27.01.2026 16:09
- Telegram channels expose rapid weaponization of SmarterMail flaws — www.bleepingcomputer.com — 18.02.2026 18:27
Information Snippets
The vulnerability (WT-2026-0001) was patched on January 15, 2026, with Build 9511.
First reported: 22.01.2026 11:46 · 2 sources, 4 articles
- SmarterMail Auth Bypass Exploited in the Wild Two Days After Patch Release — thehackernews.com — 22.01.2026 11:46
- SmarterMail auth bypass flaw now exploited to hijack admin accounts — www.bleepingcomputer.com — 22.01.2026 20:44
- Over 6,000 SmarterMail servers exposed to automated hijacking attacks — www.bleepingcomputer.com — 27.01.2026 16:09
- Telegram channels expose rapid weaponization of SmarterMail flaws — www.bleepingcomputer.com — 18.02.2026 18:27
The flaw allows attackers to reset the system administrator password via a crafted HTTP request to the "/api/v1/auth/force-reset-password" endpoint.
First reported: 22.01.2026 11:46 · 2 sources, 4 articles
- SmarterMail Auth Bypass Exploited in the Wild Two Days After Patch Release — thehackernews.com — 22.01.2026 11:46
- SmarterMail auth bypass flaw now exploited to hijack admin accounts — www.bleepingcomputer.com — 22.01.2026 20:44
- Over 6,000 SmarterMail servers exposed to automated hijacking attacks — www.bleepingcomputer.com — 27.01.2026 16:09
- Telegram channels expose rapid weaponization of SmarterMail flaws — www.bleepingcomputer.com — 18.02.2026 18:27
The vulnerability enables remote code execution (RCE) through built-in functionality that allows system administrators to execute OS commands.
First reported: 22.01.2026 11:46 · 2 sources, 4 articles
- SmarterMail Auth Bypass Exploited in the Wild Two Days After Patch Release — thehackernews.com — 22.01.2026 11:46
- SmarterMail auth bypass flaw now exploited to hijack admin accounts — www.bleepingcomputer.com — 22.01.2026 20:44
- Over 6,000 SmarterMail servers exposed to automated hijacking attacks — www.bleepingcomputer.com — 27.01.2026 16:09
- Telegram channels expose rapid weaponization of SmarterMail flaws — www.bleepingcomputer.com — 18.02.2026 18:27
Attackers exploited the flaw on January 17, 2026, two days after the patch was released.
First reported: 22.01.2026 11:46 · 2 sources, 4 articles
- SmarterMail Auth Bypass Exploited in the Wild Two Days After Patch Release — thehackernews.com — 22.01.2026 11:46
- SmarterMail auth bypass flaw now exploited to hijack admin accounts — www.bleepingcomputer.com — 22.01.2026 20:44
- Over 6,000 SmarterMail servers exposed to automated hijacking attacks — www.bleepingcomputer.com — 27.01.2026 16:09
- Telegram channels expose rapid weaponization of SmarterMail flaws — www.bleepingcomputer.com — 18.02.2026 18:27
SmarterTools CEO Tim Uzzanti acknowledged transparency concerns and plans to send emails for future CVEs and patch releases.
First reported: 22.01.2026 11:46 · 2 sources, 2 articles
- SmarterMail Auth Bypass Exploited in the Wild Two Days After Patch Release — thehackernews.com — 22.01.2026 11:46
- Telegram channels expose rapid weaponization of SmarterMail flaws — www.bleepingcomputer.com — 18.02.2026 18:27
The vulnerability was reported by watchTowr researchers on January 8, 2026.
First reported: 22.01.2026 20:44 · 1 source, 3 articles
- SmarterMail auth bypass flaw now exploited to hijack admin accounts — www.bleepingcomputer.com — 22.01.2026 20:44
- Over 6,000 SmarterMail servers exposed to automated hijacking attacks — www.bleepingcomputer.com — 27.01.2026 16:09
- Telegram channels expose rapid weaponization of SmarterMail flaws — www.bleepingcomputer.com — 18.02.2026 18:27
The flaw affects only admin-level accounts, not regular users.
First reported: 22.01.2026 20:44 · 1 source, 2 articles
- SmarterMail auth bypass flaw now exploited to hijack admin accounts — www.bleepingcomputer.com — 22.01.2026 20:44
- Telegram channels expose rapid weaponization of SmarterMail flaws — www.bleepingcomputer.com — 18.02.2026 18:27
The vulnerability was discovered during the investigation of a critical pre-auth RCE flaw tracked as CVE-2025-52691.
First reported: 22.01.2026 20:44 · 1 source, 3 articles
- SmarterMail auth bypass flaw now exploited to hijack admin accounts — www.bleepingcomputer.com — 22.01.2026 20:44
- Over 6,000 SmarterMail servers exposed to automated hijacking attacks — www.bleepingcomputer.com — 27.01.2026 16:09
- Telegram channels expose rapid weaponization of SmarterMail flaws — www.bleepingcomputer.com — 18.02.2026 18:27
The vulnerability was assigned CVE-2026-23760 and rated critical severity.
First reported: 27.01.2026 16:09 · 1 source, 2 articles
- Over 6,000 SmarterMail servers exposed to automated hijacking attacks — www.bleepingcomputer.com — 27.01.2026 16:09
- Telegram channels expose rapid weaponization of SmarterMail flaws — www.bleepingcomputer.com — 18.02.2026 18:27
Over 6,000 SmarterMail servers were found exposed online and likely vulnerable to attacks exploiting the flaw.
First reported: 27.01.2026 16:09 · 1 source, 2 articles
- Over 6,000 SmarterMail servers exposed to automated hijacking attacks — www.bleepingcomputer.com — 27.01.2026 16:09
- Telegram channels expose rapid weaponization of SmarterMail flaws — www.bleepingcomputer.com — 18.02.2026 18:27
Shadowserver is tracking over 6,000 SmarterMail servers flagged as "likely vulnerable" to ongoing CVE-2026-23760 attacks.
First reported: 27.01.2026 16:09 · 1 source, 2 articles
- Over 6,000 SmarterMail servers exposed to automated hijacking attacks — www.bleepingcomputer.com — 27.01.2026 16:09
- Telegram channels expose rapid weaponization of SmarterMail flaws — www.bleepingcomputer.com — 18.02.2026 18:27
Macnica threat researcher Yutaka Sejiyama found over 8,550 SmarterMail instances still vulnerable to CVE-2026-23760 attacks.
First reported: 27.01.2026 16:09 · 1 source, 2 articles
- Over 6,000 SmarterMail servers exposed to automated hijacking attacks — www.bleepingcomputer.com — 27.01.2026 16:09
- Telegram channels expose rapid weaponization of SmarterMail flaws — www.bleepingcomputer.com — 18.02.2026 18:27
watchTowr shared a proof-of-concept exploit that only requires prior knowledge of the administrator account's username.
First reported: 27.01.2026 16:09 · 1 source, 2 articles
- Over 6,000 SmarterMail servers exposed to automated hijacking attacks — www.bleepingcomputer.com — 27.01.2026 16:09
- Telegram channels expose rapid weaponization of SmarterMail flaws — www.bleepingcomputer.com — 18.02.2026 18:27
CISA added CVE-2026-23760 to its list of actively exploited vulnerabilities, ordering U.S. government agencies to secure their servers by February 16.
First reported: 27.01.2026 16:09 · 1 source, 2 articles
- Over 6,000 SmarterMail servers exposed to automated hijacking attacks — www.bleepingcomputer.com — 27.01.2026 16:09
- Telegram channels expose rapid weaponization of SmarterMail flaws — www.bleepingcomputer.com — 18.02.2026 18:27
Threat actors rapidly shared proof-of-concept exploits, offensive tools, and stolen administrator credentials related to SmarterMail vulnerabilities on underground Telegram channels and cybercrime forums.
First reported: 18.02.2026 18:27 · 1 source, 1 article
- Telegram channels expose rapid weaponization of SmarterMail flaws — www.bleepingcomputer.com — 18.02.2026 18:27
CVE-2026-24423 is a critical unauthenticated remote code execution flaw affecting versions prior to Build 9511, with a CVSS score of 9.3.
First reported: 18.02.2026 18:27 · 1 source, 1 article
- Telegram channels expose rapid weaponization of SmarterMail flaws — www.bleepingcomputer.com — 18.02.2026 18:27
SmarterTools was breached in January 2026 after attackers exploited an unpatched SmarterMail server running on an internal VM.
First reported: 18.02.2026 18:27 · 1 source, 1 article
- Telegram channels expose rapid weaponization of SmarterMail flaws — www.bleepingcomputer.com — 18.02.2026 18:27
Ransomware operators gained initial access through SmarterMail vulnerabilities and waited before triggering encryption payloads.
First reported: 18.02.2026 18:27 · 1 source, 1 article
- Telegram channels expose rapid weaponization of SmarterMail flaws — www.bleepingcomputer.com — 18.02.2026 18:27
Over 34,000 servers were found on Shodan with indications of running SmarterMail, with 1,185 vulnerable to authentication bypass or RCE flaws.
First reported: 18.02.2026 18:27 · 1 source, 1 article
- Telegram channels expose rapid weaponization of SmarterMail flaws — www.bleepingcomputer.com — 18.02.2026 18:27
CISA added CVE-2026-24423 to the Known Exploited Vulnerabilities catalog in February 2026, confirming active ransomware exploitation.
First reported: 18.02.2026 18:27 · 1 source, 1 article
- Telegram channels expose rapid weaponization of SmarterMail flaws — www.bleepingcomputer.com — 18.02.2026 18:27
Similar Happenings
Critical Unauthenticated RCE Flaw in SmarterMail Patched
SmarterTools has addressed a critical unauthenticated remote code execution (RCE) flaw in SmarterMail email software, tracked as CVE-2026-24423 with a CVSS score of 9.3. The vulnerability allows attackers to execute arbitrary OS commands by pointing SmarterMail to a malicious HTTP server. The flaw was discovered by researchers from watchTowr, CODE WHITE GmbH, and VulnCheck and was patched in version Build 9511, released on January 15, 2026. CISA has added CVE-2026-24423 to its KEV catalog, marking it as actively exploited in ransomware campaigns, and has given federal agencies until February 26, 2026, to patch or stop using affected versions. Additionally, another critical flaw (CVE-2026-23760) and a medium-severity vulnerability (CVE-2026-25067) were also addressed in subsequent updates.
Unauthenticated Privilege Escalation in WordPress Modular DS Plugin Exploited in the Wild
A critical vulnerability (CVE-2026-23550, CVSS 10.0) in the WordPress Modular DS plugin, affecting versions up to 2.5.1, is being actively exploited to gain admin access. The flaw allows unauthenticated attackers to bypass authentication and escalate privileges, potentially leading to full site compromise. The issue stems from a combination of design choices, including permissive direct request handling and weak authentication mechanisms. The vulnerability was patched in version 2.5.2, and attacks were first detected on January 13, 2026, originating from specific IP addresses. The Modular DS plugin has over 40,000 installations. Users are urged to update immediately to mitigate the risk.
Critical SmarterMail Arbitrary File Upload Vulnerability Disclosed
The Cyber Security Agency of Singapore (CSA) has disclosed a critical vulnerability (CVE-2025-52691) in SmarterMail email software, allowing unauthenticated remote code execution via arbitrary file upload. The flaw affects versions up to Build 9406 and has been patched in Build 9413 and later. SmarterMail is used by various web hosting providers, and users are advised to update to the latest version (Build 9483) for protection.
Oracle Identity Manager RCE Flaw CVE-2025-61757 Exploited in Attacks
CISA has warned that a pre-authentication remote code execution (RCE) flaw in Oracle Identity Manager, tracked as CVE-2025-61757, is being actively exploited in attacks. The vulnerability stems from an authentication bypass in the REST APIs, allowing attackers to execute malicious code. The flaw was patched by Oracle in October 2025, but evidence suggests it may have been exploited as early as August 30. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch it by December 12. Researchers from Searchlight Cyber discovered the flaw, describing it as trivial and easily exploitable. Multiple IP addresses have been observed scanning for the vulnerability, all using the same user agent. The flaw involves gaining access to a Groovy script compilation endpoint to execute malicious code. The vulnerability affects versions 12.2.1.4.0 and 14.1.2.1.0 of Oracle Identity Manager. Attackers can manipulate authentication flows, escalate privileges, and move laterally across an organization's core systems. The IP addresses 89.238.132[.]76, 185.245.82[.]81, and 138.199.29[.]153 were observed scanning for the vulnerability. The flaw was revealed by Searchlight Cyber on November 20 and added to CISA's KEV catalog on November 21. The vulnerability lies in the REST WebServices component of Oracle Identity Manager and has a CVSS severity score of 9.8. The flaw was discovered during an investigation of a breach affecting Oracle Cloud's login service, where a threat actor exploited an older vulnerability, CVE-2021-35587.
Persistent Memory Exploit in ChatGPT Atlas Browser
A vulnerability in the ChatGPT Atlas browser allows attackers to inject persistent, hidden commands into the AI's memory. This exploit leverages a CSRF flaw to plant malicious instructions that persist across devices and sessions, enabling unauthorized code execution and potential data exfiltration. The vulnerability affects the browser's memory feature, which stores user preferences and details to personalize interactions. The exploit can lead to account takeovers, privilege escalation, and malware deployment. Users are at risk when they interact with ChatGPT after being tricked into visiting a malicious link. The attack vector is exacerbated by the browser's lack of robust anti-phishing controls, making users significantly more vulnerable compared to traditional browsers. The vulnerability highlights the security risks associated with AI-powered browsers and the need for enhanced protections as these tools become more integrated into enterprise environments.