SmarterMail authentication bypass flaw under active exploitation

Vulnerability
H score 66
2 unique sources, 5 articles

Summary

SmarterTools SmarterMail is under active exploitation for an authentication bypass flaw that can let an attacker reset the system administrator password and potentially reach SYSTEM-level command execution. The issue is tracked as WT-2026-0001 and is tied to the /api/v1/auth/force-reset-password endpoint. SmarterTools patched the flaw in Build 9511 on January 15, 2026, but abuse was seen two days later. The risk is unauthorized elevated access on affected mail servers.

Cases

Related Happenings

SmarterMail initial-access ransomware campaign with delayed encryption

Campaign
First: 18.02.2026 18:27 Last: 18.02.2026 18:27 Sources 1

How related: In another investigation published by Bleeping Computer, ransomware operators gained initial access through SmarterMail vulnerabilities and waited before triggering encryption payloads, a classic affiliate behavior pattern.

About this happening: A **SmarterMail** ransomware campaign is using newly disclosed email-server flaws for **initial access** and delaying encryption, raising the risk that exposed mail systems become...

SmarterTools hit by ransomware attack

Incident
First: 09.02.2026 14:02 Last: 09.02.2026 14:02 Sources 1

How related: SmarterTools confirmed last week that the Warlock ransomware gang breached its network after compromising an email system, but it did not impact business applications or account data.

About this happening: **SmarterTools** suffered a **ransomware attack** on **January 29** after attackers used an **unpatched SmarterMail VM** to gain access, disrupting the company’s **office network*...

Latest development: 10.02.2026 12:24

ReliaQuest identified activity likely tied to Warlock on SmarterTools systems that abused CVE-2026-23760 to bypass SmarterMail authentication, stage ransomware payloads on internet-facing systems, and chain the access with the software's built-in Volume Mount feature to gain full system control before installing Velociraptor; CISA also confirmed CVE-2026-24423 was being exploited in ransomware attacks.

CISA SmarterMail remediation guidance for CVE-2026-24423

Advisory/Mitigation
First: 06.02.2026 19:16 Last: 06.02.2026 19:16 Sources 1

How related: CISA added CVE-2026-24423 to the Known Exploited Vulnerabilities catalog at the beginning of February 2026, after confirming active ransomware exploitation.

About this happening: **SmarterMail** is at the center of a **CVE-2026-24423** remediation and exploitation wave: the flaw enables **unauthenticated remote code execution** in versions prior to **Build...

N8n sandbox escape flaws (multiple vulnerabilities)

Vulnerability
First: 04.02.2026 15:00 Last: 04.02.2026 15:00 Sources 1

About this happening: Two **maximum-severity sandbox-escape flaws** in **n8n** expose **self-hosted and cloud instances** to **complete server takeover** and **credential theft**. An **authenticated us...

Ongoing Dropbox credential-theft phishing campaign

Campaign
First: 03.02.2026 12:55 Last: 03.02.2026 12:55 Sources 1

About this happening: An **ongoing phishing campaign** is stealing **Dropbox credentials** from corporate users and can enable **account takeover** and follow-on fraud. The operation uses **urgent-busi...

Timeline

  1. 18.02.2026 18:27 1 article · 3mo ago

    SmarterMail flaws spread quickly in underground channels

    Campaign Scope Update

    Researchers monitoring underground Telegram channels and cybercrime forums observed threat actors rapidly sharing proof-of-concept exploits, offensive tools, and stolen administrator credentials for SmarterMail vulnerabilities CVE-2026-24423 and CVE-2026-23760 within days of disclosure, and CISA later added CVE-2026-24423 to the Known Exploited Vulnerabilities catalog after confirming active ransomware exploitation.

  2. 10.02.2026 12:24 1 article · 3mo ago

    Warlock breaches SmarterTools via unpatched SmarterMail

    Victim Impact Update

    Warlock (aka Storm-2603) breached SmarterTools on January 29, 2026 by exploiting an unpatched SmarterMail VM, then waited before taking over the Active Directory server, creating new users, and deploying Velociraptor and ransomware payloads. SmarterTools said about 12 Windows servers on its office network, a secondary data center used for quality control tests, and hosted customers using SmarterTrack were affected, while its website, shopping cart, My Account portal, and other business applications were not compromised.

  3. 27.01.2026 16:09 1 article · 4mo ago

    CISA adds SmarterMail CVE-2026-23760 to actively exploited list

    Legal Policy Action Update

    CISA added CVE-2026-23760 to its list of actively exploited vulnerabilities and told U.S. government agencies to secure affected SmarterMail servers within three weeks, by February 16, after ongoing exploitation of the authentication bypass was reported.

  4. 22.01.2026 11:46 1 article · 4mo ago

    Responsible disclosure of SmarterMail WT-2026-0001

    Initial Disclosure

    watchTowr Labs disclosed the SmarterMail authentication bypass tracked as WT-2026-0001 to SmarterTools, identifying the /api/v1/auth/force-reset-password endpoint as the vulnerable path and starting the remediation process for the affected mail software.

  5. 22.01.2026 11:46 1 article · 4mo ago

    SmarterTools releases Build 9511 for SmarterMail

    Mitigation Patch Update

    SmarterTools patched the SmarterMail authentication bypass in Build 9511, closing WT-2026-0001 after the responsible disclosure process and marking the vulnerability as remediated on January 15, 2026.

  6. 22.01.2026 11:46 3 articles · 4mo ago

    Observed abuse of the SmarterMail password-reset endpoint

    Exploitation Observed

    Logs and community reporting indicate use of the /api/v1/auth/force-reset-password endpoint on a SmarterMail system on January 17, 2026, suggesting attackers were able to abuse the authentication bypass and possibly reverse engineer the patch.

  7. 22.01.2026 11:46 1 article · 4mo ago

    watchTowr Labs publishes SmarterMail bypass analysis

    Technical Analysis Update

    watchTowr Labs published technical analysis showing that a crafted HTTP request to /api/v1/auth/force-reset-password can reset a SmarterMail system administrator password and that built-in RCE-as-a-feature functionality can be used to execute OS commands, while SmarterTools said it plans customer emails when a new CVE is discovered and when a fixed build is released.
