CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Critical Unauthenticated RCE Flaw in SmarterMail Patched

First reported
Last updated
2 unique sources, 2 articles

Summary

Hide ▲

SmarterTools has addressed a critical unauthenticated remote code execution (RCE) flaw in SmarterMail email software, tracked as CVE-2026-24423 with a CVSS score of 9.3. The vulnerability allows attackers to execute arbitrary OS commands by pointing SmarterMail to a malicious HTTP server. The flaw was discovered by researchers from watchTowr, CODE WHITE GmbH, and VulnCheck and was patched in version Build 9511, released on January 15, 2026. CISA has added CVE-2026-24423 to its KEV catalog, marking it as actively exploited in ransomware campaigns, and has given federal agencies until February 26, 2026, to patch or stop using affected versions. Additionally, another critical flaw (CVE-2026-23760) and a medium-severity vulnerability (CVE-2026-25067) were also addressed in subsequent updates.

Timeline

  1. 06.02.2026 19:16 1 articles · 4h ago

    CISA Warns of Exploitation of SmarterMail RCE Flaw in Ransomware Attacks

    CISA has added CVE-2026-24423 to its KEV catalog, marking it as actively exploited in ransomware campaigns. Additionally, a previously undisclosed authentication bypass flaw (WT-2026-0001) has been exploited post-patch, allowing administrator password resets without verification.

    Show sources
    Open in new tab
  2. 30.01.2026 09:09 2 articles · 7d ago

    SmarterMail Patches Critical RCE Flaw and Other Vulnerabilities

    SmarterTools has released updates to address a critical unauthenticated RCE flaw (CVE-2026-24423) in SmarterMail, which allows arbitrary OS command execution. The flaw was patched in version Build 9511 on January 15, 2026. Additionally, another critical flaw (CVE-2026-23760) and a medium-severity vulnerability (CVE-2026-25067) were addressed in subsequent updates. CISA has added CVE-2026-24423 to its KEV catalog, marking it as actively exploited in ransomware campaigns, and has given federal agencies until February 26, 2026, to patch or stop using affected versions.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

SmarterMail Authentication Bypass Exploited Post-Patch

A critical authentication bypass vulnerability in SmarterMail email software (WT-2026-0001, CVE-2026-23760) has been actively exploited in the wild just two days after a patch was released. The flaw allows attackers to reset the system administrator password via a crafted HTTP request, leading to remote code execution (RCE) on the underlying operating system. The vulnerability was patched on January 15, 2026, but attackers reverse-engineered the patch to exploit it. Over 6,000 SmarterMail servers were found exposed online and likely vulnerable to attacks exploiting the flaw. Shadowserver is tracking these servers, with more than 4,200 in North America and nearly 1,000 in Asia. Macnica threat researcher Yutaka Sejiyama found over 8,550 SmarterMail instances still vulnerable. CISA added the vulnerability to its list of actively exploited vulnerabilities, ordering U.S. government agencies to secure their servers by February 16.

Open in new tab

Active Exploitation of Critical Microsoft WSUS Flaw

A critical vulnerability in Microsoft Windows Server Update Service (WSUS), CVE-2025-59287, is being actively exploited in the wild. This flaw, with a CVSS score of 9.8, allows attackers to drop malicious payloads and execute arbitrary commands on infected hosts. The vulnerability affects WSUS versions 3.32.x and was discovered by Eye Security and Huntress. The Cybersecurity and Infrastructure Security Agency (CISA) has ordered U.S. government agencies to patch the flaw, which was added to the Known Exploited Vulnerabilities catalog. Organizations using WSUS are advised to apply the out-of-band security updates provided by Microsoft to mitigate the risk of exploitation. The flaw was originally patched by Microsoft as part of its Patch Tuesday updates, but attackers have since weaponized it to deploy .NET executables and Base64-encoded PowerShell scripts. Shadowserver is tracking over 2,800 WSUS instances with default ports exposed online. The vulnerability is a deserialization of untrusted data flaw that allows unauthenticated attackers to achieve remote code execution with system privileges by sending malicious encrypted cookies to the GetCookie() endpoint. A compromised WSUS server could potentially be used to distribute malicious updates to the entire network of client computers, making it particularly dangerous for large enterprises. Huntress advised isolating network access to WSUS and blocking inbound traffic to TCP ports 8530 and 8531 as remediation steps. The out-of-band (OOB) security update KB5070881 for CVE-2025-59287 broke hotpatching on some Windows Server 2025 devices. Microsoft has released a new update, KB5070893, to address the issue without disrupting hotpatching. Administrators are advised to install this update to maintain hotpatching functionality.

Open in new tab

Critical WSUS RCE Vulnerability Exploited in the Wild

A critical remote code execution (RCE) vulnerability (CVE-2025-59287) in Windows Server Update Service (WSUS) is being actively exploited in the wild. The flaw allows attackers to run malicious code with SYSTEM privileges on Windows servers with the WSUS Server role enabled. Microsoft has released out-of-band patches for all affected Windows Server versions. Cybersecurity firms have observed exploitation attempts and the presence of publicly available proof-of-concept exploit code. The vulnerability is considered potentially wormable between WSUS servers and poses a significant risk to organizations. The flaw concerns a case of deserialization of untrusted data in WSUS. The vulnerability was discovered and reported by security researchers MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange with CODE WHITE GmbH. CISA and NSA, along with international partners, have issued guidance to secure Microsoft Exchange Server instances, including recommendations to restrict administrative access, implement multi-factor authentication, and enforce strict transport security configurations. The agencies advise decommissioning end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365. Sophos reported threat actors exploiting the vulnerability to harvest sensitive data from U.S. organizations across various industries, with at least 50 victims identified. The exploitation activity was first detected on October 24, 2025, a day after Microsoft issued the update. Attackers use Base64-encoded PowerShell commands to exfiltrate data to a webhook[.]site endpoint. Michael Haag of Splunk noted an alternate attack chain involving the Microsoft Management Console binary (mmc.exe) to trigger cmd.exe execution. Recently, threat actors have been exploiting CVE-2025-59287 to distribute ShadowPad malware, a modular backdoor used by Chinese state-sponsored hacking groups. Attackers used PowerCat, certutil, and curl to obtain a system shell and download ShadowPad. The malware is launched via DLL side-loading and comes with anti-detection and persistence techniques.

Open in new tab

GeoServer RCE Exploit Used in Federal Agency Breach

A U.S. federal civilian executive branch (FCEB) agency was breached in July 2024 after attackers exploited an unpatched GeoServer instance. The attackers gained initial access through a critical remote code execution (RCE) vulnerability (CVE-2024-36401) and moved laterally within the network, deploying web shells and scripts for persistence and privilege escalation. The breach remained undetected for three weeks until the agency's Endpoint Detection and Response (EDR) tool alerted the Security Operations Center (SOC). The attackers exploited the vulnerability in GeoServer, which was patched in June 2024 but remained unpatched in the agency's environment. They used brute force techniques for lateral movement and privilege escalation, accessing service accounts and deploying web shells like China Chopper. The breach highlights the importance of timely patching, continuous monitoring of EDR alerts, and comprehensive incident response plans. Recently, CISA added a high-severity XML External Entity (XXE) flaw (CVE-2025-58360) in GeoServer to its KEV catalog due to evidence of active exploitation. This flaw affects versions prior to and including 2.25.5, and versions 2.26.0 through 2.26.1. Successful exploitation could allow attackers to access arbitrary files, conduct SSRF attacks, or launch DoS attacks. Federal agencies are advised to apply the required fixes by January 1, 2026. CISA has ordered federal agencies to patch the actively exploited GeoServer vulnerability (CVE-2025-58360) by January 1, 2026. The flaw is being actively exploited in XML External Entity (XXE) injection attacks, allowing threat actors to launch denial-of-service attacks, access confidential data, or perform Server-Side Request Forgery (SSRF) to interact with internal systems. The vulnerability is present in GeoServer 2.26.1 and prior versions and can be exploited through the /geoserver/wms operation GetMap endpoint.

Open in new tab

Critical Out-of-Bounds Write Vulnerabilities in WatchGuard Firebox Firewalls Exploited in the Wild

Over 115,000 WatchGuard Firebox network security appliances remain exposed to critical remote code execution flaws, including CVE-2025-9242 and the newly disclosed CVE-2025-14733. These vulnerabilities allow remote attackers to execute code without authentication. WatchGuard has released patches and provided temporary workarounds for administrators who cannot immediately update their devices. The vulnerabilities are actively being exploited in the wild, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-9242 to its Known Exploited Vulnerabilities (KEV) catalog on November 13, 2025, based on evidence of active exploitation. Federal Civilian Executive Branch (FCEB) agencies are advised to apply WatchGuard's patches by December 3, 2025. The Shadowserver Foundation detected over 71,000 vulnerable devices as of October 17, 2025. As of November 12, 2025, over 54,300 Firebox instances remain vulnerable, with the U.S. having the highest number of vulnerable devices at 18,500. On December 22, 2025, Shadowserver found over 124,658 unpatched Firebox instances exposed online, with 117,490 still exposed the following day. CISA added CVE-2025-14733 to its KEV Catalog and ordered FCEB agencies to patch Firebox firewalls within a week, by December 26th.

Open in new tab