SmarterMail unauthenticated RCE in ConnectToHub API (CVE-2026-24423)
Vulnerability
Summary
SmarterMail versions prior to Build 9511 contain CVE-2026-24423, an unauthenticated remote code execution flaw in the ConnectToHub API that could let an attacker run arbitrary commands. The bug affects the email software’s exposed API surface and creates a direct compromise risk for unpatched deployments. Build 9511 fixes the issue, so upgrading promptly is the key remediation path.
Cases
Related Happenings
SmarterTools hit by ransomware attack
Incident
First: 09.02.2026 14:02
Last: 09.02.2026 14:02
Sources 1
How related:
SmarterTools confirmed last week that the Warlock (aka Storm-2603) ransomware gang breached its network by exploiting an unpatched SmarterMail instance.
About this happening:
**SmarterTools** suffered a **ransomware attack** on **January 29** after attackers used an **unpatched SmarterMail VM** to gain access, disrupting the company’s **office network*...
Latest development: 10.02.2026 12:24
ReliaQuest identified activity likely tied to Warlock on SmarterTools systems that abused CVE-2026-23760 to bypass SmarterMail authentication, stage ransomware payloads on internet-facing systems, and chain the access with the software's built-in Volume Mount feature to gain full system control before installing Velociraptor; CISA also confirmed CVE-2026-24423 was being exploited in ransomware attacks.
CISA SmarterMail remediation guidance for CVE-2026-24423
Advisory/Mitigation
First: 06.02.2026 19:16
Last: 06.02.2026 19:16
Sources 1
How related:
CISA has given federal agencies and entities with obligations under BOD 22-01 guidance to either apply the security updates and vendor-suggested mitigations or stop using the product by February 26, 2026.
About this happening:
**SmarterMail** is at the center of a **CVE-2026-24423** remediation and exploitation wave: the flaw enables **unauthenticated remote code execution** in versions prior to **Build...
CISA KEV remediation deadline for SolarWinds WHD CVE-2025-40551
Public Sector Action
First: 04.02.2026 07:50
Last: 04.02.2026 07:50
Sources 1
About this happening:
**CISA** added **CVE-2025-40551** in **SolarWinds Web Help Desk** to the **KEV catalog** and imposed **federal remediation deadlines**, turning a newly exploited flaw into a compl...
SmarterMail CVE-2026-23760 mass exploitation wave
Exploitation Wave
First: 27.01.2026 16:09
Last: 27.01.2026 16:09
Sources 1
How related:
In a report published Monday, cybersecurity company ReliaQuest said it identified activity likely linked to Warlock that involved the abuse of CVE-2026-23760 to bypass authentication and stage the ransomware payload on internet-facing systems.
About this happening:
**CVE-2026-23760** is being exploited against **SmarterMail** to bypass authentication on **internet-facing mail servers**, creating takeover risk across **thousands of exposed in...
SmarterMail authentication bypass flaw under active exploitation
Vulnerability
First: 22.01.2026 11:46
Last: 22.01.2026 11:46
Sources 1
How related:
It's currently not clear which SmarterMail vulnerability was weaponized by attackers, but it's worth noting that multiple flaws in the email software – CVE-2025-52691 (CVSS score: 10.0), CVE-2026-23760, and CVE-2026-24423 (CVSS scores: 9.3) – have come under active exploitation in the wild.
About this happening:
**SmarterTools SmarterMail** is under **active exploitation** for an **authentication bypass flaw** that can let an attacker **reset the system administrator password** and potent...
Latest development: 18.02.2026 18:27
Researchers monitoring underground Telegram channels and cybercrime forums observed threat actors rapidly sharing proof-of-concept exploits, offensive tools, and stolen administrator credentials for SmarterMail vulnerabilities CVE-2026-24423 and CVE-2026-23760 within days of disclosure, and CISA later added CVE-2026-24423 to the Known Exploited Vulnerabilities catalog after confirming active ransomware exploitation.
Timeline
30.01.2026 09:09 · 2 articles
Build 9511 patches SmarterMail RCE
Mitigation Patch Update: SmarterTools released Build 9511 for SmarterMail on January 15, 2026, fixing CVE-2026-24423, an unauthenticated remote code execution flaw in the ConnectToHub API method affecting versions prior to Build 9511.
Sources:
- SmarterMail Fixes Critical Unauthenticated RCE Flaw with CVSS 9.3 Score — thehackernews.com — 30.01.2026 09:09
- Warlock Ransomware Breaches SmarterTools Through Unpatched SmarterMail Server — thehackernews.com — 10.02.2026 12:24
30.01.2026 09:09 · 2 articles
SmarterTools publicly describes the RCE flaw
Initial Disclosure: On January 30, 2026, SmarterTools publicly described CVE-2026-24423 in SmarterMail versions prior to Build 9511, noting the unauthenticated remote code execution flaw in the ConnectToHub API method and crediting watchTowr, CODE WHITE GmbH, and VulnCheck researchers with discovering and reporting it.
Sources:
- SmarterMail Fixes Critical Unauthenticated RCE Flaw with CVSS 9.3 Score — thehackernews.com — 30.01.2026 09:09