
SmarterTools has fixed vulnerabilities in SmarterMail. A malicious actor can exploit the vulnerabilities to bypass authentication and execute arbitrary code…

Published:

6 February 2026 at 09:25:57

Alert date:

27 January 2026 at 11:02:15

Source:

ncsc.nl


Email & Messaging, Zero-Day Vulnerabilities, Identity & Access

SmarterTools fixed critical vulnerabilities in SmarterMail that allow authentication bypass and remote code execution with administrator/SYSTEM privileges. CVE-2026-23760 allows a password reset via an API endpoint without authentication. CVE-2026-24423 enables RCE through a malicious HTTP server. Both vulnerabilities are actively exploited in the wild. CISA added CVE-2026-23760 to its Known Exploited Vulnerabilities list; public PoC code is available.

Technical details

The vulnerabilities allow attackers to bypass authentication and execute arbitrary code with administrator or SYSTEM privileges. The attack vector for CVE-2026-23760 is the API interface, specifically the /api/v1/auth/force-reset-password endpoint, which allows the password of administrator accounts to be reset without prior authentication via specially crafted HTTP requests. For CVE-2026-24423, attackers can set up a malicious HTTP server and lure victims into visiting it, resulting in arbitrary code execution on vulnerable servers. Public proof-of-concept code exists for CVE-2026-23760, and it is actively being exploited. CVE-2026-24423 is also being exploited for arbitrary code execution; it requires an attacker-controlled server, and no public PoC is available yet.

Mitigation steps:

Apply the updates released by SmarterTools to remediate the vulnerabilities. Investigate the SmarterMail environment and specifically check whether administrator account passwords have recently been changed. Monitor for unauthorized access to the API interface and for suspicious HTTP requests to the force-reset-password endpoint.
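As an added example (not part of the NCSC advisory or of Perceptive's page), the monitoring step above can be implemented as a small scan over web-server access logs that flags every request to the force-reset-password endpoint and ranks source addresses whose reset requests were accepted. The combined log format, the sample addresses and the log lines are constructed assumptions; the real SmarterMail/IIS log layout may differ.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format is an assumption;
# adapt LOG_RE to the actual SmarterMail/IIS log layout). Not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jan/2026:10:58:01 +0100] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.5 - - [27/Jan/2026:10:58:03 +0100] "GET /interface/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jan/2026:10:58:04 +0100] "POST /API/v1/Auth/Force-Reset-Password?x=1 HTTP/1.1" 200 312 "-" "python-requests/2.31"
this line is deliberately malformed and must be skipped
192.0.2.10 - - [27/Jan/2026:11:00:10 +0100] "POST /api/v1/auth/force-reset-password HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/api/v1/auth/force-reset-password"  # endpoint named in the advisory


def find_force_reset_requests(log_text):
    """Return one record per request whose path is the force-reset-password
    endpoint. The query string is stripped and the path lower-cased, because
    IIS matches paths case-insensitively and a simple substring check would
    miss "/API/v1/Auth/..." style variations."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:  # skip lines that do not follow the expected format
            continue
        path = m.group("path").split("?", 1)[0].lower()
        if path == TARGET_PATH:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "method": m.group("method"),
                         "status": int(m.group("status"))})
    return hits


def suspicious_sources(hits):
    """Source IPs to triage first: a 2xx response means the reset request was
    accepted by the server. Returned as (ip, count) pairs, most frequent first."""
    accepted = Counter(h["ip"] for h in hits if 200 <= h["status"] < 300)
    return accepted.most_common()


if __name__ == "__main__":
    found = find_force_reset_requests(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} -> {h["status"]}')
    for ip, n in suspicious_sources(found):
        print(f"triage {ip}: {n} accepted reset request(s)")
```

Any accepted request to this endpoint on an unpatched server should be cross-checked against the administrator password-change investigation described above.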

Affected products:

SmarterTools SmarterMail

IOCs:

/api/v1/auth/force-reset-password

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
