SmarterTools Releases Patch for Critical SmarterMail Vulnerabilities Allowing Remote Code Execution

Monday, February 2, 2026

SmarterTools has released security updates to address two vulnerabilities in its SmarterMail email software, one of which is a critical flaw, tracked as CVE-2026-24423, with a CVSS score of 9.3. This vulnerability could allow attackers to execute malicious code on affected systems. The issue stems from the ConnectToHub API method in SmarterMail versions prior to Build 9511: an unauthenticated attacker can direct the server to connect to an attacker-controlled HTTP server whose response embeds operating system commands, which the server then executes, resulting in arbitrary command execution.

The vulnerability was reported by multiple security researchers, including Sina Kheirkhah and Piotr Bazydlo of watchTowr, Markus Wulftange of CODE WHITE GmbH, and Cale Black of VulnCheck. SmarterTools has resolved the issue in SmarterMail Build 9511 and strongly recommends that users update their systems as soon as possible to mitigate the risk.

In addition, SmarterTools fixed a second high-severity vulnerability, CVE-2026-23760, also with a CVSS score of 9.3, which has been reported as actively exploited in the wild. This flaw is an authentication bypass in the password reset API that allows unauthenticated attackers to reset administrator account passwords, resulting in full compromise of the SmarterMail system. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-23760 to its Known Exploited Vulnerabilities (KEV) Catalog and has mandated that affected U.S. federal agencies remediate the issue by February 16, 2026, to reduce the risk of exploitation.

Source: https://securityaffairs.com/187496/security/smartertools-patches-critical-smartermail-flaw-allowing-code-execution.html