56/69 Thursday, January 29, 2026
Shadowserver has reported the detection of more than 6,000 SmarterMail servers that are exposed to the internet and are likely affected by a critical authentication bypass vulnerability, tracked as CVE-2026-23760. The vulnerability was disclosed by cybersecurity firm watchTowr on January 8, 2026, and was patched by SmarterTools on January 15, 2026. It affects SmarterMail versions prior to build 9511.
The vulnerability resides in the password reset API, specifically the force-reset-password endpoint, which allows unauthenticated requests and fails to verify either the existing password or a reset token. As a result, an attacker can simply specify an administrator username and set a new password directly, leading to full administrative compromise of the SmarterMail instance. Researchers at watchTowr released a proof-of-concept (PoC) exploit that requires only the administrator username, and Shadowserver has confirmed that active exploitation attempts targeting this flaw have already been observed.
Shadowserver’s scan data shows that the majority of vulnerable servers are located in the United States (approximately 4,100 systems), followed by Malaysia, India, Canada, and the United Kingdom. In response to confirmed exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-23760 to its Known Exploited Vulnerabilities (KEV) Catalog and mandated that U.S. federal civilian executive branch (FCEB) agencies remediate the issue by February 16, 2026. Organizations and system administrators are strongly urged to immediately upgrade SmarterMail to a patched version to reduce the risk of system takeover and large-scale compromise.
