CVE-2026-23760
published 2026-01-22

Priority: P1 (score 100), Critical
CVSS 3.1: 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
Badges: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2026-02-16
Exploited in the wild
EPSS: 96.27% (99.9th percentile)
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE: SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host.

Affected

1 range

Vendor        Product      Version range   Fixed in
smartertools  smartermail  < 100.0.9511    100.0.9511

Detection & IOCs (extracted from sources)

path: C:\Program Files (x86)\SmarterTools\SmarterMail\Service\wwwroot\result.txt
url: /api/v1/auth/force-reset-password
url: /api/v1/auth/authenticate-user
url: /api/v1/settings/sysadmin/event-hook
url: /api/v1/settings/sysadmin/domain-put
url: /api/v1/settings/sysadmin/event-hook-delete
  • Detect exploitation attempts by monitoring for HTTP POST requests to /api/v1/auth/force-reset-password from unauthenticated sources; this endpoint should never be called anonymously in normal operation.
  • Alert on the attack chain sequence: rapid successive POST requests to force-reset-password → authenticate-user → event-hook → domain-put, all originating from the same source IP, as this pattern indicates mass automated exploitation.
  • Flag HTTP requests carrying the User-Agent string 'python-requests/2.32.4' targeting SmarterMail API endpoints as a high-fidelity indicator of the observed attack tooling.
  • Hunt for the presence of result.txt under the SmarterMail wwwroot directory as evidence of successful post-exploitation reconnaissance output written to disk.
  • Monitor SmarterMail application logs for creation of System Events (event-hook API calls) immediately following an admin password reset, as attackers use this to achieve RCE via OS command execution triggered by domain-add events.
  • Check Point IPS signature 'SmarterTools SmarterMail Authentication Bypass (CVE-2026-23760)' can be used for network-level detection.
  • The vulnerability only affects SmarterMail builds prior to 9511; build 9511 (released January 15, 2026) contains the fix. Ensure version detection logic targets builds < 9511.
  • The attack only requires knowledge of the administrator account's username — no password or token is needed — meaning low-complexity brute-force or enumeration of usernames is sufficient for exploitation.
  • SmarterMail system administrator privileges grant OS-level command execution via built-in management functionality, meaning account takeover directly translates to full host compromise (SYSTEM/root).
  • The user-agent 'python-requests/2.32.4' is a default value for the Python requests library and may produce false positives from legitimate automation; correlate with targeted API endpoint patterns for higher fidelity.
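The bullets above describe three log-based checks: any POST to the force-reset-password endpoint, the four-endpoint chain from one source IP in quick succession, and the python-requests User-Agent correlated with the targeted endpoints rather than used on its own. The script below is an added illustration of those checks and is not code from cbcvebase, SmarterTools or any vendor; it runs over a handful of constructed combined-format access-log lines (the IPs and timestamps are made up). It assumes the reverse proxy or web server in front of SmarterMail writes combined log format, and it treats "rapid successive" as a 60-second window; both are assumptions. Because an access log does not show whether a request carried a session, every POST to the reset endpoint is reported, which matches the guidance that it should never be called anonymously.

```python
"""Hunting helpers for CVE-2026-23760 over web-server access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Endpoints named in the CVE record, in the observed chain order.
CHAIN = [
    "/api/v1/auth/force-reset-password",
    "/api/v1/auth/authenticate-user",
    "/api/v1/settings/sysadmin/event-hook",
    "/api/v1/settings/sysadmin/domain-put",
]
TOOLING_UA = "python-requests/2.32.4"
CHAIN_WINDOW_SECONDS = 60  # assumption: "rapid successive" taken as within one minute

# Combined log format (assumption about the deployment's proxy/web server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one full chain from 203.0.113.7, one benign python-requests
# probe of a non-API path, and one unrelated browser login.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jan/2026:10:00:01 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 54 "-" "python-requests/2.32.4"
203.0.113.7 - - [22/Jan/2026:10:00:02 +0000] "POST /api/v1/auth/authenticate-user HTTP/1.1" 200 311 "-" "python-requests/2.32.4"
203.0.113.7 - - [22/Jan/2026:10:00:04 +0000] "POST /api/v1/settings/sysadmin/event-hook HTTP/1.1" 200 22 "-" "python-requests/2.32.4"
203.0.113.7 - - [22/Jan/2026:10:00:05 +0000] "POST /api/v1/settings/sysadmin/domain-put HTTP/1.1" 200 22 "-" "python-requests/2.32.4"
198.51.100.9 - - [22/Jan/2026:10:05:00 +0000] "GET /status HTTP/1.1" 200 12 "-" "python-requests/2.32.4"
192.0.2.44 - - [22/Jan/2026:10:07:30 +0000] "POST /interface/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["path"] = d["path"].split("?", 1)[0]  # drop any query string
    return d


def find_reset_posts(events):
    """Every POST to force-reset-password is reportable: it has no legitimate anonymous use."""
    return [e for e in events if e["method"] == "POST" and e["path"] == CHAIN[0]]


def find_chains(events, window=CHAIN_WINDOW_SECONDS):
    """Per source IP, match the CHAIN endpoints in order within `window` seconds."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["method"] == "POST":
            by_ip[e["ip"]].append(e)
    hits = []
    for ip, evs in by_ip.items():
        idx, start = 0, None
        for e in evs:
            if idx > 0 and (e["ts"] - start).total_seconds() > window:
                idx = 0  # chain went stale; start matching over
            if e["path"] == CHAIN[idx]:
                if idx == 0:
                    start = e["ts"]
                idx += 1
                if idx == len(CHAIN):
                    hits.append({"ip": ip, "start": start, "end": e["ts"]})
                    idx = 0
    return hits


def tooling_ua_hits(events):
    """The python-requests UA alone is noisy; only flag it when paired with a chain endpoint."""
    return [e for e in events if e["ua"] == TOOLING_UA and e["path"] in CHAIN]


def scan(text):
    """Run all three checks over raw log text and summarise the findings."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return {
        "parsed": len(events),
        "reset_posts": find_reset_posts(events),
        "chains": find_chains(events),
        "tooling_ua": tooling_ua_hits(events),
    }


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    print(f"parsed {result['parsed']} lines")
    for e in result["reset_posts"]:
        print(f"RESET  {e['ip']} {e['ts'].isoformat()} POST {e['path']} -> {e['status']}")
    for h in result["chains"]:
        print(f"CHAIN  {h['ip']} {h['start'].isoformat()} .. {h['end'].isoformat()}")
    for e in result["tooling_ua"]:
        print(f"UA     {e['ip']} {e['path']}")
```

On the sample, the benign python-requests probe of /status is not raised by the User-Agent check, while the four POSTs from 203.0.113.7 trigger all three findings. In production the window and the UA string are the knobs to tune; the chain check is the lowest-noise of the three because it requires the specific endpoint order.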

CVSS provenance

nvd        v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v4.0  9.3  CRITICAL  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck        9.3  CRITICAL
cisa             9.3  CRITICAL