CVE-2026-23760
Published 2026-01-22
Priority P1 · 100 · critical · 9.8 CVSS 3.1 · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2026-02-16
Exploited in the wild
EPSS 96.27% (99.9th percentile)
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE: SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| smartertools | smartermail | < 100.0.9511 | 100.0.9511 |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring for HTTP POST requests to /api/v1/auth/force-reset-password from unauthenticated sources; this endpoint should never be called anonymously in normal operation.
- Alert on the attack chain sequence: rapid successive POST requests to force-reset-password → authenticate-user → event-hook → domain-put, all from the same source IP; this pattern indicates mass automated exploitation.
- Flag HTTP requests carrying the User-Agent string 'python-requests/2.32.4' and targeting SmarterMail API endpoints as a high-fidelity indicator of the observed attack tooling.
- Hunt for result.txt under the SmarterMail wwwroot directory as evidence that post-exploitation reconnaissance output was written to disk.
- Monitor SmarterMail application logs for creation of System Events (event-hook API calls) immediately following an admin password reset; attackers use this to achieve RCE via OS command execution triggered by domain-add events.
- Check Point IPS signature 'SmarterTools SmarterMail Authentication Bypass (CVE-2026-23760)' provides network-level detection.
Notes
- The vulnerability only affects SmarterMail builds prior to 9511; build 9511 (released January 15, 2026) contains the fix. Version detection logic should target builds < 9511.
- The attack only requires knowledge of the administrator account's username (no password or token is needed), so low-complexity brute-force or enumeration of usernames is sufficient for exploitation.
- SmarterMail system administrator privileges grant OS-level command execution via built-in management functionality, so account takeover translates directly to full host compromise (SYSTEM/root).
- The User-Agent 'python-requests/2.32.4' is the default value of the Python requests library and may produce false positives from legitimate automation; correlate it with the targeted API endpoint patterns for higher fidelity.
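As an added example (not code from any source cited on this page), the detection guidance above run over a constructed access log: it reports POSTs to the reset endpoint, the four-step chain from one source IP inside a time window, and the tooling User-Agent only when it is correlated with a chain endpoint, as the caveat above asks. The log format, the sample entries, the IP addresses and the directory parts of the last three chain paths (marked PLACEHOLDER) are assumptions.

```python
"""Detection rules from the list above, run over a constructed web-server
access log. Added example, not code from any source on this page."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoint names of the observed attack chain, in call order. Only the full
# path of the first one (/api/v1/auth/force-reset-password) is documented
# above, so chain matching is on the final path segment.
CHAIN = ["force-reset-password", "authenticate-user", "event-hook", "domain-put"]
RESET_PATH = "/api/v1/auth/force-reset-password"
TOOL_UA = "python-requests/2.32.4"

# Assumed NCSA-style log line:
#   ip - - [day/Mon/year:HH:MM:SS] "METHOD PATH PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse(line):
    """Return one parsed event, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S")
    ev["endpoint"] = ev["path"].split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]
    return ev

def force_reset_posts(events):
    """Rule 1: every POST to the reset endpoint is reportable, since it should
    never be called anonymously in normal operation (a 4xx still shows probing)."""
    return [(e["ip"], e["ts"]) for e in events
            if e["method"] == "POST" and e["path"].startswith(RESET_PATH)]

def chain_sources(events, window_seconds=60):
    """Rule 2: source IPs that POST all four chain endpoints, in order, within
    window_seconds of the first reset call."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["endpoint"] in CHAIN:
            by_ip[e["ip"]].append(e)
    hits = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            if first["endpoint"] != CHAIN[0] or ip in hits:
                continue
            want = 1  # index of the next chain step we expect to see
            for e in evs[i + 1:]:
                if e["ts"] - first["ts"] > window:
                    break
                if e["endpoint"] == CHAIN[want]:
                    want += 1
                    if want == len(CHAIN):
                        hits.append(ip)
                        break
    return hits

def tooling_sources(events):
    """Rule 3: the User-Agent alone is low fidelity (it is the requests library
    default), so report it only when the same request hits a chain endpoint."""
    return sorted({e["ip"] for e in events
                   if e["ua"] == TOOL_UA and e["endpoint"] in CHAIN})

def analyze(log_text):
    """Run all three rules over raw log text and return their hits by rule name."""
    events = [ev for ev in map(parse, log_text.splitlines()) if ev]
    return {"reset_posts": force_reset_posts(events),
            "chain_sources": chain_sources(events),
            "tooling_sources": tooling_sources(events)}

# Constructed sample log (IPs from documentation ranges; PLACEHOLDER marks
# assumed directory parts). 203.0.113.10 runs the full chain with the tooling
# User-Agent; 198.51.100.20 is benign automation using the same default
# User-Agent; 192.0.2.5 makes one failed reset call; 198.51.100.7 is a browser.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Jan/2026:10:15:01] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 57 "-" "python-requests/2.32.4"
203.0.113.10 - - [22/Jan/2026:10:15:02] "POST /api/v1/PLACEHOLDER/authenticate-user HTTP/1.1" 200 412 "-" "python-requests/2.32.4"
203.0.113.10 - - [22/Jan/2026:10:15:04] "POST /api/v1/PLACEHOLDER/event-hook HTTP/1.1" 200 88 "-" "python-requests/2.32.4"
203.0.113.10 - - [22/Jan/2026:10:15:05] "POST /api/v1/PLACEHOLDER/domain-put HTTP/1.1" 200 120 "-" "python-requests/2.32.4"
198.51.100.20 - - [22/Jan/2026:10:16:10] "GET /api/v1/PLACEHOLDER/status HTTP/1.1" 200 300 "-" "python-requests/2.32.4"
192.0.2.5 - - [22/Jan/2026:11:02:33] "POST /api/v1/auth/force-reset-password HTTP/1.1" 400 12 "-" "curl/8.5.0"
198.51.100.7 - - [22/Jan/2026:11:05:00] "GET /PLACEHOLDER/login HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""
```

Running `analyze(SAMPLE_LOG)` reports both reset POSTs, but only 203.0.113.10 under the chain and tooling rules; the benign python-requests client is not flagged.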
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 9.3 | CRITICAL | |
| cisa | | 9.3 | CRITICAL | |
GHSA
## GHSA-mj6x-679w-76wr: SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API
ghsa_unreviewed · 2026-01-22 · CVE-2026-23760 [CRITICAL] CWE-288
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance.
VulnCheck
## SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability
vulncheck · 2026 · CVSS 9.3 · CVE-2026-23760 [CRITICAL] CWE-288
SmarterTools SmarterMail contains an authentication bypass using an alternate path or channel vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. This could allow an unauthenticated attacker to supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance.
Affected: SmarterTools SmarterMail
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigation
CISA
## SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability
cisa · 2026-01-26 · CVSS 9.3 · CVE-2026-23760 [CRITICAL] CWE-288
Affected: SmarterTools SmarterMail
SmarterTools SmarterMail contains an authentication bypass using an alternate path or channel vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. This could allow an unauthenticated attacker to supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product
Suricata
## ET WEB_SPECIFIC_APPS SmarterTools SmarterMail Authentication Bypass (CVE-2026-23760)
suricata · 2026-01-27 · CVSS 9.3 · CVE-2026-23760 [CRITICAL]
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SmarterTools SmarterMail Authentication Bypass (CVE-2026-23760)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/v1/auth/force-reset-password"; fast_pattern; http.request_body; content:"|22|IsSysAdmin|22 3a|"; content:"|22|true|22|"; within:7; reference:url,labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/; reference:cve,2026-23760; classtype:web-application-attack; sid:2067124; rev:2; metadata:affected_product SmarterTools_SmarterMail, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_27, cve CVE_2026_23760, deployment Perimeter, d
Nuclei
## SmarterTools SmarterMail - Admin Password Reset
nuclei · CVSS 9.3 · CVE-2026-23760 [CRITICAL]
Template:
id: CVE-2026-23760
info:
  name: SmarterTools SmarterMail - Admin Password Reset
  author: watchTowr,DhiyaneshDk
  severity: critical
  description: |
    Detected a SmartMail admin password reset vulnerability by sending a POST request to the `/api/v1/auth/force-reset-password` endpoint, indicating that administrative password resets could potentially be triggered without proper authorization.
  impact: |
    Unauthenticated attackers can reset administrator passwords, leading to full administrative comprom
Hackernews
## China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
blogs_hackernews · 2026-04-07 · CVSS 8.8 [HIGH]
A China-based threat actor known for deploying Medusa ransomware has been linked to the weaponization of a combination of zero-day and N-day vulnerabilities to orchestrate "high-velocity" attacks and break into susceptible internet-facing systems.
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, the United Kingdom, and
Bleepingcomputer
## Microsoft links Medusa ransomware affiliate to zero-day attacks
blogs_bleepingcomputer · 2026-04-06 · CVSS 8.8 [HIGH]
By Sergiu Gatlan
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States."
Microsoft has also observed Storm-1175 operators chaining multiple exploits to gain persistence on compromised systems by creating new user accounts, deploying remote monitoring and management software, stealing credentials, and disabling security software before dropping ransomware payloads.
In October, Microsoft reported that Storm-1175 had been exploiting a maximum-severity GoAnywhere MFT
Recorded Future
## February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January
blogs_recorded_future · 2026-03-12 · CVSS 7.7 [HIGH]
February 2026 saw a 43% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 13 vulnerabilities requiring immediate remediation, down from 23 in January 2026. All 13 carried a ‘Very Critical’ Recorded Future Risk Score.
What security teams need to know:
- Microsoft dominates: Six of 13 vulnerabilities affected Microsoft products, accounting for 46% of February's findings; all were added to CISA's KEV catalog on the same day
- Supply-chain attack on Notepad++: Lotus Blossom, a suspected China state-sponsored threat actor, exploited CVE-2025-15556 to hijack Notepad++'s update channel and deliver a Cobalt Strike Beacon and the Chrysalis backdoor
- APT28 exploits MSHTML fl
Recorded Future
## January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day
blogs_recorded_future · 2026-02-24 · CVSS 7.8 [HIGH]
January 2026 saw a modest 5% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 23 vulnerabilities requiring immediate remediation, up from 22 in December 2025. Noteworthy trends last month included Russian state-sponsored exploitation of a Microsoft Office zero-day and critical authentication bypass flaws affecting enterprise infrastructure.
What security teams need to know:
- APT28's Operation Neusploit: Russian state-sponsored actors exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files, delivering MiniDoor, PixyNetLoader, and Covenant Grunt implants
- Microsoft and SmarterTools lead concerns: These vendors accounted
Bleepingcomputer
## Telegram channels expose rapid weaponization of SmarterMail flaws
blogs_bleepingcomputer · 2026-02-18 · CVSS 9.3 [CRITICAL]
By Flare
Flare researchers monitoring underground Telegram channels and cybercrime forums have observed threat actors rapidly sharing proof-of-concept exploits, offensive tools, and stolen administrator credentials related to recently disclosed SmarterMail vulnerabilities, providing insight into how quickly attackers weaponize new security flaws.
The activity occurred within days of the vulnerabilities being disclosed, with threat actors sharing and selling exploit code and compromised access tied to CVE-2026-24423 and CVE-2026-23760, critical flaws that enable remote code execution and authentication bypass on exposed email servers.
These vulnerabilities have since been confirmed in real-world attacks, including rans
Bleepingcomputer
## Hackers breach SmarterTools network using flaw in its own software
blogs_bleepingcomputer · 2026-02-09 · CVSS 9.3 [CRITICAL]
By Bill Toulas
SmarterTools confirmed last week that the Warlock ransomware gang breached its network after compromising an email system, but it did not impact business applications or account data.
The company's Chief Commercial Officer, Derek Curtis, says that the intrusion occurred on January 29, via a single SmarterMail virtual machine (VM) set up by an employee.
"Prior to the breach, we had approximately 30 servers/VMs with SmarterMail installed throughout our network," Curtis explained.
“Unfortunately, we were unaware of one VM, set up by an employee, that was not being updated. As a result, that mail server was compromised, which led to the breach.”
Although SmarterTools assures that customer data wasn’t di
Checkpoint
## 2nd February – Threat Intelligence Report
blogs_checkpoint · 2026-02-02 · CVE-2025-8088
For the latest discoveries in cyber research for the week of 2nd February, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
MicroWorld Technologies, maker of eScan antivirus, has suffered a supply-chain compromise. Malicious updates were pushed via the legitimate eScan updater, delivering multi-stage malware that establishes persistence, enables remote access, and blocks automatic updates. In response, eScan shut down its global update service
Bleepingcomputer
## Over 6,000 SmarterMail servers exposed to automated hijacking attacks
blogs_bleepingcomputer · 2026-01-27 · CVSS 10.0 [CRITICAL]
By Sergiu Gatlan
Nonprofit security organization Shadowserver has found over 6,000 SmarterMail servers exposed online and likely vulnerable to attacks exploiting a critical authentication bypass vulnerability.
Cybersecurity company watchTowr reported the security flaw to developer SmarterTools on January 8, which released a fix on January 15 without assigning an identifier.
The vulnerability was later assigned CVE-2026-23760 and rated critical severity, as it allows unauthenticated attackers to hijack admin accounts and gain remote code execution on the host, enabling them to take control of vulnerable servers.
"SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability
Huntress
## Huntress Catches SmarterMail Account Takeover Leading to RCE
blogs_huntress · 2026-01-22 · CVSS 10.0 · CVE-2026-23760 [CRITICAL]
## Background / Summary
The Huntress DE&TH (Detection Engineering and Threat Hunting) Team has observed in-the-wild exploitation of a privileged account takeover vulnerability (CVE-2026-23760) in SmarterTools' SmarterMail application that has resulted in successful remote code execution. Our testing has indicated that versions of SmarterMail prior to Build 9511 are vulnerable. Users of SmarterMail are urged to upgrade to the latest version, Build 9511, released on January 15, 2026.
Note that this is separate from the ongoing mass exploitation of CVE-2025-52691, an arbitrary file upload vulnerability in SmarterMail that also leads to remote code execution. At the time of writing Huntress contacted SmarterTools and held off publishing whilst CVE-2026-23760 was published as it was alread
Bleepingcomputer
## SmarterMail auth bypass flaw now exploited to hijack admin accounts
blogs_bleepingcomputer · 2026-01-22
By Bill Toulas
Hackers began exploiting an authentication bypass vulnerability in SmarterTools' SmarterMail email server and collaboration tool that allows resetting admin passwords.
An authentication bypass vulnerability in SmarterTools SmarterMail, which allows unauthenticated attackers to reset the system administrator password and obtain full privileges, is now actively exploited in the wild.
The issue resides in the force-reset-password API endpoint, which is intentionally exposed without authentication.
Researchers at cybersecurity company watchTowr reported the issue on January 8, and SmarterMail released a fix on January 15 without an identifier being assigned.
After the issue was addressed, the researcher
Wiz
## CVE-2026-24423: SmarterTools SmarterMail vulnerability analysis and mitigation
blogs_wiz · CVSS 10.0 · CVE-2026-24423 [CRITICAL]
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application.
Source: NVD
Score: 9.3 · Published January 23, 2026 · Severity CRITICAL · CNA Score 9.3
Affected Technologies: SmarterTools SmarterMail
Has Public Exploit: Yes · Has CISA KEV Exploit: Yes · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability (EPSS): 66.4 · EPSS Percentile: 98.5
Affected packages and libraries
cpe:2.3:a:smartertools:smarterma
Wiz
## CVE-2025-52691: SmarterTools SmarterMail vulnerability analysis and mitigation
blogs_wiz · CVSS 10.0 · CVE-2025-52691 [CRITICAL]
Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.
Source: NVD
Score: 10 · Published December 29, 2025 · Severity CRITICAL · CNA Score 10.0
Affected Technologies: SmarterTools SmarterMail
Has Public Exploit: Yes · Has CISA KEV Exploit: Yes · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability (EPSS): 87.3 · EPSS Percentile: 99.4
Affected packages and libraries
cpe:2.3:a:smartertools:smartermail
Sources
Windows Severity CRITICAL Has Fix Added at: Jan 02, 2026
Windows Severity CRITICAL Has Fix Added at: Jan 04, 2026
Wiz
## CVE-2026-26930: SmarterTools SmarterMail vulnerability analysis and mitigation
blogs_wiz · CVSS 10.0 · CVE-2026-26930 [CRITICAL]
SmarterTools SmarterMail before 9526 allows XSS via MAPI requests.
Source: NVD
Score: 7.2 · Published February 16, 2026 · Severity HIGH · CNA Score 7.2
Affected Technologies: SmarterTools SmarterMail
Has Public Exploit: Yes · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability (EPSS): N/A · EPSS Percentile: 2.3
Affected packages and libraries
cpe:2.3:a:smartertools:smartermail
Sources
NVD
Windows Severity HIGH Has Fix Added at: Feb 16, 2026
Wiz
## CVE-2026-25067: SmarterTools SmarterMail vulnerability analysis and mitigation
blogs_wiz · CVSS 10.0 · CVE-2026-25067 [CRITICAL]
SmarterTools SmarterMail versions prior to build 9518 contain an unauthenticated path coercion vulnerability in the background-of-the-day preview endpoint. The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation. On Windows systems, this allows UNC paths to be resolved, causing the SmarterMail service to initiate outbound SMB authentication attempts to attacker-controlled hosts. This can be abused for credential coercion, NTLM relay attacks, and unauthorized network authentication.
Source: NVD
Score: 6.9 · Published January 29, 2026 · Severity MEDIUM · CNA Score 6.9
Affected Technologies: SmarterTools SmarterMail
Has Public Exploit: No · Has CISA KEV
Wiz
## CVE-2026-23760: SmarterTools SmarterMail vulnerability analysis and mitigation
blogs_wiz · CVSS 10.0 · CVE-2026-23760 [CRITICAL]
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE: SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host.
Source
References
- https://code-white.com/public-vulnerability-list/#authenticationserviceforceresetpassword-missing-authentication-in-smartermail
- https://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/
- https://www.smartertools.com/smartermail/release-notes/current
- https://www.vulncheck.com/advisories/smartertools-smartermail-authentication-bypass-via-password-reset-api
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-23760
- https://www.huntress.com/blog/smartermail-account-takeover-leading-to-rce
Timeline
- 2026-01-22: Published
- 2026-01-26: Added to CISA KEV
- Exploited in the wild