CVE-2026-24423
Published 2026-01-23
Priority: P1 · 100 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, due 2026-02-26
Exploited in the wild
EPSS: 87.69% (99.7th percentile)
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. An attacker can point the SmarterMail instance at a malicious HTTP server that serves a malicious OS command, which the vulnerable application then executes.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| smartertools | smartermail | < 100.0.9511 | 100.0.9511 |
Detection & IOCs
- Check Point IPS signature available for this CVE: 'SmarterTools SmarterMail Remote Code Execution (CVE-2026-24423)'
- The exploit chain involves SmarterMail making an outbound HTTP request to an attacker-controlled server; monitor for unexpected outbound HTTP connections originating from the SmarterMail service process.
- Over 6,000 exposed SmarterMail servers are reportedly vulnerable; prioritize internet-facing SmarterMail instances for patching and detection coverage.
- Vulnerability is present in SmarterMail builds prior to 9511; build 9511 or later is required to remediate CVE-2026-24423.
- The vulnerability is unauthenticated, meaning no credentials are required for exploitation; all internet-exposed SmarterMail instances below build 9511 are at risk.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 9.3 | CRITICAL | |
| cisa | | 9.3 | CRITICAL | |
GHSA
GHSA-7jpw-fm5p-f98m: SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method
ghsa_unreviewed·2026-01-23
CVE-2026-24423 [CRITICAL] CWE-306 GHSA-7jpw-fm5p-f98m: SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application.
VulnCheck
SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability
vulncheck·2026·CVSS 9.3
CVE-2026-24423 [CRITICAL] CWE-306 SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability
SmarterTools SmarterMail contains a missing authentication for critical function vulnerability in the ConnectToHub API method. This could allow the attacker to point the SmarterMail instance to a malicious HTTP server which serves the malicious OS command and could lead to command execution.
Affected: SmarterTools SmarterMail
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2026-24423&date=2026-01-28; https://api.vulncheck.com/v3/index/vulncheck-can
CISA
SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability
cisa·2026-02-05·CVSS 9.3
CVE-2026-24423 [CRITICAL] CWE-306 SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability
Vulnerability: SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability
Affected: SmarterTools SmarterMail
SmarterTools SmarterMail contains a missing authentication for critical function vulnerability in the ConnectToHub API method. This could allow the attacker to point the SmarterMail instance to a malicious HTTP server which serves the malicious OS command and could lead to command execution.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.smartertools.com/smartermail/release-notes/current ; https://www.cve.org/CVERecord?id=CVE-2026-24423 ; https://nvd.nist.gov/vuln/detail/CVE-2026-24423
Remediation Due
Suricata
ET WEB_SPECIFIC_APPS SmarterTools SmarterMail ConnectToHub Unauthenticated Remote Code Execution (CVE-2026-24423)
suricata·2026-02-03·CVSS 9.3
CVE-2026-24423 [CRITICAL] ET WEB_SPECIFIC_APPS SmarterTools SmarterMail ConnectToHub Unauthenticated Remote Code Execution (CVE-2026-24423)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SmarterTools SmarterMail ConnectToHub Unauthenticated Remote Code Execution (CVE-2026-24423)"; flow:established,to_client; http.response_body; content:"|22|ClusterID|22 3a|"; content:"|22|isStandby|22 3a|"; content:"|22|false|22|"; nocase; within:8; content:"|22|SystemMount|22 3a|"; content:"|22|CommandMount|22 3a|"; fast_pattern; reference:url,xz.aliyun.com/news/91523; reference:cve,2026-24423; classtype:web-application-attack; sid:2067266; rev:1; metadata:affected_product SmarterTools_SmarterMail, attack_target Server, tls_state TLSDecrypt, created_at 2026_02_03, cve CVE_2026_24423, deployment Per
Nuclei
SmarterMail - Remote Code Execution
nuclei·CVSS 9.3
CVE-2026-24423 [CRITICAL] SmarterMail - Remote Code Execution
SmarterTools SmarterMail < build 9511 contains an unauthenticated remote code execution caused by malicious OS command execution via ConnectToHub API method, letting remote attackers execute arbitrary commands, exploit requires no authentication.
Template:
```yaml
id: CVE-2026-24423
info:
  name: SmarterMail - Remote Code Execution
  author: jyoti369
  severity: critical
  description: |
    SmarterTools SmarterMail < build 9511 contains an unauthenticated remote code execution caused by malicious OS command execution via ConnectToHub API method, letting remote attackers execute arbitrary commands, exploit requires no authentication.
  impact: |
    Remote attackers can execute arbitrary OS commands, potentially leading to full system compromise.
  remediation: |
    Update to buil
```
Bleepingcomputer
Telegram channels expose rapid weaponization of SmarterMail flaws
blogs_bleepingcomputer·2026-02-18·CVSS 9.3
[CRITICAL] Telegram channels expose rapid weaponization of SmarterMail flaws
## Telegram channels expose rapid weaponization of SmarterMail flaws
## Flare
Flare researchers monitoring underground Telegram channels and cybercrime forums have observed threat actors rapidly sharing proof-of-concept exploits, offensive tools, and stolen administrator credentials related to recently disclosed SmarterMail vulnerabilities, providing insight into how quickly attackers weaponize new security flaws.
The activity occurred within days of the vulnerabilities being disclosed, with threat actors sharing and selling exploit code and compromised access tied to CVE-2026-24423 and CVE-2026-23760, critical flaws that enable remote code execution and authentication bypass on exposed email servers.
These vulnerabilities have since been confirmed in real-world attacks, including rans
Bleepingcomputer
Hackers breach SmarterTools network using flaw in its own software
blogs_bleepingcomputer·2026-02-09·CVSS 9.3
[CRITICAL] Hackers breach SmarterTools network using flaw in its own software
## Hackers breach SmarterTools network using flaw in its own software
## Bill Toulas
SmarterTools confirmed last week that the Warlock ransomware gang breached its network after compromising an email system, but it did not impact business applications or account data.
The company's Chief Commercial Officer, Derek Curtis, says that the intrusion occurred on January 29, via a single SmarterMail virtual machine (VM) set up by an employee.
"Prior to the breach, we had approximately 30 servers/VMs with SmarterMail installed throughout our network," Curtis explained.
“Unfortunately, we were unaware of one VM, set up by an employee, that was not being updated. As a result, that mail server was compromised, which led to the breach.”
Although SmarterTools assures that customer data wasn’t di
Bleepingcomputer
CISA warns of SmarterMail RCE flaw used in ransomware attacks
blogs_bleepingcomputer·2026-02-06·CVSS 9.3
CVE-2026-24423 [CRITICAL] CISA warns of SmarterMail RCE flaw used in ransomware attacks
## CISA warns of SmarterMail RCE flaw used in ransomware attacks
## Bill Toulas
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that ransomware actors are exploiting CVE-2026-24423, a critical vulnerability in SmarterMail that allows remote code execution without authentication.
SmarterMail is a self-hosted, Windows-based email server and collaboration platform from SmarterTools. The product provides SMTP/IMAP/POP mail services along with webmail, calendars, contacts, and basic groupware functionality.
It is commonly deployed by managed service providers (MSPs), small and medium-sized businesses, and hosting companies offering email services. According to SmarterTools, its products are used by roughly 15 million users across 120 countries.
The CVE-2026-2442
Checkpoint
2nd February – Threat Intelligence Report
blogs_checkpoint·2026-02-02
CVE-2025-8088 2nd February – Threat Intelligence Report
## 2nd February – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 2nd February, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
MicroWorld Technologies, maker of eScan antivirus, has suffered a supply-chain compromise. Malicious updates were pushed via the legitimate eScan updater, delivering multi-stage malware that establishes persistence, enables remote access, and blocks automatic updates. In response, eScan shut down its global update service
Wiz
CVE-2026-24423 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-24423 [CRITICAL] CVE-2026-24423 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24423 :
SmarterTools SmarterMail vulnerability analysis and mitigation
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application.
Source : NVD
## 9.3
Score
Published January 23, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
SmarterTools SmarterMail
Has Public Exploit Yes
Has CISA KEV Exploit Yes
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 98.5
Exploitation Probability (EPSS) 66.4
Affected packages and libraries
cpe:2.3:a:smartertools:smarterma
Greynoiseio
NoiseLetter March 2026
blogs_greynoiseio
NoiseLetter March 2026
Events, events… and yes, even more events. 🌍 GreyNoise has been on the move. March kept us busy with stops at eCrimes in London and SecIT in Hanover—but we’re just getting started. Over the next few months, we’ll be hitting the road for CrowdStrike CrowdTours across eight cities, heading to Glasgow to speak and sponsor CyberUK, and making our way to Tampa for H-ISAC. If you’ll be at any of these (or nearby), we’d love to connect.
And while we’ve been racking up miles, we haven’t slowed down on the research front. We’ve just released some exciting new findings—with even more coming in the next few weeks—so keep an eye out.
Thanks, as always, for being part of the GreyNoise community.
Featured
About this new report
Every enterprise firewall processes traffic from residential IP space. T
Wiz
CVE-2025-52691 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2025-52691 [CRITICAL] CVE-2025-52691 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-52691 :
SmarterTools SmarterMail vulnerability analysis and mitigation
Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.
Source : NVD
## 10
Score
Published December 29, 2025
Severity CRITICAL
CNA Score 10.0
Affected Technologies
SmarterTools SmarterMail
Has Public Exploit Yes
Has CISA KEV Exploit Yes
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 99.4
Exploitation Probability (EPSS) 87.3
Affected packages and libraries
cpe:2.3:a:smartertools:smartermail
Sources
Windows Severity CRITICAL Has Fix Added at: Jan 02, 2026
Windows Severity CRITICAL Has Fix Added at: Jan 04, 2026
Wiz
CVE-2026-26930 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-26930 [CRITICAL] CVE-2026-26930 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26930 :
SmarterTools SmarterMail vulnerability analysis and mitigation
SmarterTools SmarterMail before 9526 allows XSS via MAPI requests.
Source : NVD
## 7.2
Score
Published February 16, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
SmarterTools SmarterMail
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:smartertools:smartermail
Sources
NVD
Windows Severity HIGH Has Fix Added at: Feb 16, 2026
## Related SmarterTools SmarterMail vulnerab
Wiz
CVE-2026-25067 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-25067 [CRITICAL] CVE-2026-25067 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25067 :
SmarterTools SmarterMail vulnerability analysis and mitigation
SmarterTools SmarterMail versions prior to build 9518 contain an unauthenticated path coercion vulnerability in the background-of-the-day preview endpoint. The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation. On Windows systems, this allows UNC paths to be resolved, causing the SmarterMail service to initiate outbound SMB authentication attempts to attacker-controlled hosts. This can be abused for credential coercion, NTLM relay attacks, and unauthorized network authentication.
Source : NVD
## 6.9
Score
Published January 29, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
SmarterTools SmarterMail
Has Public Exploit No
Has CISA KEV
Wiz
CVE-2026-23760 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-23760 [CRITICAL] CVE-2026-23760 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23760 :
SmarterTools SmarterMail vulnerability analysis and mitigation
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE: SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host.
Source
Recorded Future
January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day
blogs_recorded_future·CVSS 4.9
[MEDIUM] January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day
# January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day
January 2026 saw a modest 5% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 23 vulnerabilities requiring immediate remediation, up from 22 in December 2025. Noteworthy trends last month included Russian state-sponsored exploitation of a Microsoft Office zero-day and critical authentication bypass flaws affecting enterprise infrastructure.
What security teams need to know:
- APT28's Operation Neusploit: Russian state-sponsored actors exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files, delivering MiniDoor, PixyNetLoader, and Covenant Grunt implants
- Microsoft and SmarterTools lead concerns: These vendors accounte
Greynoiseio
NoiseLetter February 2026
blogs_greynoiseio
NoiseLetter February 2026
https://code-white.com/public-vulnerability-list/#systemadminsettingscontrollerconnecttohub-missing-authentication-in-smartermail
https://www.smartertools.com/smartermail/release-notes/current
https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-rce-via-connecttohub-api
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24423
2026-01-23: Published
2026-02-05: Added to CISA KEV
Exploited in the wild